URL: https://github.com/freeipa/freeipa/pull/855
Author: simo5
Title: #855: Prevent issues with older clients
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/855/head:pr855
git checkout pr855
From 0dfb66a8269baaf6b8fd18ba149dd1e2fa812a7b Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 5 Jun 2017 09:50:22 -0400
Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/constants.py     | 1 +
 ipalib/install/kinit.py | 5 ++++-
 ipaserver/rpcserver.py  | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 5279b64789..ab466bab7f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -155,6 +155,7 @@
     ('session_auth_duration', '20 minutes'),
     # How a session expiration is computed, see SessionManager.set_session_expiration_time()
     ('session_duration_type', 'inactivity_timeout'),
+    ('kinit_lifetime', None),
 
     # Debugging:
     ('verbose', 0),
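Review bot: the new `('kinit_lifetime', None)` entry has no comment, while the neighbouring `session_auth_duration` and `session_duration_type` entries each document their meaning and format; add a line above it stating that the value is handed verbatim to kinit as its `-l` argument (for example `# Ticket lifetime requested when the server kinits with a password, in kinit -l syntax`) so anyone editing default.conf knows what the option expects and that None means no explicit lifetime is requested.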
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 73471f103e..91ea5132aa 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 
 def kinit_password(principal, password, ccache_name, config=None,
                    armor_ccache_name=None, canonicalize=False,
-                   enterprise=False):
+                   enterprise=False, lifetime=None):
     """
     perform interactive kinit as principal using password. If using FAST for
     web-based authentication, use armor_ccache_path to specify http service
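Review bot: the docstring that begins right under the changed signature is not updated for the new `lifetime` parameter; it still only describes the FAST/armor behaviour. Add a sentence saying that `lifetime`, when set, is passed to kinit as `-l` and that the default None leaves the ticket lifetime to the KDC's policy.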
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
                           % armor_ccache_name)
         args.extend(['-T', armor_ccache_name])
 
+    if lifetime:
+        args.extend(['-l', lifetime])
+
     if canonicalize:
         root_logger.debug("Requesting principal canonicalization")
         args.append('-C')
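Review bot: `lifetime` is appended to the kinit command line without any validation, so a malformed value in default.conf shows up only as a failed kinit at login time rather than as a configuration error. At minimum, log the requested lifetime with `root_logger.debug(...)` the way the `canonicalize` branch just below does, so a failing login can be traced back to the setting. Note also that `if lifetime:` treats an empty string the same as None (no `-l` is added); that is probably the intended behaviour but deserves a comment.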
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 32f286148b..2990df2598 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name):
                 password,
                 ccache_name,
                 armor_ccache_name=armor_path,
-                enterprise=True)
+                enterprise=True,
+                lifetime=self.api.env.kinit_lifetime)
 
             if armor_path:
                 self.debug('Cleanup the armor ccache')
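Review bot: because the default for `kinit_lifetime` is None, this call changes nothing until an administrator sets the option, and it only affects this password-based `kinit_password` path, not `kinit_keytab`; the commit message ("Add code to be able to set default kinit lifetime") should state both points plainly so readers do not assume a lifetime is now applied out of the box.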

From 4111ddd88173bce8811a165c2eca94c9e49e079e Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 6 Jun 2017 09:04:58 -0400
Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients

Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/conf/ipa.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index a7ca5ce715..01bf9a4f97 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 27 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -77,7 +77,9 @@ WSGIScriptReloading Off
   Session On
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
-  SessionMaxAge 1800
+  # Uncomment the following to have shorter sessions, but beware this may break
+  # old IPA client tols that incorrectly parse cookies.
+  # SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
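Review bot: typo in the added comment, "tols" should be "tools". More importantly, with `SessionMaxAge 1800` commented out mod_session no longer enforces an age limit on the `ipa_session` cookie, so session expiry now rests on the server-side settings (`session_auth_duration` in default.conf) and, where configured, on the ticket lifetime that the first patch's `kinit_lifetime` option can bound; the comment should say which of these mechanisms is expected to limit session lifetime while this line stays disabled, so administrators understand the security trade-off and not only the client-compatibility reason.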
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org