On Thu, 06 Feb 2014, Petr Vobornik wrote:
On 5.2.2014 18:54, Alexander Bokovoy wrote:
On Wed, 05 Feb 2014, Nathaniel McCallum wrote:
On Tue, 2014-01-21 at 17:45 +0100, Petr Vobornik wrote:
from ipaserver.dcerpc import DomainValidator

Patch 541 is NACK because ipaserver.dcerpc only exists in
freeipa-server-trust-ad.
I agree. Instead of modifying a highly specialized code in
ipaserver.dcerpc, you can extend a general purpose kinit code in
ipapython/ipautil.py or add a separate one there to handle FAST part.


I've implemented a new version of patch 541 which doesn't use the dcerpc module (attached).

This new version might be incorrect as well. The new form-based login works as follows:
- calls kinit with the HTTP keytab to get an armor ccache
- calls kinit with the user credentials and the armor_ccache
- calls kdestroy to clean up the armor_ccache

It was inspired by existing code in dcerpc.py and rpcserver.py.

The question is whether we should avoid calling sub-processes and rather use krbV lib as in ipapython.ipautil.kinit_hostprincipal. Rob mentioned that subprocess calls within Apache are quite expensive.
Yes, they are. Given that it only needs to happen once per session
setup, it might be affordable in most cases.

The main issue, however, is whether krbV supports using an
armor ccache or not. Looking at the code, it seems it is possible to do
double rotation, by passing an existing ccache object and using a
different principal, but the code fails:

# python
Python 2.7.5 (default, Nov 12 2013, 16:45:54) [GCC 4.8.2 20131017 (Red Hat 4.8.2-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import krbV
>>> cc=krbV.CCache(primary_principal=krbV.Principal('host/masteripa.ipa.weald.vda.li'))
>>> cc1=krbV.CCache(ccache=cc,primary_principal=krbV.Principal('admin'))
Segmentation fault
#
--
/ Alexander Bokovoy
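The three-step sequence Petr describes (armor kinit from the HTTP keytab, user kinit with -T armor_ccache, kdestroy of the armor ccache) as an added example; this is not the attached patch 541 nor any FreeIPA code. The keytab path, principal names and ccache locations are assumptions. Two points the description leaves implicit are made explicit here: the password is fed to kinit over stdin rather than argv, so it is not visible in the process list, and the kdestroy runs in a finally: block so the armor credentials are removed even when the user's kinit fails. The `runner` parameter only exists so the command sequence can be checked without a KDC.

```python
"""FAST-armored password kinit via kinit/kdestroy subprocesses.

Added example, not FreeIPA code. Paths and principal names are assumptions.
"""
import os
import shutil
import subprocess
import tempfile

# Assumed locations; a real deployment reads these from its configuration.
KINIT = "/usr/bin/kinit"
KDESTROY = "/usr/bin/kdestroy"
HTTP_KEYTAB = "/etc/httpd/conf/ipa.keytab"              # assumption
HTTP_PRINCIPAL = "HTTP/ipa.example.test@EXAMPLE.TEST"    # assumption


class KinitError(RuntimeError):
    """Raised when kinit exits non-zero; stderr is kept for diagnostics."""


def _run(argv, stdin_data=None):
    """Default runner: execute argv, feeding stdin_data (bytes) if given."""
    return subprocess.run(argv, input=stdin_data, capture_output=True, check=False)


def _stderr(result):
    return (result.stderr or b"").decode(errors="replace").strip()


def fast_password_kinit(user_principal, password, user_ccache, runner=_run,
                        keytab=HTTP_KEYTAB, armor_principal=HTTP_PRINCIPAL):
    """Obtain a TGT for user_principal into user_ccache, armored with FAST.

    1. kinit -k -t <keytab> into a private armor ccache (service credentials)
    2. kinit the user with -T <armor ccache>; the password goes over stdin,
       never on the command line
    3. kdestroy the armor ccache; runs in finally: so it happens whether or
       not step 2 succeeded

    `runner` receives (argv, stdin_data) and returns an object with
    .returncode and .stderr, so the sequence can be tested without a KDC.
    Returns the list of argv lists executed, in order.
    """
    if not password:
        raise ValueError("empty password")  # kinit would block on its prompt
    armor_dir = tempfile.mkdtemp(prefix="armor-")
    armor_ccache = "FILE:" + os.path.join(armor_dir, "ccache")
    executed = []
    try:
        # Step 1: service ticket from the keytab -> armor ccache
        argv = [KINIT, "-k", "-t", keytab, "-c", armor_ccache, armor_principal]
        executed.append(argv)
        res = runner(argv, None)
        if res.returncode != 0:
            raise KinitError("armor kinit failed: %s" % _stderr(res))
        # Step 2: user TGT, armored by the service ccache; password via stdin
        argv = [KINIT, "-T", armor_ccache, "-c", user_ccache, user_principal]
        executed.append(argv)
        res = runner(argv, (password + "\n").encode())
        if res.returncode != 0:
            raise KinitError("user kinit failed: %s" % _stderr(res))
    finally:
        # Step 3: always drop the armor credentials and their directory
        argv = [KDESTROY, "-c", armor_ccache]
        executed.append(argv)
        runner(argv, None)
        shutil.rmtree(armor_dir, ignore_errors=True)
    return executed


if __name__ == "__main__":
    # Real run against a KDC; expects the assumed keytab/principal to exist.
    import getpass
    for cmd in fast_password_kinit("admin@EXAMPLE.TEST", getpass.getpass(),
                                   "FILE:/tmp/krb5cc_form_login"):
        print(" ".join(cmd))
```

The armor ccache is created under a fresh mkdtemp directory so it is private to this login attempt and cannot collide with another request's cache; the user ccache path is the caller's choice, since that is what the session will be bound to afterwards.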

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel