markt-asf commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668831744
> It is not that easy and I do not agree with that. Here are cases which will not work:

As the OP has indicated, they are already using a solution along these lines and it works for them.

> * SPNEGO is performed, but access through LDAP uses a service account to perform a simple or SASL bind. Hence, no delegated credential is used.

This works already. If the delegated credential is presented, it will be used.

> * User comes from one realm, but domain controller is in another realm. While Kerberos perfectly supports cross-realm authentication, neither a simple bind nor a non-GSSAPI SASL bind will work.

Then it doesn't work. Things are no worse than they are now.

> Yet another problem is that you degrade from a strong authentication method to a weaker one.

That is the application developer's choice to do that. This happens already if `authentication="GSSAPI"` is not set. We can add a note to the docs to clarify how this is handled.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org