Hi, I have edited this patch after review. It should be okay now.
Thank you. On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik <[email protected]> wrote: > On 08/11/2016 07:21 PM, Martin Basti wrote: > > > > > > On 11.08.2016 18:57, Pavel Vomacka wrote: > >> > >> > >> On 08/11/2016 02:00 PM, Petr Vobornik wrote: > >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote: > >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote: > >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote: > >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote: > >>>>>>> Got it. One thing I would correct, though, -- don't use > >>>>>>> kadmin.local, we > >>>>>>> do support setting ok_as_delegate on the service principals via IPA > >>>>>>> CLI: > >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate > >>>>>>> --ok-as-delegate=BOOL > >>>>>>> Client credentials may be delegated to the > >>>>>>> service > >>>>>> I've tried > >>>>>> > >>>>>> ipa service-mod --ok-as-delegate=True HTTP/$(hostname) > >>>>>> > >>>>>> but that does not seem to have the same effect as > >>>>>> > >>>>>> modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test > >>>>>> > >>>>>> -- obtaining the delegated certificated fails. > >>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are > different > >>>>> flags. > >>>> Right. The following patch adds ok_to_auth_as_delegate to the service > >>>> principal. > >>>> > >>>> I haven't added any tickets to it yet. > >>>> > >>>> > >>> This might deserve also nice Web UI checkbox similar to "Trusted for > >>> delegation". CCing Pavel. > >>> > >> Here is patch with new checkbox. It is without ticket in commit message > so > >> once we will have the ticket I will send another patch witch updated > commit > >> message. > > > > https://fedorahosted.org/freeipa/newticket > > > > ;-) > > It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we > might use that. 
> > > >> > >> > >> > > > > > > > > > -- > Petr Vobornik > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > -- Tibor Dudlák Intern - Identity management Special Projects Red Hat
From 9c6c302c8ae2a5108d7ccfe98520c43926fd75bf Mon Sep 17 00:00:00 2001
From: Tiboris <[email protected]>
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py | 3 ++-
 ipaserver/rpcserver.py | 17 +++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..1843c0568543951f2c817616d9e988deaab47056 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,13 @@ register = Registry()
 if api.env.context in ('server', 'lite'):
- from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+ from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_x509, login_password, change_password, sync_token, xmlserver_session
 register()(wsgi_dispatch)
 register()(xmlserver)
 register()(jsonserver_kerb)
 register()(jsonserver_session)
 register()(login_kerberos)
+ register()(login_x509)
 register()(login_password)
 register()(change_password)
 register()(sync_token)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d036f3c27521f17709672b830d5aa58167c76b34..b45eb5cca43859f20af9d40a84142cfa42c2caa2 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -857,16 +857,16 @@ class jsonserver_kerb(jsonserver, KerberosWSGIExecutioner):
 key = '/json'
-class login_kerberos(Backend, KerberosSession, HTTP_Status):
- key = '/session/login_kerberos'
+class KerberosLogin(Backend, KerberosSession, HTTP_Status):
+ key = None
 def _on_finalize(self):
- super(login_kerberos, self)._on_finalize()
+ super(KerberosLogin, self)._on_finalize()
 self.api.Backend.wsgi_dispatch.mount(self, self.key)
 self.kerb_session_on_finalize()
 def __call__(self, environ, start_response):
- self.debug('WSGI login_kerberos.__call__:')
+ self.debug('WSGI KerberosLogin.__call__:')
 # Get the ccache created by mod_auth_gssapi
 user_ccache_name=environ.get('KRB5CCNAME')
@@ -876,6 +876,15 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
 return self.finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response)
+
+class login_kerberos(KerberosLogin):
+ key = '/session/login_kerberos'
+
+
+class login_x509(KerberosLogin)
+ key = '/session/login_x509'
+
+
 class login_password(Backend, KerberosSession, HTTP_Status):
 content_type = 'text/plain'
--
2.7.4
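Review bot: The debug line in the shared `__call__` now logs `'WSGI KerberosLogin.__call__:'` for every subclass, so once `login_x509` is mounted the server log no longer shows which login endpoint handled a request. Logging the concrete class, e.g. `self.debug('WSGI %s.__call__:' % type(self).__name__)`, keeps Kerberos and certificate logins distinguishable when the log is used as an audit trail. The new base class also has no docstring; a short one should say that it is abstract (`key = None`) and must not be registered itself, because `_on_finalize` passes `self.key` to `wsgi_dispatch.mount` unconditionally. `__call__` continues past the end of this hunk.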
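Review bot: `class login_x509(KerberosLogin)` is missing its trailing colon, so `ipaserver/rpcserver.py` fails to import with a SyntaxError and none of the endpoints in the module would load; the line should read `class login_x509(KerberosLogin):`. Separately, the inherited `__call__` (its `return` is the context line at the top of this hunk) still passes the literal `'login_kerberos'` to `finalize_kerberos_acquisition`, so certificate logins would be recorded under the Kerberos label if that argument is used for logging, which seems likely but is not visible here; passing `type(self).__name__` would keep the two apart. Neither new class documents what authenticates the request: the visible part of `__call__` only reads `KRB5CCNAME` from the environ, so `/session/login_x509` presumably relies on the web server having verified the client certificate and created that ccache, and the matching server configuration is not part of this patch. A comment on `login_x509` stating that dependency would let a reviewer check that the location cannot be reached without it.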
