Hi,

I have edited this patch after review. It should be okay now.

Thank you.

On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 08/11/2016 07:21 PM, Martin Basti wrote:
> >
> >
> > On 11.08.2016 18:57, Pavel Vomacka wrote:
> >>
> >>
> >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
> >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
> >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
> >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
> >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
> >>>>>>> Got it. One thing I would correct, though, -- don't use kadmin.local, we
> >>>>>>> do support setting ok_as_delegate on the service principals via IPA CLI:
> >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
> >>>>>>> --ok-as-delegate=BOOL
> >>>>>>>                        Client credentials may be delegated to the service
> >>>>>> I've tried
> >>>>>>
> >>>>>>      ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
> >>>>>>
> >>>>>> but that does not seem to have the same effect as
> >>>>>>
> >>>>>>      modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
> >>>>>>
> >>>>>> -- obtaining the delegated certificate fails.
> >>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
> >>>>> flags.
> >>>> Right. The following patch adds ok_to_auth_as_delegate to the service
> >>>> principal.
> >>>>
> >>>> I haven't added any tickets to it yet.
> >>>>
> >>>>
> >>> This might also deserve a nice Web UI checkbox similar to "Trusted for
> >>> delegation". CCing Pavel.
> >>>
> >> Here is a patch with the new checkbox. It is without a ticket in the commit
> >> message, so once we have the ticket I will send another patch with an
> >> updated commit message.
> >
> > https://fedorahosted.org/freeipa/newticket
> >
> > ;-)
>
> It's a prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
> might use that.
> >
> >>
> >>
> >>
> >
> >
> >
>
>
> --
> Petr Vobornik
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>



-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From 9c6c302c8ae2a5108d7ccfe98520c43926fd75bf Mon Sep 17 00:00:00 2001
From: Tiboris <tibor.dud...@gmail.com>
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method

Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py |  3 ++-
 ipaserver/rpcserver.py         | 17 +++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..1843c0568543951f2c817616d9e988deaab47056 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,13 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-    from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+    from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_x509, login_password, change_password, sync_token, xmlserver_session
     register()(wsgi_dispatch)
     register()(xmlserver)
     register()(jsonserver_kerb)
     register()(jsonserver_session)
     register()(login_kerberos)
+    register()(login_x509)
     register()(login_password)
     register()(change_password)
     register()(sync_token)
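
Review bot: the import from ipaserver.rpcserver in xmlserver.py stays a single line and grows again with login_x509. Wrapping it in a parenthesized multi-line import, one name per line in the same order as the register() calls below it, would keep the next endpoint to a one-line diff and make it easy to check that every imported endpoint is also registered.
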
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d036f3c27521f17709672b830d5aa58167c76b34..b45eb5cca43859f20af9d40a84142cfa42c2caa2 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -857,16 +857,16 @@ class jsonserver_kerb(jsonserver, KerberosWSGIExecutioner):
     key = '/json'
 
 
-class login_kerberos(Backend, KerberosSession, HTTP_Status):
-    key = '/session/login_kerberos'
+class KerberosLogin(Backend, KerberosSession, HTTP_Status):
+    key = None
 
     def _on_finalize(self):
-        super(login_kerberos, self)._on_finalize()
+        super(KerberosLogin, self)._on_finalize()
         self.api.Backend.wsgi_dispatch.mount(self, self.key)
         self.kerb_session_on_finalize()
 
     def __call__(self, environ, start_response):
-        self.debug('WSGI login_kerberos.__call__:')
+        self.debug('WSGI KerberosLogin.__call__:')
 
         # Get the ccache created by mod_auth_gssapi
         user_ccache_name=environ.get('KRB5CCNAME')
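
Review bot: in KerberosLogin.__call__ the debug line is now the fixed string 'WSGI KerberosLogin.__call__:', so once both subclasses share this method the log no longer shows whether the request arrived on /session/login_kerberos or /session/login_x509; logging the concrete class name or self.key would keep the two paths distinguishable. Separately, with key = None on the base class, _on_finalize would call wsgi_dispatch.mount(self, self.key) with None if KerberosLogin were ever registered directly; a docstring marking it as a base class, or a guard on self.key, would make that intent explicit.
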
@@ -876,6 +876,15 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
 
         return self.finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response)
 
+
+class login_kerberos(KerberosLogin):
+    key = '/session/login_kerberos'
+
+
+class login_x509(KerberosLogin)
+    key = '/session/login_x509'
+
+
 class login_password(Backend, KerberosSession, HTTP_Status):
 
     content_type = 'text/plain'
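
Review bot: the added line class login_x509(KerberosLogin) is missing its trailing colon, so rpcserver.py will fail to import with a syntax error; it should read class login_x509(KerberosLogin): with the colon. The context line above it still passes the literal 'login_kerberos' to finalize_kerberos_acquisition, so requests on /session/login_x509 will be labelled login_kerberos there; passing a per-class name would fix that. Because the two subclasses differ only in key, a docstring on login_x509 stating what is expected to authenticate that path would help, since nothing in this patch shows it.
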
-- 
2.7.4
