[Freeipa-devel] [PATCH] 531-541 OTP UI

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 6 13:30:34 UTC 2014


On Thu, 06 Feb 2014, Petr Vobornik wrote:
>On 5.2.2014 18:54, Alexander Bokovoy wrote:
>>On Wed, 05 Feb 2014, Nathaniel McCallum wrote:
>>>On Tue, 2014-01-21 at 17:45 +0100, Petr Vobornik wrote:
>>>>from ipaserver.dcerpc import DomainValidator
>>>
>>>Patch 541 is NACK because ipaserver.dcerpc only exists in
>>>freeipa-server-trust-ad.
>>I agree. Instead of modifying a highly specialized code in
>>ipaserver.dcerpc, you can extend a general purpose kinit code in
>>ipapython/ipautil.py or add a separate one there to handle FAST part.
>>
>
>I've implemented a new version of patch 541 which doesn't use the dcerpc 
>module (attached).
>
>This new version might be incorrect as well. The new form based login 
>works as follows:
>- calls kinit with HTTP keytab to get armor ccache
>- calls kinit with user credentials and armor_ccache
>- calls kdestroy to cleanup the armor_ccache
>
>It was inspired by existing code in dcerpc.py and rpcserver.py.
>
>The question is whether we should avoid calling sub-processes and 
>rather use the krbV lib as in ipapython.ipautil.kinit_hostprincipal. Rob 
>mentioned that subprocess calls within Apache are quite expensive.
Yes, they are. Given that it only needs to happen once per session
setup, it might be affordable in most cases.

The main issue, however, is whether krbV supports using an armor ccache
or not. Looking at the code, it seems it is possible to do double
rotation by passing an existing ccache object and using a different
principal, but the code fails:

# python
Python 2.7.5 (default, Nov 12 2013, 16:45:54) 
[GCC 4.8.2 20131017 (Red Hat 4.8.2-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import krbV
>>> cc=krbV.CCache(primary_principal=krbV.Principal('host/masteripa.ipa.weald.vda.li'))
>>> cc1=krbV.CCache(ccache=cc,primary_principal=krbV.Principal('admin'))
Segmentation fault
# 

-- 
/ Alexander Bokovoy
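The three-step flow Petr describes above (service-keytab kinit into an armor ccache, FAST-armored password kinit for the user, kdestroy of the armor ccache) as a self-contained example. This is added illustration, not the patch 541 code or FreeIPA's rpcserver.py; it drives the MIT krb5 command-line tools through subprocess, so the subprocess-cost question raised in the thread applies to it as well. The keytab path, principal names, realm and ccache locations are assumptions, and `run` is injectable so the control flow (including the cleanup-on-failure path) can be exercised without a KDC.

```python
"""FAST-armored form-based login, as an added example (not FreeIPA's code).

Steps, following the thread:
  1. kinit -k with the HTTP service keytab into a throw-away armor ccache
  2. kinit for the user, armored with that ccache (-T), password on stdin
  3. kdestroy the armor ccache, also when step 2 fails
All paths and principal names below are assumptions for illustration.
"""
import os
import subprocess
import tempfile

KINIT = "kinit"        # MIT krb5 tools, assumed to be on PATH
KDESTROY = "kdestroy"


def armor_kinit_argv(keytab, service_principal, armor_ccache):
    """Step 1: TGT for the HTTP service principal from its keytab, stored in a
    dedicated armor ccache (never the user's ccache)."""
    return [KINIT, "-k", "-t", keytab, "-c", armor_ccache, service_principal]


def user_kinit_argv(user_principal, user_ccache, armor_ccache):
    """Step 2: password kinit for the user, FAST-armored with the service TGT.
    The password is deliberately not part of argv (argv is visible in ps)."""
    return [KINIT, "-T", armor_ccache, "-c", user_ccache, user_principal]


def kdestroy_argv(ccache):
    """Step 3: drop the armor credentials."""
    return [KDESTROY, "-c", ccache]


def _run(argv, stdin_data=None):
    """Execute one tool; a non-zero exit is turned into an exception."""
    proc = subprocess.run(argv, input=stdin_data, capture_output=True,
                          check=False)
    if proc.returncode != 0:
        raise RuntimeError("%s failed (%d): %s" % (
            argv[0], proc.returncode,
            proc.stderr.decode(errors="replace").strip()))
    return proc


def form_login(user_principal, password, keytab, service_principal,
               user_ccache, run=_run):
    """Armored password login. Returns the argv lists executed, in order.

    A fresh armor ccache is created per call so concurrent requests in
    different Apache workers never share or race on it, and it is destroyed
    in a finally block so a failed user kinit cannot leave it behind.
    """
    fd, armor_ccache = tempfile.mkstemp(prefix="krb5_armor_")  # mode 0600
    os.close(fd)  # kinit re-initialises (truncates) the FILE ccache itself
    executed = []
    try:
        argv = armor_kinit_argv(keytab, service_principal, armor_ccache)
        executed.append(argv)
        run(argv)

        argv = user_kinit_argv(user_principal, user_ccache, armor_ccache)
        executed.append(argv)
        # kinit reads the password from stdin when stdin is not a terminal
        run(argv, stdin_data=(password + "\n").encode())
    finally:
        argv = kdestroy_argv(armor_ccache)
        executed.append(argv)
        try:
            run(argv)
        finally:
            if os.path.exists(armor_ccache):
                os.unlink(armor_ccache)
    return executed


if __name__ == "__main__":
    # Assumed names; needs a reachable KDC and the HTTP keytab to succeed.
    cmds = form_login("admin@EXAMPLE.TEST", "password-from-form",
                      "/etc/httpd/conf/ipa.keytab",
                      "HTTP/ipa.example.test@EXAMPLE.TEST",
                      "/tmp/krb5cc_form_login")
    for c in cmds:
        print(" ".join(c))
```

Two points worth keeping whichever implementation is chosen: the password must reach kinit via stdin rather than argv, and the armor ccache must be per-request and removed even when the user kinit fails, otherwise a wrong password leaves a service TGT lying around in the temp directory.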



