[Freeipa-devel] [PATCH 64] Implement password based session login

Rob Crittenden rcritten at redhat.com
Mon Feb 27 18:50:26 UTC 2012


John Dennis wrote:
> Attached is a revised patch, it addresses the following concerns raised
> during review:
>
> * The version in ipa.conf has been bumped.
>
> * Rob reported duplicate session cookies being returned. As far as I can
> tell this was due to a Python bug where it reused the value of a default
> keyword parameter from a previous invocation rather than re-initializing
> it. Workaround is to change the default value from [] to None and
> create an empty list if the arg is None.
>
> * Rob reported two test failures, one for ERRNO (e.g. **1234**) not
> being present in the docstring for an error I added and the other was
> for a change in the wsgi dispatch route() method that showed up in
> test_rpcserver.py

The Requires on krb5-workstation is not required. The server requires 
the client which requires it.

I think you need a more unique way of generating the ccache name when 
doing the kinit (I'd use tempfile.mkstemp).

There is an incorrect comment in internal_error().

You want to return 401 Unauthorized and not 403 Forbidden on password 
failures.

We shouldn't support the GET method as the password will appear in the logs:

192.168.0.1 - - [27/Feb/2012:13:46:31 -0500] "GET /ipa/session/login_password?user=admin&password=password HTTP/1.1" 200 -

rob
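
Three of the review points above (a ccache name from tempfile.mkstemp, 401 on password failure, no GET for password login), shown together as an added example that is not part of the original message or of the FreeIPA patch. It is a minimal WSGI handler; verify_password is a hypothetical hook standing in for the kinit call, and the krb5cc_login_ prefix is an assumed name.

```python
import os
import tempfile
from urllib.parse import parse_qs


def new_ccache_path(directory=None):
    """Create an empty ccache file with an unpredictable name and return its path."""
    # mkstemp opens the file with O_EXCL and mode 0600, so nobody can pre-create it.
    fd, path = tempfile.mkstemp(prefix="krb5cc_login_", dir=directory)
    os.close(fd)
    return path


def make_login_app(verify_password):
    """Build a password-login WSGI app.

    verify_password(user, password, ccache) -> bool is a hypothetical hook;
    it is where a kinit into the given ccache would happen.
    """
    def app(environ, start_response):
        def reply(status, extra=()):
            start_response(status, [("Content-Type", "text/plain")] + list(extra))
            return [status.encode("ascii")]

        # Credentials must travel in the request body: the request line,
        # query string included, is what ends up in the access log.
        if environ.get("REQUEST_METHOD") != "POST":
            return reply("405 Method Not Allowed", [("Allow", "POST")])
        if environ.get("QUERY_STRING"):
            return reply("400 Bad Request")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return reply("400 Bad Request")
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        form = parse_qs(body)
        user = form.get("user", [""])[0]
        password = form.get("password", [""])[0]
        if not user or not password:
            return reply("400 Bad Request")

        ccache = new_ccache_path()
        try:
            ok = verify_password(user, password, ccache)
        finally:
            os.unlink(ccache)  # sketch only: a real server keeps it with the session
        # A failed password is an authentication failure: 401, not 403.
        return reply("200 OK" if ok else "401 Unauthorized")
    return app
```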
