On 2015-07-29 11:56, Christian Heimes wrote:
On 2015-07-29 10:09, Michael Šimáček wrote:
GSSAPI doesn't provide any method (that I'm aware of) to get the default
ccache name. In most cases this is not needed as we can simply not pass
any name and it will use the default. The ldap plugin had to be adjusted
for this - the connect method now takes a new use_gssapi argument, which
can turn on gssapi support without the need to supply an explicit ccache
name. The only place where the ccache name is really needed is the test
server, where I use the system klist command to obtain it.

You can use ctypes or cffi for the task, too. It's much faster and more
convenient. Here is a quick example of how to use ctypes for the function
calls. kdcproxy uses similar code to parse /etc/krb5.conf.

>>> import ctypes
>>> LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
>>> ctx = ctypes.c_void_p()
>>> ccache = ctypes.c_void_p()
>>> LIBKRB5.krb5_init_context(ctypes.byref(ctx))
0
>>> LIBKRB5.krb5_cc_default(ctx, ctypes.byref(ccache))
0
>>> LIBKRB5.krb5_cc_get_type.restype = ctypes.c_char_p
>>> LIBKRB5.krb5_cc_get_name.restype = ctypes.c_char_p
>>> LIBKRB5.krb5_cc_get_type(ctx, ccache)
'KEYRING'
>>> LIBKRB5.krb5_cc_get_name(ctx, ccache)
'persistent:1000:1000'
>>> LIBKRB5.krb5_cc_close(ctx, ccache)
>>> LIBKRB5.krb5_free_context(ctx)

If you like the approach I can write a safer implementation with
proper error checking.


I didn't use ctypes, because it was advised against on this list:
https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html
For the tests it's probably fine, but so is using klist.
It would actually help a lot with getting the default realm name, but I'm afraid that the second point about problems with ctypes and SELinux in httpd still holds.

Michael
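
Added example (not part of the original thread, and not FreeIPA or kdcproxy code): one way the ctypes calls quoted above could be wrapped with declared prototypes, return-code checks and guaranteed cleanup. The names Krb5Error, default_ccache and the injectable lib parameter are assumptions made for this example; only the libkrb5 function names come from the thread.

```python
import ctypes


class Krb5Error(Exception):
    """A libkrb5 call returned a non-zero krb5_error_code."""


def _bind(lib):
    """Declare prototypes so handles are passed as pointers, not C ints."""
    vp, ref = ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p)
    protos = {
        "krb5_init_context": (ctypes.c_int, [ref]),
        "krb5_cc_default": (ctypes.c_int, [vp, ref]),
        "krb5_cc_get_type": (ctypes.c_char_p, [vp, vp]),
        "krb5_cc_get_name": (ctypes.c_char_p, [vp, vp]),
        "krb5_cc_close": (ctypes.c_int, [vp, vp]),
        "krb5_free_context": (None, [vp]),
    }
    for name, (restype, argtypes) in protos.items():
        fn = getattr(lib, name)
        fn.restype, fn.argtypes = restype, argtypes
    return lib


def _check(code, call):
    if code != 0:
        raise Krb5Error("%s failed with krb5 error code %d" % (call, code))


def default_ccache(lib=None):
    """Return (type, name) of the default credential cache."""
    # lib is injectable (assumption of this example) so the logic can be tested.
    lib = _bind(ctypes.CDLL("libkrb5.so.3") if lib is None else lib)
    ctx, ccache = ctypes.c_void_p(), ctypes.c_void_p()
    _check(lib.krb5_init_context(ctypes.byref(ctx)), "krb5_init_context")
    try:
        _check(lib.krb5_cc_default(ctx, ctypes.byref(ccache)), "krb5_cc_default")
        try:
            # Copy the strings out before the ccache handle is closed.
            cc_type = lib.krb5_cc_get_type(ctx, ccache).decode()
            cc_name = lib.krb5_cc_get_name(ctx, ccache).decode()
        finally:
            lib.krb5_cc_close(ctx, ccache)
    finally:
        lib.krb5_free_context(ctx)
    return cc_type, cc_name


if __name__ == "__main__":
    print("%s:%s" % default_ccache())
```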
