[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Michael Šimáček msimacek at redhat.com
Wed Jul 29 08:09:46 UTC 2015


Hi,

this is the first attempt to port FreeIPA from the deprecated, 
python3-incompatible python-krbV library to python-gssapi. The patch 
depends on the python-kerberos->python-gssapi patch [1] to apply cleanly, 
but the overlap is small, so I think it can be at least partially 
reviewed without it.

Comments:
I removed the Backend.krb and KRB5_CCache classes as they were wrappers 
around krbV classes. I added a few utility functions to the krb_utils module 
that perform part of their functionality (no need for classes, because 
gssapi acquire calls don't pass any context objects, so they wouldn't have 
any state).

I merged the two different kinit_keytab functions.

GSSAPI doesn't provide any method (that I'm aware of) to get the default 
ccache name. In most cases this is not needed as we can simply not pass 
any name and it will use the default. The ldap plugin had to be adjusted 
for this - the connect method now takes a new use_gssapi argument, which 
can turn on gssapi support without the need to supply an explicit ccache 
name. The only place where the ccache name is really needed is the test 
server, where I use the system klist command to obtain it.

It's also not possible to directly get the default realm name; what I do is 
import a nonexistent name, canonicalize it and extract the realm 
from it. This should work but is ugly. It would be better if we could 
modify the places that use it to not need it at all, but it's mostly 
used in ldap code and I don't understand that part of FreeIPA. 
An alternative would be parsing /etc/krb.conf.

Sorry for the long patch, but I'm afraid it cannot be reasonably split.


Ticket:
https://fedorahosted.org/freeipa/ticket/5164

[1] https://fedorahosted.org/freeipa/ticket/5147

--
Michael Simacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-msimacek-0002-2-Port-from-python-krbV-to-python-gssapi.patch
Type: text/x-patch
Size: 68875 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150729/48724041/attachment.bin>
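
Added example (not part of the original message or the FreeIPA patch): the config-parsing alternative mentioned above, as a parser that reads default_realm from krb5.conf-style text. The function name, the sample config and its realm names are constructed; include directives are reported rather than followed, because a parser that skips them can disagree with libkrb5 about the realm.

```python
import re

# Constructed sample config; realm names and paths are illustrative only.
SAMPLE = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 dns_lookup_realm = false
 ; default_realm = COMMENTED.EXAMPLE
 default_realm = IPA.EXAMPLE
 default_realm = SECOND.EXAMPLE
[realms]
 IPA.EXAMPLE = {
  kdc = ipa1.ipa.example
  default_realm = NESTED.EXAMPLE
 }
"""

_SECTION = re.compile(r"^\[([^\]]+)\]")
_RELATION = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")


def parse_default_realm(text):
    """Return (realm or None, include directives seen but not followed)."""
    section, depth, realm, includes = None, 0, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if depth == 0 and line.split(None, 1)[0] in ("include", "includedir"):
            includes.append(line)                 # caller must decide how to handle
            continue
        m = _SECTION.match(line)
        if m and depth == 0:
            section = m.group(1).strip()
            continue
        if line.startswith("}"):                  # end of a { ... } subsection
            depth = max(depth - 1, 0)
            continue
        m = _RELATION.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":                          # start of a subsection
            depth += 1
        elif (section == "libdefaults" and depth == 0
              and key == "default_realm" and realm is None):
            realm = value.strip('"')              # keep first value (assumed libkrb5 behaviour)
    return realm, includes
```

A non-empty second return value means the result may be incomplete, since the realm could be set in an included file.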

