[Freeipa-devel] [PATCH] Use more krb
Simo Sorce
ssorce at redhat.com
Mon Oct 1 16:41:24 UTC 2007
On Mon, 2007-10-01 at 12:19 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > This patch changes a bit of code to rely more on kerberos.
> >
> > It also changes ipa-adduser to something I think is a more useful
> > workflow, it does not require an email for example as we don't need it.
> > Instead it allows passing a principal name in case you need to create
> > specific one or want to avoid conflicts with an exiting one.
>
> What about the other tools?
Working on it while I explore the code.
Any "must do" pointers are very welcome.
> > This patch also removes some classes we don't want to use by default for
> > users.
> >
> > Note: this patch may not apply cleanly as a pull from upstream after the
> > commit required me a merge. I have the merge patch in my tree so just
> > ack/nack it and I will push both the patch and the merge patch at the
> > same time.
>
> I'd rather ack the actual patch that is going to be committed.
>
> Other comments in-line in the code, marked by []
>
> [ E-mail is required in the GUI so I made it required here for
> consistency. ]
Ah I see, then I guess we should remove the requirement in the GUI.
Service accounts may very well not have an email anyway.
> [ /home should not be hardcoded here. It is currently hardcoded on the
> server side. This needs not be hardcoded anywhere but should be stored
> in LDAP somewhere. I'd rather not have to fix both places in the future
> though. ]
Uhmmm ... make sense, I will think how to best fix this in a following patch.
> [ Why not add groups at the same time? ]
I think it is a bit too much to list groups in interactive mode.
Unattended is different.
> diff -r e950c62a04f9 -r fbee5ea59a1f ipa-python/freeipa-python.spec
> --- a/ipa-python/freeipa-python.spec Fri Sep 28 14:55:28 2007 -0400
> +++ b/ipa-python/freeipa-python.spec Mon Oct 01 11:35:40 2007 -0400
> @@ -10,7 +10,7 @@ BuildRoot: %{_tmppath}/%{name}-%{ve
> BuildRoot:
> %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
> BuildArch: noarch
>
> -Requires: python PyKerberos python-krbV
> +Requires: python PyKerberos
>
> [ This looks like a mis-merge. python-krbV is required now ]
Seem it is not in the current pushed code.
Have you added this in some patches not yet pushed?
> @@ -350,8 +360,7 @@ class IPAServer:
> # FIXME: What is the default group for users?
> user['gidnumber'] = '501'
>
> - realm = ipa.config.config.get_realm()
> - user['krbprincipalname'] = "%s@%s" % (user.get('uid'), realm)
> + user['krbprincipalname'] = "%s@%s" % (user.get('uid'),
> self.realm)
>
> [ You need to check to see if krbprincipalname is already set ]
Good catch thanks.
> - user_dn = self.get_user_by_uid(uid, ['dn', 'uid',
> 'objectclass'], opts)
> - if user_dn is None:
> + user = self.get_user_by_principal(principal,
> ['krbprincipalname'], opts)
> + if user is None or user['krbprincipalname'] != principal:
> raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
>
> [ If you do a search on principal how could user['principalname] ever !=
> principal? ]
Just paranoia checking :-)
Simo.
More information about the Freeipa-devel
mailing list