Rob Crittenden wrote:
This adds client session support. The session key is stored in the
kernel key ring.

Your first request should go to /ipa/session/xml where it should be
rejected with a 401. The next will go to /ipa/xml which will be
accepted. This should all be invisible to the client.

Subsequent requests should go to /ipa/session/xml which should let you
in with the cookie.

You can add the -vv option after ipa to see fully what is going on, e.g.
ipa -vv user-show admin

To manage your keyring use the keyctl command like:

$ keyctl list @s
2 keys in keyring:
353548226: --alswrv 1000 -1 keyring: _uid.1000
941350591: --alswrv 1000 1000 user: ipa_session_cookie

To remove a key:

$ keyctl unlink 941350591 @s


Hmm, this doesn't play too nice with the lite-server. Let me see if I can track it down. The ccache is being removed, probably as part of the session code. Sessions don't make sense with the lite server since it uses the local ccache directly.


Freeipa-devel mailing list
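
The request sequence described in the message above, as an added example that is not part of the original mail and is not FreeIPA code. The in-memory server and the dict standing in for the kernel session keyring are constructed for illustration; only the two URL paths and the key name come from the mail.

```python
SESSION_URL = "/ipa/session/xml"   # cookie-authenticated endpoint (from the mail)
KRB_URL = "/ipa/xml"               # Kerberos-authenticated endpoint (from the mail)
KEY_NAME = "ipa_session_cookie"    # key description shown in the keyctl listing

class FakeServer:
    """Constructed stand-in for the server; it issues and checks cookies."""
    def __init__(self):
        self.valid, self.issued = set(), 0

    def request(self, path, cookie=None, kerberos=False):
        if path == SESSION_URL:
            return (200, None) if cookie in self.valid else (401, None)
        if path == KRB_URL and kerberos:
            self.issued += 1
            cookie = f"ipa_session=constructed-{self.issued}"  # sample value
            self.valid.add(cookie)
            return 200, cookie
        return 401, None

class Client:
    """Try the session URL first, fall back to Kerberos on a 401."""
    def __init__(self, server, keyring):
        self.server, self.keyring = server, keyring  # dict models keyring @s

    def call(self):
        trace = []
        status, _ = self.server.request(SESSION_URL, self.keyring.get(KEY_NAME))
        trace.append((SESSION_URL, status))
        if status == 401:
            # Drop any rejected cookie so a stale credential is not kept.
            self.keyring.pop(KEY_NAME, None)
            status, cookie = self.server.request(KRB_URL, kerberos=True)
            trace.append((KRB_URL, status))
            if status == 200:
                self.keyring[KEY_NAME] = cookie
        return trace

def demo():
    server, keyring = FakeServer(), {}
    client = Client(server, keyring)
    first = client.call()            # no cookie yet: 401, then Kerberos
    second = client.call()           # cookie from the keyring is accepted
    keyring.pop(KEY_NAME)            # models `keyctl unlink <id> @s`
    third = client.call()            # forced back through Kerberos
    return first, second, third

if __name__ == "__main__":
    for trace in demo():
        print(trace)
```

The third trace shows why unlinking the key matters: the cookie is the only thing that lets the client skip Kerberos, so removing it forces a full re-authentication.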
