Dmitri Pal wrote:
On 12/12/2011 07:15 PM, Simo Sorce wrote:
On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
This patch adds support for s4u2proxy. This means that the Apache
server
will obtain the ldap service ticket on behalf of the user rather than
the user having to send their TGT. The user's ticket still needs to
be
forwardable, we just don't require it to be forwarded any more.

Should we make the patch allow the old behavior by using a switch that
reverts to forwarding the TGT?

It would be useful during upgrades if some of your servers still need
forwarded TGTs, or if you want to use a newer client against an old
server while you have the newer stuff under test.
(And to test in general).

Simo.
+1


Updated patch attached.

rob
>From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 8 Dec 2011 14:23:18 -0500
Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
 now

A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegation, is available if
the old behavior is required.

https://fedorahosted.org/freeipa/ticket/1098
---
 ipa.1               |    3 +++
 ipalib/backend.py   |    2 +-
 ipalib/constants.py |    1 +
 ipalib/plugable.py  |    5 ++++-
 ipalib/rpc.py       |   24 +++++++++++++++++-------
 5 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/ipa.1 b/ipa.1
index 4c8ba377effba3324de4d2c9c0e5898f2e9fa2b9..91432a0afa3e2e88d744505234b2b459cbd6b77e 100644
--- a/ipa.1
+++ b/ipa.1
@@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR.
 \fB\-d\fR, \fB\-\-debug\fR
 Produce full debugging output.
 .TP
+\fB\-\-\-delegate\fR
+Delegate the user's TGT to the IPA server
+.TP
 \fB\-e\fR \fIKEY=VAL\fR
 Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
 .TP
diff --git a/ipalib/backend.py b/ipalib/backend.py
index 79f190832b72f3e41ff0d6b0a4dcf619b35ded37..7ed378e888880e1a0a209116ea8b73f8192a1ef5 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -110,7 +110,7 @@ class Executioner(Backend):
             self.Backend.ldap2.connect(ccache=ccache)
         else:
             self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
-                fallback=self.env.fallback)
+                fallback=self.env.fallback, delegate=self.env.delegate)
         if client_ip is not None:
             setattr(context, "client_ip", client_ip)
 
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 96cf3ba604d0a53e687a76d01ab0b9b7b3e185fb..c6b3b63ffcb0bee8b21997a32e9e86e76b5576fe 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -133,6 +133,7 @@ DEFAULT_CONFIG = (
     ('prompt_all', False),
     ('interactive', True),
     ('fallback', True),
+    ('delegate', False),
 
     # Enable certain optional plugins:
     ('enable_ra', False),
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index e0b6e7f968ca16c3fed4667ba1d972edf5262546..4d0011029573df44d8d5e85e0e2b2a3f872c0703 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,6 +530,9 @@ class API(DictProxy):
         parser.add_option('-d', '--debug', action='store_true',
             help='Produce full debuging output',
         )
+        parser.add_option('--delegate', action='store_true',
+            help='Delegate the TGT to the IPA server',
+        )
         parser.add_option('-v', '--verbose', action='count',
             help='Produce more verbose output. A second -v displays the XML-RPC request',
         )
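Review bot: The help text for the new `--delegate` option says nothing about when it is needed or what it grants, and that is the one thing a user deciding whether to pass it wants to know: forwarding the TGT hands the server the user's full credentials, whereas the default path only needs a forwardable ticket for S4U2Proxy. Suggest `help='Forward the user\'s TGT to the IPA server (only needed for servers without S4U2Proxy support; off by default)'`. The same wording would suit the ipa.1 entry, which as written spells the option `\-\-\-delegate` with three dashes and so renders as `---delegate`. The second hunk of this file correctly adds `'delegate'` to the override key list, so the option reaches `env` as intended.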
@@ -570,7 +573,7 @@ class API(DictProxy):
                     pass
                 overrides[str(key.strip())] = value.strip()
         for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
-            'fallback'):
+            'fallback', 'delegate'):
             value = getattr(options, key, None)
             if value is not None:
                 overrides[key] = value
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8ec3a2f2706f6a18216ea8cfc74bc50b21159d31..4670283c99118e9804e13599337c3fe000c17617 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -234,6 +234,7 @@ class KerbTransport(SSLTransport):
     """
     Handles Kerberos Negotiation authentication to an XML-RPC server.
     """
+    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
 
     def _handle_exception(self, e, service=None):
         (major, minor) = ipautil.get_gsserror(e)
@@ -259,10 +260,7 @@ class KerbTransport(SSLTransport):
         service = "HTTP@" + host.split(':')[0]
 
         try:
-            (rc, vc) = kerberos.authGSSClientInit(service,
-                                                kerberos.GSS_C_DELEG_FLAG |
-                                                kerberos.GSS_C_MUTUAL_FLAG |
-                                                kerberos.GSS_C_SEQUENCE_FLAG)
+            (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
         except kerberos.GSSError, e:
             self._handle_exception(e)
 
@@ -286,6 +284,14 @@ class KerbTransport(SSLTransport):
         return (host, extra_headers, x509)
 
 
+class DelegatedKerbTransport(KerbTransport):
+    """
+    Handles Kerberos Negotiation authentication and TGT delegation to an
+    XML-RPC server.
+    """
+    flags = kerberos.GSS_C_DELEG_FLAG |  kerberos.GSS_C_MUTUAL_FLAG | \
+            kerberos.GSS_C_SEQUENCE_FLAG
+
 class xmlclient(Connectible):
     """
     Forwarding backend plugin for XML-RPC client.
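Review bot: `DelegatedKerbTransport.flags` repeats the mutual and sequence flags from `KerbTransport.flags` instead of deriving from it, so the two can drift if the base flags change, and the line is written with a backslash continuation and a doubled space before `kerberos.GSS_C_MUTUAL_FLAG`. Suggest `flags = KerbTransport.flags | kerberos.GSS_C_DELEG_FLAG`, which reads as "the base transport plus delegation" and fits on one line. The class is also followed by a single blank line before `class xmlclient`; PEP 8 wants two between top-level definitions, as the two blank lines above the new class already have. A one-line comment on the class, such as `# Only needed for servers without S4U2Proxy; the TGT itself is sent to the server.`, would tell readers why a separate transport exists.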
@@ -305,7 +311,7 @@ class xmlclient(Connectible):
         """
         if not hasattr(self.conn, '_ServerProxy__transport'):
             return None
-        if isinstance(self.conn._ServerProxy__transport, KerbTransport):
+        if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
             scheme = "https"
         else:
             scheme = "http"
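Review bot: The `isinstance` check did not need replacing: `DelegatedKerbTransport` subclasses `KerbTransport`, so `isinstance(self.conn._ServerProxy__transport, KerbTransport)` already returns True for it, and the exact-type tuple in the new line will silently pick `"http"` for any further subclass. Suggest restoring `if isinstance(self.conn._ServerProxy__transport, KerbTransport):`. The enclosing method starts before this hunk.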
@@ -339,14 +345,18 @@ class xmlclient(Connectible):
 
         return servers
 
-    def create_connection(self, ccache=None, verbose=False, fallback=True):
+    def create_connection(self, ccache=None, verbose=False, fallback=True,
+                          delegate=False):
         servers = self.get_url_list()
         serverproxy = None
         for server in servers:
             kw = dict(allow_none=True, encoding='UTF-8')
             kw['verbose'] = verbose
             if server.startswith('https://'):
-                kw['transport'] = KerbTransport()
+                if delegate:
+                    kw['transport'] = DelegatedKerbTransport()
+                else:
+                    kw['transport'] = KerbTransport()
             else:
                 kw['transport'] = LanguageAwareTransport()
             self.log.info('trying %s' % server)
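Review bot: `create_connection` gains a `delegate` keyword but no documentation of what it changes; the parameter selects `DelegatedKerbTransport`, i.e. whether the user's TGT is forwarded to the server, which is a credential-exposure decision callers should be able to read without opening the transport classes. Suggest a docstring on the method stating that `delegate=True` sends the user's TGT to the IPA server (GSS_C_DELEG_FLAG) and is only required for servers that cannot use S4U2Proxy, and that `ccache`, `verbose` and `fallback` keep their existing meaning. The method continues past the end of this hunk.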
-- 
1.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
