Skip to content

Commit

Permalink
The http service name is HTTP
Browse files Browse the repository at this point in the history 
Service names are generally case sensitive in Kerberos implementations (with
the notable exception of Microsoft Active Directory that treats them in a
case-insensitive way). For unknown reasons the service name used for the
http protocol has been historically uppercased. So the examples should use
HTTP otherwise implementors may use http and fail to interoperate with
servers that follow the proper case sensitivity rules for Kerberos principal
names as defined in RFC4120.

Signed-off-by: Simo Sorce <simo@redhat.com>
  • Loading branch information
@simo5
simo5 committed Nov 23, 2016
1 parent 12aa6af commit fc03492
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions docs/source/basic-tutorial.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,12 +43,12 @@ Suppose we wanted to refer to an HTTP server on the current host.
We could refer to it as a *host-based service*, or in the default
mechanism form (in this case, for krb5):

>>> server_hostbased_name = gssapi.Name('http@' + FQDN, name_type=gssapi.NameType.hostbased_service)
>>> server_hostbased_name = gssapi.Name('HTTP@' + FQDN, name_type=gssapi.NameType.hostbased_service)
>>> server_hostbased_name
Name(b'http@sross', <OID 1.2.840.113554.1.2.1.4>)
>>> server_name = gssapi.Name('http/sross@')
Name(b'HTTP@sross', <OID 1.2.840.113554.1.2.1.4>)
>>> server_name = gssapi.Name('HTTP/sross@')
>>> server_name
Name(b'http/sross@', None)
Name(b'HTTP/sross@', None)
>>>

These are both effectively the same, but if we *canonicalize* both
Expand All @@ -75,11 +75,11 @@ Credentials may be acquired for a particular name, or the default set
of credentials may be acquired.

For instance, suppose that we are writing a server, and wish to
communicate accept connections as the 'http' service. We would need
communicate accept connections as the 'HTTP' service. We would need
to acquire credentials as such:

>>> REALM.addprinc('http/%s@%s' % (FQDN, REALM.realm))
>>> REALM.extract_keytab('http/%s@%s' % (FQDN, REALM.realm), REALM.keytab)
>>> REALM.addprinc('HTTP/%s@%s' % (FQDN, REALM.realm))
>>> REALM.extract_keytab('HTTP/%s@%s' % (FQDN, REALM.realm), REALM.keytab)
>>> server_creds = gssapi.Credentials(usage='accept', name=server_name)
>>>

Expand Down

0 comments on commit fc03492

Please sign in to comment.