URL: https://github.com/freeipa/freeipa/pull/1466
Author: flo-renaud
 Title: #1466: [Backport][ipa-4-6] Documenting kinit_lifetime in 
/etc/ipa/default.conf
Action: opened

PR body:
"""
This PR was opened automatically because PR #1425 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1466/head:pr1466
git checkout pr1466
From 7688222994795dcbce7ec1b940824cac898c961b Mon Sep 17 00:00:00 2001
From: amitkuma <amitk...@redhat.com>
Date: Tue, 2 Jan 2018 21:05:27 +0530
Subject: [PATCH] Documenting kinit_lifetime in /etc/ipa/default.conf

Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Removing session_auth_duration and session_duration_type since these parameters are not relevant anymore.

Resolves: https://pagure.io/freeipa/issue/7333
---
 client/man/default.conf.5          | 9 +++------
 install/ui/test/data/ipa_init.json | 2 --
 ipalib/constants.py                | 5 -----
 pylint_plugins.py                  | 2 --
 4 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
index 35ce6bb9f8..f21d9d5b7a 100644
--- a/client/man/default.conf.5
+++ b/client/man/default.conf.5
@@ -107,6 +107,9 @@ This is used in development and is generally a detected value. It means that the
 .B interactive <boolean>
 Specifies whether values should be prompted for or not. The default is True.
 .TP
+.B kinit_lifetime <time duration spec>
+Controls the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. The expected format is a time duration string. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec". When the parameter is not set in default.conf, the ticket will have a duration inherited from the default value for kerberos clients, that can be set as ticket_lifetime in krb5.conf. When the ticket lifetime has expired, the ticket is not valid anymore and the GUI will prompt to re-login with a message "Your session has expired. Please re-login."
+.TP
 .B ldap_uri <URI>
 Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket
 .TP
@@ -157,12 +160,6 @@ Specifies the name of the CA back end to use. The current options are \fBdogtag\
 .B realm <realm>
 Specifies the Kerberos realm.
 .TP
-.B session_auth_duration <time duration spec>
-Specifies the length of time authentication credentials cached in the session are valid. After the duration expires credentials will be automatically reacquired. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec".
-.TP
-.B session_duration_type <inactivity_timeout|from_start>
-Specifies how the expiration of a session is computed. With \fBinactivity_timeout\fR the expiration time is advanced by the value of session_auth_duration everytime the user accesses the service. With \fBfrom_start\fR the session expiration is the start of the user's session plus the value of session_auth_duration.
-.TP
 .B server <hostname>
 Specifies the IPA Server hostname.
 .TP
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index b4fd80814c..dd4b84cc92 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -920,7 +920,6 @@
                "container_sysaccounts" : "cn=sysaccounts,cn=etc",
                "dogtag_version" : 10,
                "container_rolegroup" : "cn=roles,cn=accounts",
-               "session_duration_type" : "inactivity_timeout",
                "container_s4u2proxy" : "cn=s4u2proxy,cn=etc",
                "container_automount" : "cn=automount",
                "ca_host" : "vm.example.com",
@@ -942,7 +941,6 @@
                "enable_ra" : true,
                "container_trusts" : "cn=trusts",
                "container_policygroups" : "cn=policygroups,cn=configs,cn=policies",
-               "session_auth_duration" : "20 minutes",
                "container_realm_domains" : "cn=Realm Domains,cn=ipa,cn=etc",
                "in_tree" : false,
                "realm" : "DOM.EXAMPLE.COM",
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 7e1c72d588..9ae6e0aaae 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -157,11 +157,6 @@
     ('webui_prod', True),
 
     # Session stuff:
-
-    # Maximum time before a session expires forcing credentials to be reacquired.
-    ('session_auth_duration', '20 minutes'),
-    # How a session expiration is computed, see SessionManager.set_session_expiration_time()
-    ('session_duration_type', 'inactivity_timeout'),
     ('kinit_lifetime', None),
 
     # Debugging:
diff --git a/pylint_plugins.py b/pylint_plugins.py
index 594393a36f..8098d4531a 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -67,8 +67,6 @@ def fake_class(name_or_class_obj, members=()):
 fake_api_env = {'env': [
     'host',
     'realm',
-    'session_auth_duration',
-    'session_duration_type',
     'kinit_lifetime',
 ]}
 
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to