[Freeipa-devel] [PATCH] 357 Use fully qualified CCACHE names

Martin Kosek mkosek at redhat.com
Thu Jan 31 16:26:40 UTC 2013


On 01/31/2013 05:01 PM, Alexander Bokovoy wrote:
> On Wed, 30 Jan 2013, Martin Kosek wrote:
>> Some parts of install scripts used only ccache name as returned by
>> krbV.CCache.name attribute. However, when this name is used again
>> to initialize krbV.CCache object or when it is used in KRB5CCNAME
>> environmental variable, it fails for new DIR type of CCACHE.
>>
>> We should always use both CCACHE type and name when referring to
>> them to avoid these crashes. ldap2 backend was also updated to
>> accept directly krbV.CCache object which contains everything we need
>> to authenticate with ccache.
>>
>> https://fedorahosted.org/freeipa/ticket/3381
> Minor comment: there are a few cleanups of 'import krbV' in places where
> Kerberos functions are not used. Maybe it would be better to separate
> them into their own patch to avoid rebasing issues in the future?

Sure, good idea. Attaching both patches.

> 
>> Please note that this fix is rather a short/medium-term fix for Fedora 18. In
>> a long term we should consolidate our CCACHE manipulation code, it now uses
>> several different wrappers or just uses krbV python library directly. I did not
>> do any global refactoring in this patch, this should be done after we decide if
>> we want to create a new, more usable krb5 library bindings as was already
>> discussed in the past.
> Yes. John has published his current code for new Python bindings to
> libkrb5 at https://github.com/jdennis/python-krb. It is far from
> finished but gives more pythony feeling and additional contributions are
> highly welcomed.
> 
> Once it is ready, we can start looking at migrating to it.

Agreed. During the migration, it would then make sense to also refactor and
consolidate our CCACHE manipulation code.


> 
>> from ipalib import api, errors
>> from ipalib.crud import CrudBackend
>> from ipalib.request import context
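Review bot: the changed lines of this hunk are outside the quoted excerpt, but the next hunk header (`@@ -783,7 +781,7 @@`) shows two lines were removed above these imports, while the `@@ -821` hunk below still calls `krbV.CCache` and `krbV.default_context()` in this same file. Since the `import krbV` cleanups are being split into the separate 357.1 patch, please confirm that `import krbV` survives in ldap2.py after both patches are applied; otherwise the new branch raises NameError at bind time.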
>> @@ -783,7 +781,7 @@ class ldap2(CrudBackend):
>>
>>         Keyword arguments:
>>         ldapuri -- the LDAP server to connect to
>> -        ccache -- Kerberos V5 ccache name
>> +        ccache -- Kerberos V5 ccache object or name
>>         bind_dn -- dn used to bind to the server
>>         bind_pw -- password used to bind to the server
>>         debug_level -- LDAP debug level option
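Review bot: the docstring line `ccache -- Kerberos V5 ccache object or name` should state that a string must be the fully qualified `type:name` form, since the `else:` branch in the `@@ -821` hunk passes it unchanged to both `krbV.CCache(name=...)` and `KRB5CCNAME`, and a bare name reproduces exactly the DIR-type failure this patch fixes. Suggest: `ccache -- Kerberos V5 ccache object or fully qualified ccache name (type:name)`.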
>> @@ -821,10 +819,17 @@ class ldap2(CrudBackend):
>>                 if maxssf < minssf:
>>                     conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
>>             if ccache is not None:
>> +                if isinstance(ccache, krbV.CCache):
>> +                    principal = ccache.principal().name
>> +                    # get a fully qualified CCACHE name (schema+name)
>> +                    ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
>> +                                                        name=ccache.name)
> Maybe a comment could be added here that we don't use the krbV.CCache
> instance afterwards and it is OK to override the reference to it with a
> string?

Comment added.

> 
>> +                else:
>> +                    principal = krbV.CCache(name=ccache,
>> +                        context=krbV.default_context()).principal().name
>> +
>>                 os.environ['KRB5CCNAME'] = ccache
>>                 conn.sasl_interactive_bind_s(None, SASL_AUTH)
>> -                principal = krbV.CCache(name=ccache,
>> -                            context=krbV.default_context()).principal().name
>>                 setattr(context, 'principal', principal)
>>             else:
>>                 # no kerberos ccache, use simple bind or external sasl
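Review bot: the `else:` branch (`principal = krbV.CCache(name=ccache, ...)`) still accepts any string without checking for a type prefix, so any caller not updated by this patch keeps hitting the DIR-type crash from the commit message, now at `krbV.CCache(name=ccache)` instead of later in the bind. Consider rejecting strings with no `:` with a clear error, or at least logging the resolved ccache at debug level so the failure is attributable. The `"%(type)s:%(name)s"` formatting is also the same thing the install scripts now have to do; a small shared helper that returns the qualified name from a `krbV.CCache` would keep the two from drifting. Finally, `os.environ['KRB5CCNAME'] = ccache` is unchanged context here but is process-wide and never restored, so passing a ccache object for one connection silently changes the default ccache for every later Kerberos call in the process.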
> 

Updated patches attached.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-357.1-2-remove-unused-krbv-imports.patch
Type: text/x-patch
Size: 2305 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130131/5a0db7a4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-357.2-2-use-fully-qualified-ccache-names.patch
Type: text/x-patch
Size: 5935 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130131/5a0db7a4/attachment-0001.bin>