On Wed, 30 Jan 2013, Martin Kosek wrote:
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environment variable, it fails for new DIR type of CCACHE.

We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept a krbV.CCache object directly, which contains everything we need
to authenticate with ccache.

https://fedorahosted.org/freeipa/ticket/3381

Minor comment: there are a few cleanups of 'import krbV' in places where
Kerberos functions are not used. Maybe it would be better to separate
them into their own patch to avoid rebasing issues in the future?

Please note that this fix is rather a short/medium-term fix for Fedora 18. In
the long term we should consolidate our CCACHE manipulation code; it now uses
several different wrappers or just uses the krbV python library directly. I did not
do any global refactoring in this patch, this should be done after we decide if
we want to create new, more usable krb5 library bindings as was already
discussed in the past.

Yes. John has published his current code for new Python bindings to
libkrb5 at https://github.com/jdennis/python-krb. It is far from
finished but gives a more pythony feeling and additional contributions are
highly welcomed.

Once it is ready, we can start looking at migrating to it.

from ipalib import api, errors
from ipalib.crud import CrudBackend
from ipalib.request import context
@@ -783,7 +781,7 @@ class ldap2(CrudBackend):

        Keyword arguments:
        ldapuri -- the LDAP server to connect to
-        ccache -- Kerberos V5 ccache name
+        ccache -- Kerberos V5 ccache object or name
        bind_dn -- dn used to bind to the server
        bind_pw -- password used to bind to the server
        debug_level -- LDAP debug level option
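Review bot: the new docstring line "ccache -- Kerberos V5 ccache object or name" does not say which form of name is accepted, and the commit message states that a bare name taken from krbV.CCache.name fails for DIR caches. Document the string form as the type-qualified one that the isinstance branch in the next hunk builds, e.g. `ccache -- krbV.CCache object or fully qualified ccache name (type:name)`, so callers do not pass the bare name this patch is trying to get rid of.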
@@ -821,10 +819,17 @@ class ldap2(CrudBackend):
                if maxssf < minssf:
                    conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
            if ccache is not None:
+                if isinstance(ccache, krbV.CCache):
+                    principal = ccache.principal().name
+                    # get a fully qualified CCACHE name (schema+name)
+                    ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
+                                                        name=ccache.name)
Maybe a comment could be added here that we don't use the krbV.CCache
instance afterwards and it is OK to override the reference to it by a
string?

+                else:
+                    principal = krbV.CCache(name=ccache,
+                        context=krbV.default_context()).principal().name
+
                os.environ['KRB5CCNAME'] = ccache
                conn.sasl_interactive_bind_s(None, SASL_AUTH)
-                principal = krbV.CCache(name=ccache,
-                            context=krbV.default_context()).principal().name
                setattr(context, 'principal', principal)
            else:
                # no kerberos ccache, use simple bind or external sasl
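Review bot: the else branch still passes the string unchanged to `krbV.CCache(name=ccache, ...)` and to `os.environ['KRB5CCNAME']`, so a caller that passes a bare name (the DIR-cache case the commit message says fails) hits the old failure on this path; either require string callers to pass the "type:name" form or normalize bare strings here the same way the isinstance branch does. A smaller point: `principal` is now read from the ccache before `conn.sasl_interactive_bind_s(None, SASL_AUTH)` rather than after it, so a missing or unreadable ccache now fails inside the krbV call instead of at bind time, which is fine but worth a line in the commit message. The comment requested above about reassigning `ccache` to a string would fit directly above the `ccache = "%(type)s:%(name)s" % dict(...)` line.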

--
/ Alexander Bokovoy
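As an added example for the "always use both CCACHE type and name" rule discussed above (this is not code from the patch or from FreeIPA), a small Python helper that turns either a ccache object or a plain string into the fully qualified "type:name" form, so the same string can be handed to a ccache constructor and to KRB5CCNAME. krbV is not imported; a constructed stand-in class with `.type` and `.name` attributes plays the role of krbV.CCache, and the FILE default for names without a type prefix is an assumption about MIT krb5 naming conventions on Unix systems.

```python
"""Normalize Kerberos credential-cache references to 'TYPE:residual'.

Example code added for this discussion, not FreeIPA code. The krbV module
is not used; CCacheLike is a constructed stand-in for krbV.CCache.
"""

# Assumption (MIT krb5 convention): a cache name with no "TYPE:" prefix
# is treated as a FILE cache, e.g. "/tmp/krb5cc_0" == "FILE:/tmp/krb5cc_0".
DEFAULT_CCACHE_TYPE = "FILE"


class CCacheLike(object):
    """Constructed stand-in for krbV.CCache exposing .type and .name."""

    def __init__(self, type, name):
        self.type = type
        self.name = name


def parse_ccache_name(name):
    """Split a ccache string into (type, residual).

    The type is the alphabetic prefix before the first ':'; anything else
    (a bare Unix path) is a FILE cache. Assumption: Unix paths only, so a
    Windows drive letter such as "C:\\..." is not handled here.
    """
    head, sep, tail = name.partition(":")
    if sep and head.isalpha():
        return head, tail
    return DEFAULT_CCACHE_TYPE, name


def qualified_ccache_name(ccache):
    """Return 'TYPE:residual' for a ccache object or a ccache string.

    For an object the same "%(type)s:%(name)s" formatting as the patch is
    used; for a string, a missing type prefix is filled in rather than
    passed through bare, which is the case that breaks for DIR caches.
    """
    if isinstance(ccache, str):
        ctype, residual = parse_ccache_name(ccache)
    else:
        ctype, residual = ccache.type, ccache.name
    return "%s:%s" % (ctype, residual)


def same_ccache(a, b):
    """True when two references name the same cache after normalization."""
    return qualified_ccache_name(a) == qualified_ccache_name(b)


if __name__ == "__main__":
    # Constructed sample inputs: a bare file path, a DIR collection member
    # (residual keeps its leading ':'), a keyring and an object.
    for ref in ["/tmp/krb5cc_0",
                "DIR::/run/user/1000/krb5cc/tkt",
                "KEYRING:persistent:1000",
                CCacheLike("DIR", ":/run/user/1000/krb5cc/tkt")]:
        print(qualified_ccache_name(ref))
```

The normalized string is what should be stored in KRB5CCNAME and handed to the ccache constructor; comparing two references with `same_ccache` avoids treating "/tmp/krb5cc_0" and "FILE:/tmp/krb5cc_0" as different caches.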

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
