[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Jan Cholasta jcholast at redhat.com
Fri Jul 31 05:52:04 UTC 2015


Hi Michael,

On 29.7.2015 at 10:09, Michael Šimáček wrote:
> Hi,
>
> this is the first attempt to port FreeIPA from deprecated
> python3-incompatible python-krbV library to python-gssapi. The patch
> depends on python-kerberos->python-gssapi patch [1] to apply cleanly,
> but the overlap is small, so I think it can be at least partially
> reviewed without it.
>
> Comments:
> I removed Backend.krb and KRB5_CCache classes as they were wrappers
> around krbV classes. I added a few utility functions to krb_utils module
> that perform part of its functionality (no need for classes, because
> gssapi acquire calls don't pass any context objects, they wouldn't have
> any state).
>
> I merged the two different kinit_keytab functions.
>
> GSSAPI doesn't provide any method (that I'm aware of) to get default
> ccache name. In most cases this is not needed as we can simply not pass
> any name and it will use the default. The ldap plugin had to be adjusted
> for this - the connect method now takes a new use_gssapi argument, which
> can turn on gssapi support without the need to supply explicit ccache
> name. The only place where the ccache name is really needed is the test
> server, where I use system klist command to obtain it.

I would prefer if the semantics were the same as in IPAdmin, i.e. GSSAPI 
is used by default if bind password is not specified, see 
IPAdmin.do_bind() in ipapython.ipaldap.

>
> It's also not possible to directly get default realm name, what I do is
> importing nonexistent name, canonicalizing it and extracting the realm
> from it. Which should work but is ugly. It would be better if we could
> modify the places that use it to not need it at all, but it's mostly
> used in ldap code and I don't understand that part of FreeIPA.
> Alternative would be parsing /etc/krb.conf.

You should use api.env.realm where possible. I think this should be most 
of the places where default realm is currently used, if not all of them.

>
> Sorry for long patch, but I'm afraid it cannot be reasonably split.
>
>
> Ticket:
> https://fedorahosted.org/freeipa/ticket/5164
>
> [1] https://fedorahosted.org/freeipa/ticket/5147

Honza

-- 
Jan Cholasta
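Added example, not code from the FreeIPA patch or from either author. It works through the two lookups the thread says python-gssapi cannot do directly: reading the default ccache name from the system `klist` output (the approach used for the test server), and resolving the default realm in the order Jan suggests, an explicitly configured value such as api.env.realm first, then the realm of the current default principal, then the `default_realm` setting in krb5.conf, the parsing alternative Michael mentions. The function names and the sample `klist` and krb5.conf text are constructed for this example.

```python
"""Default ccache and default realm helpers for code ported off python-krbV.

Added example; the function names, the sample klist output and the sample
krb5.conf below are constructed, not taken from FreeIPA or a real host.
"""

import re
import subprocess

# Constructed sample of MIT `klist` output.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/31/2015 07:00:00  07/31/2015 17:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed minimal krb5.conf; only [libdefaults] is consulted.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 dns_lookup_realm = false
 default_realm = EXAMPLE.COM
 ticket_lifetime = 24h

[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }
"""


def parse_klist(text):
    """Return (ccache_name, default_principal) from klist output; a value
    that is not present comes back as None."""
    ccache = principal = None
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            ccache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
    return ccache, principal


def default_ccache_name():
    """Ask the system klist for the active ccache name. Returns None when
    klist is not installed or reports no cache."""
    try:
        out = subprocess.run(["klist"], capture_output=True, text=True,
                             check=False).stdout
    except OSError:
        return None
    return parse_klist(out)[0]


def realm_from_principal(principal):
    """Extract REALM from 'name@REALM'. A backslash-escaped '@' inside the
    name component is not treated as the realm separator."""
    m = re.match(r"^(?:[^@\\]|\\.)*@([^@]+)$", principal)
    return m.group(1) if m else None


def default_realm_from_krb5_conf(text):
    """Return default_realm from the [libdefaults] section, or None.
    Other sections (including brace-nested [realms]) are skipped."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def default_realm(explicit_realm=None, klist_text=None, krb5_conf_text=None):
    """Resolve the realm: explicit configuration (api.env.realm in FreeIPA)
    wins, then the default principal's realm, then krb5.conf."""
    if explicit_realm:
        return explicit_realm
    if klist_text:
        principal = parse_klist(klist_text)[1]
        realm = realm_from_principal(principal) if principal else None
        if realm:
            return realm
    if krb5_conf_text:
        return default_realm_from_krb5_conf(krb5_conf_text)
    return None
```

The krb5.conf reader deliberately handles only the flat `key = value` lines of `[libdefaults]`; relations nested in braces elsewhere in the file are ignored rather than parsed, which is all that is needed to recover `default_realm`.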
