URL: https://github.com/freeipa/freeipa/pull/547
Author: simo5
Title: #547: Use GSS-SPNEGO if connecting locally
Action: opened

PR body:
"""
GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/547/head:pr547
git checkout pr547
From 990f35d49602866724849f900e69079c5df6f86b Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/ipaldap.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 82d45b9..b158598 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -52,6 +52,7 @@
 
 # Global variable to define SASL auth
 SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')
 
 _debug_log_ldap = False
 
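Review bot: the comment above these constants, "# Global variable to define SASL auth", is singular and gives no hint why two mechanisms now exist. I would reword it to cover both SASL_GSSAPI and SASL_GSS_SPNEGO and note that GSS-SPNEGO is only meant for ldapi connections because of the Cyrus SASL compatibility issue described in the commit message, so that a later change does not start using it on the remote path by accident.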
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None):
         Perform SASL bind operation using the SASL GSSAPI mechanism.
         """
         with self.error_handler():
-            auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+            if self._protocol == 'ldapi':
+                auth_tokens = SASL_GSS_SPNEGO
+            else:
+                auth_tokens = SASL_GSSAPI
             self._flush_schema()
             self.conn.sasl_interactive_bind_s(
                 '', auth_tokens, server_controls, client_controls)
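Review bot: the docstring of gssapi_bind still says "Perform SASL bind operation using the SASL GSSAPI mechanism", which is no longer accurate once the `if self._protocol == 'ldapi':` branch selects SASL_GSS_SPNEGO; please update it to name both mechanisms and the condition that chooses between them. The same branch also has no fallback: if the GSS-SPNEGO bind fails on a host whose SASL library lacks the fixed negotiation, the failure goes straight through error_handler() with no retry using SASL_GSSAPI. Either add a retry with SASL_GSSAPI or state in the docstring that the fixed Cyrus SASL is a hard requirement for ldapi binds.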
-- 