[Freeipa-devel] [PATCH] 357 Use fully qualified CCACHE names

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 31 16:01:22 UTC 2013


On Wed, 30 Jan 2013, Martin Kosek wrote:
>Some parts of install scripts used only ccache name as returned by
>krbV.CCache.name attribute. However, when this name is used again
>to initialize krbV.CCache object or when it is used in KRB5CCNAME
>environmental variable, it fails for new DIR type of CCACHE.
>
>We should always use both CCACHE type and name when referring to
>them to avoid these crashes. ldap2 backend was also updated to
>accept directly krbV.CCache object which contains everything we need
>to authenticate with ccache.
>
>https://fedorahosted.org/freeipa/ticket/3381
Minor comment: there are a few cleanups of 'import krbV' in places where
Kerberos functions are not used. Maybe it would be better to separate
them into their own patch to avoid rebasing issues in the future?

>Please note that this fix is rather a short/medium-term fix for Fedora 18. In
>the long term we should consolidate our CCACHE manipulation code; it now uses
>several different wrappers or just uses the krbV python library directly. I did not
>do any global refactoring in this patch; this should be done after we decide if
>we want to create new, more usable krb5 library bindings, as was already
>discussed in the past.
Yes. John has published his current code for new Python bindings to
libkrb5 at https://github.com/jdennis/python-krb. It is far from
finished but gives a more pythony feeling, and additional contributions are
highly welcomed.

Once it is ready, we can start looking at migrating to it.

> from ipalib import api, errors
> from ipalib.crud import CrudBackend
> from ipalib.request import context
>@@ -783,7 +781,7 @@ class ldap2(CrudBackend):
> 
>         Keyword arguments:
>         ldapuri -- the LDAP server to connect to
>-        ccache -- Kerberos V5 ccache name
>+        ccache -- Kerberos V5 ccache object or name
>         bind_dn -- dn used to bind to the server
>         bind_pw -- password used to bind to the server
>         debug_level -- LDAP debug level option
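Review bot: the docstring line `ccache -- Kerberos V5 ccache object or name` does not say what form a string name must take, and per the commit message a bare name as returned by `krbV.CCache.name` fails for DIR caches. Suggest stating that a string must be a fully qualified `type:name` (or that callers should pass the `krbV.CCache` object), so the contract the code below relies on is visible to callers of `ldap2.create_connection`.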
>@@ -821,10 +819,17 @@ class ldap2(CrudBackend):
>                 if maxssf < minssf:
>                     conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
>             if ccache is not None:
>+                if isinstance(ccache, krbV.CCache):
>+                    principal = ccache.principal().name
>+                    # get a fully qualified CCACHE name (schema+name)
>+                    ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
>+                                                        name=ccache.name)
Maybe a comment could be added here that we don't use the krbV.CCache
instance afterwards and it is OK to override the reference to it by a
string?

>+                else:
>+                    principal = krbV.CCache(name=ccache,
>+                        context=krbV.default_context()).principal().name
>+
>                 os.environ['KRB5CCNAME'] = ccache
>                 conn.sasl_interactive_bind_s(None, SASL_AUTH)
>-                principal = krbV.CCache(name=ccache,
>-                            context=krbV.default_context()).principal().name
>                 setattr(context, 'principal', principal)
>             else:
>                 # no kerberos ccache, use simple bind or external sasl
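Review bot: the `else` branch still hands the raw string to `krbV.CCache(name=ccache, ...)` and then to `os.environ['KRB5CCNAME']`, so a caller that passes a bare name taken from `krbV.CCache.name` still hits the DIR-ccache failure the commit message describes; only callers passing a `krbV.CCache` object get the fix. Suggest either rebuilding `"%(type)s:%(name)s"` from the `krbV.CCache` object in that branch as well, or documenting that a string argument must already be in `type:name` form. Smaller point: `principal` is now resolved before `conn.sasl_interactive_bind_s(None, SASL_AUTH)` instead of after it, which looks harmless but changes where a bad ccache fails, so a line in the commit message would help.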

-- 
/ Alexander Bokovoy
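As an added illustration of the type:name qualification the commit message describes (this is not code from the patch or from FreeIPA), the helpers below parse a ccache name into its type and residual, check whether a name is already fully qualified, and build the qualified form the way the ldap2 hunk does; they also cover the DIR:: subsidiary-cache form and an already-qualified input. The type list, the two-letter prefix rule and the FILE default for bare names are assumptions made here.

```python
import re

# Assumed list of ccache types krb5 recognises on Linux; a name without one
# of these prefixes is a bare residual that krb5 treats as a FILE cache.
KNOWN_CCACHE_TYPES = ("FILE", "DIR", "KEYRING", "MEMORY", "KCM")

# A type prefix is two or more letters followed by a colon. The two-letter
# minimum is an assumption so a Windows drive letter ("C:\...") is not read
# as a type. The residual may itself start with ':' (DIR::/path/tkt selects
# one cache inside a DIR collection), which the pattern keeps intact.
_TYPE_RE = re.compile(r"^([A-Za-z]{2,}):(.*)$", re.DOTALL)


def parse_ccache_name(name):
    """Split a ccache name into (type, residual); bare names default to FILE.

    This is the trap the patch addresses: for a DIR cache the bare residual
    is just a directory, so reusing krbV.CCache.name alone loses the type.
    """
    m = _TYPE_RE.match(name)
    if not m:
        return "FILE", name
    return m.group(1).upper(), m.group(2)


def is_fully_qualified(name):
    """True if the name carries an explicit, known ccache type prefix."""
    m = _TYPE_RE.match(name)
    return bool(m) and m.group(1).upper() in KNOWN_CCACHE_TYPES


def qualify_ccache_name(cc_type, residual):
    """Return the TYPE:residual string suitable for KRB5CCNAME.

    Mirrors the "%(type)s:%(name)s" formatting in the ldap2 hunk, but also
    accepts a residual that is already qualified: it is returned normalised
    when its type agrees with cc_type and rejected when it does not.
    """
    cc_type = cc_type.upper()
    if cc_type not in KNOWN_CCACHE_TYPES:
        raise ValueError("unknown ccache type: %s" % cc_type)
    if _TYPE_RE.match(residual):
        found_type, found_residual = parse_ccache_name(residual)
        if found_type != cc_type:
            raise ValueError("%r is already a %s ccache" % (residual, found_type))
        return "%s:%s" % (found_type, found_residual)
    return "%s:%s" % (cc_type, residual)
```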
