[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Michael Šimáček msimacek at redhat.com
Fri Jul 31 14:41:43 UTC 2015 

On 2015-07-31 07:52, Jan Cholasta wrote:
> Hi Michael,
>
> Dne 29.7.2015 v 10:09 Michael Šimáček napsal(a):
>> Hi,
>>
>> this is the first attempt to port FreeIPA from deprecated
>> python3-incompatible python-krbV library to python-gssapi. The patch
>> depends on python-kerberos->python-gssapi patch [1] to apply cleanly,
>> but the overlap is small, so I think it can be at least partially
>> reviewed without it.
>>
>> Comments:
>> I removed Backend.krb and KRB5_CCache classes as they were wrappers
>> around krbV classes. I added few utility functions to krb_utils module
>> that perform part of its functionality (no need for classes, because
>> gssapi acquire calls don't pass any context objects, they wouldn't have
>> any state).
>>
>> I merged the two different kinit_keytab functions.
>>
>> GSSAPI doesn't provide any method (that I'm aware of) to get default
>> ccache name. In most cases this is not needed as we can simply not pass
>> any name and it will use the default. The ldap plugin had to be adjusted
>> for this - the connect method now takes new use_gssapi argument, which
>> can turn on gssapi support without the need to supply explicit ccache
>> name. The only place where the ccache name is really needed is the test
>> server, where I use system klist command to obtain it.
>
> I would prefer if the semantics were the same as in IPAdmin, i.e. GSSAPI
> is used by default if bind password is not specified, see
> IPAdmin.do_bind() in ipapython.ipaldap.

Just to clarify, the current flow in ldap module is:
if ccache: # I added "or use_gssapi" here in this patch
     gssapi_bind
elif autobind:
     external_bind
else:
     simple_bind

and you would like it to be changed into:
if bind_pw:
     simple_bind
elif autobind:
     external_bind
else:
     gssapi_bind

Is that correct?

>
>>
>> It's also not possible to directly get default realm name, what I do is
>> importing nonexistent name, cannonicalizing it and extracting the realm
>> from it. Which should work but is ugly. It would be better if we could
>> modify the places that use it to not need it at all, but it's mostly
>> used in ldap code and I don't understand that part of FreeIPA.
>> Alternative would be parsing /etc/krb.conf.
>
> You should use api.env.realm where possible. I think this should be most
> of the places where default realm is currently used, if not all of them.

That would be great if all the usages could be replaced. How can I 
determine where api.env.realm can be used? In particular, I'm unsure 
about ipapython/config.py/__discover_config and ipaserver/plugins/join.py.

>
>>
>> Sorry for long patch, but I'm afraid it cannot be reasonably split.
>>
>>
>> Ticket:
>> https://fedorahosted.org/freeipa/ticket/5164
>>
>> [1] https://fedorahosted.org/freeipa/ticket/5147
>
> Honza
>

Michael

More information about the Freeipa-devel mailing list