[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Michael Šimáček msimacek at redhat.com
Thu Jul 30 13:06:46 UTC 2015


On 2015-07-29 11:56, Christian Heimes wrote:
> On 2015-07-29 10:09, Michael Šimáček wrote:
>> GSSAPI doesn't provide any method (that I'm aware of) to get the default
>> ccache name. In most cases this is not needed, as we can simply not pass
>> any name and it will use the default. The ldap plugin had to be adjusted
>> for this - the connect method now takes a new use_gssapi argument, which
>> can turn on gssapi support without the need to supply an explicit ccache
>> name. The only place where the ccache name is really needed is the test
>> server, where I use the system klist command to obtain it.
>
> You can use ctypes or cffi for the task, too. It's much faster and more
> convenient. Here is a quick example how to use ctypes for the function
> calls. kdcproxy uses similar code to parse /etc/krb5.conf.
>
>>>> import ctypes
>>>> LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
>>>> ctx = ctypes.c_void_p()
>>>> ccache = ctypes.c_void_p()
>>>> LIBKRB5.krb5_init_context(ctypes.byref(ctx))
> 0
>>>> LIBKRB5.krb5_cc_default(ctx, ctypes.byref(ccache))
> 0
>>>> LIBKRB5.krb5_cc_get_type.restype = ctypes.c_char_p
>>>> LIBKRB5.krb5_cc_get_name.restype = ctypes.c_char_p
>>>> LIBKRB5.krb5_cc_get_type(ctx, ccache)
> 'KEYRING'
>>>> LIBKRB5.krb5_cc_get_name(ctx, ccache)
> 'persistent:1000:1000'
>>>> LIBKRB5.krb5_cc_close(ctx, ccache)
>>>> LIBKRB5.krb5_free_context(ctx)
>
> If you like the approach I can write a safer implementation with
> proper error checking.
>

I didn't use ctypes, because it was advised against on this list:
https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html
For the tests it's probably fine, but so is using klist.
It would actually help a lot with getting the default realm name, but
I'm afraid that the second point about problems with ctypes and SELinux
in httpd still holds.

Michael
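The quoted ctypes session, redone with the error checking Christian offers to add. This is an added example, not code from the thread or from FreeIPA; it assumes MIT-style libkrb5 (krb5_get_error_message / krb5_free_error_message are the library's real API), and the helper names _load_libkrb5, _check and default_ccache are this example's own.

```python
import ctypes
import ctypes.util

class Krb5Error(Exception):
    """A libkrb5 call returned a non-zero krb5_error_code."""

def _load_libkrb5():
    lib = ctypes.CDLL(ctypes.util.find_library("krb5") or "libkrb5.so.3")
    # Declare prototypes: without argtypes/restype ctypes treats every value
    # as a C int, which silently truncates pointers on 64-bit hosts.
    void_p, int32 = ctypes.c_void_p, ctypes.c_int32
    lib.krb5_init_context.argtypes, lib.krb5_init_context.restype = [ctypes.POINTER(void_p)], int32
    lib.krb5_cc_default.argtypes, lib.krb5_cc_default.restype = [void_p, ctypes.POINTER(void_p)], int32
    lib.krb5_cc_get_type.argtypes, lib.krb5_cc_get_type.restype = [void_p, void_p], ctypes.c_char_p
    lib.krb5_cc_get_name.argtypes, lib.krb5_cc_get_name.restype = [void_p, void_p], ctypes.c_char_p
    lib.krb5_cc_close.argtypes, lib.krb5_cc_close.restype = [void_p, void_p], int32
    lib.krb5_free_context.argtypes, lib.krb5_free_context.restype = [void_p], None
    # Keep the error string as a raw pointer so it can be given back to krb5_free_error_message.
    lib.krb5_get_error_message.argtypes, lib.krb5_get_error_message.restype = [void_p, int32], void_p
    lib.krb5_free_error_message.argtypes, lib.krb5_free_error_message.restype = [void_p, void_p], None
    return lib

def _check(lib, ctx, code, func):
    """Raise Krb5Error carrying the library's own message when code != 0."""
    if code == 0:
        return
    msg = "unknown error"
    if ctx.value is not None:  # no context yet (init failed): nothing to consult
        ptr = lib.krb5_get_error_message(ctx, code)
        if ptr:
            msg = ctypes.string_at(ptr).decode("utf-8", "replace")
            lib.krb5_free_error_message(ctx, ptr)
    raise Krb5Error("%s failed (%d): %s" % (func, code, msg))

def default_ccache():
    """Return (type, name) of the default ccache, e.g. ('KEYRING', 'persistent:1000:1000')."""
    lib = _load_libkrb5()
    ctx, cc = ctypes.c_void_p(), ctypes.c_void_p()
    _check(lib, ctx, lib.krb5_init_context(ctypes.byref(ctx)), "krb5_init_context")
    try:
        _check(lib, ctx, lib.krb5_cc_default(ctx, ctypes.byref(cc)), "krb5_cc_default")
        try:
            cc_type = lib.krb5_cc_get_type(ctx, cc).decode("utf-8")
            cc_name = lib.krb5_cc_get_name(ctx, cc).decode("utf-8")
        finally:
            lib.krb5_cc_close(ctx, cc)  # release the handle even if decoding failed
    finally:
        lib.krb5_free_context(ctx)
    return cc_type, cc_name
```

As the thread says, this is a fit for the test server; Michael's point about ctypes under httpd with SELinux is unchanged by the error handling.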