Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
committed by
Martin Kosek
parent
95b1848f19
commit
2da6d6e746
@@ -93,17 +93,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5
|
|||||||
Requires: openldap-clients
|
Requires: openldap-clients
|
||||||
Requires: nss
|
Requires: nss
|
||||||
Requires: nss-tools
|
Requires: nss-tools
|
||||||
%if 0%{?fedora} >= 16
|
Requires: krb5-server >= 1.9.2-6
|
||||||
Requires: krb5-server >= 1.9.1-15
|
|
||||||
%else
|
|
||||||
Requires: krb5-server
|
|
||||||
%endif
|
|
||||||
Requires: krb5-pkinit-openssl
|
Requires: krb5-pkinit-openssl
|
||||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||||
Requires: ntp
|
Requires: ntp
|
||||||
Requires: httpd
|
Requires: httpd
|
||||||
Requires: mod_wsgi
|
Requires: mod_wsgi
|
||||||
Requires: mod_auth_kerb >= 5.4-9
|
Requires: mod_auth_kerb >= 5.4-8
|
||||||
Requires: mod_nss >= 1.0.8-10
|
Requires: mod_nss >= 1.0.8-10
|
||||||
Requires: python-ldap
|
Requires: python-ldap
|
||||||
Requires: python-krbV
|
Requires: python-krbV
|
||||||
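Review bot: The mod_auth_kerb floor in this hunk moves from 5.4-9 to 5.4-8 while the krb5-server floor goes to 1.9.2-6; the direction is inferred from the rendered column order, but if 5.4-8 is the new value it is worth confirming that build actually carries the S4U2Proxy patches, since a floor that is too low lets the server install against a mod_auth_kerb that cannot do constrained delegation, and with ticket forwarding now off by default the LDAP hop then fails. Dropping `%if 0%{?fedora} >= 16` makes `Requires: krb5-server >= 1.9.2-6` unconditional, so every build target now needs that n-v-r available rather than the bare `Requires: krb5-server` fallback. A spec comment next to the line, `# >= 1.9.2-6 required for S4U2Proxy (ticket 1098)`, would record why the floor exists so it is not relaxed later.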
@@ -672,8 +668,11 @@ fi
|
|||||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 31 2012 Rob Crittenden <rcritten@redhat.com> - 2.99.0-15
|
||||||
|
- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches
|
||||||
|
|
||||||
* Wed Jan 11 2012 Rob Crittenden <rcritten@redhat.com> - 2.99.0-14
|
* Wed Jan 11 2012 Rob Crittenden <rcritten@redhat.com> - 2.99.0-14
|
||||||
- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
|
- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support
|
||||||
|
|
||||||
* Fri Dec 9 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.99.0-13
|
* Fri Dec 9 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.99.0-13
|
||||||
- Fix dependency for samba4-devel package
|
- Fix dependency for samba4-devel package
|
||||||
|
|||||||
@@ -174,7 +174,7 @@ objectClass: groupOfPrincipals
|
|||||||
objectClass: top
|
objectClass: top
|
||||||
cn: ipa-http-delegation
|
cn: ipa-http-delegation
|
||||||
memberPrincipal: HTTP/$HOST@$REALM
|
memberPrincipal: HTTP/$HOST@$REALM
|
||||||
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
|
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
|
||||||
|
|
||||||
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
|
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
|
||||||
changetype: add
|
changetype: add
|
||||||
|
|||||||
3
ipa.1
3
ipa.1
@@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR.
|
|||||||
\fB\-d\fR, \fB\-\-debug\fR
|
\fB\-d\fR, \fB\-\-debug\fR
|
||||||
Produce full debugging output.
|
Produce full debugging output.
|
||||||
.TP
|
.TP
|
||||||
|
\fB\-\-\-delegate\fR
|
||||||
|
Delegate the user's TGT to the IPA server
|
||||||
|
.TP
|
||||||
\fB\-e\fR \fIKEY=VAL\fR
|
\fB\-e\fR \fIKEY=VAL\fR
|
||||||
Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
|
Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
|
||||||
.TP
|
.TP
|
||||||
|
|||||||
@@ -110,7 +110,7 @@ class Executioner(Backend):
|
|||||||
self.Backend.ldap2.connect(ccache=ccache)
|
self.Backend.ldap2.connect(ccache=ccache)
|
||||||
else:
|
else:
|
||||||
self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
|
self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
|
||||||
fallback=self.env.fallback)
|
fallback=self.env.fallback, delegate=self.env.delegate)
|
||||||
if client_ip is not None:
|
if client_ip is not None:
|
||||||
setattr(context, "client_ip", client_ip)
|
setattr(context, "client_ip", client_ip)
|
||||||
|
|
||||||
|
|||||||
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
|
|||||||
('prompt_all', False),
|
('prompt_all', False),
|
||||||
('interactive', True),
|
('interactive', True),
|
||||||
('fallback', True),
|
('fallback', True),
|
||||||
|
('delegate', False),
|
||||||
|
|
||||||
# Enable certain optional plugins:
|
# Enable certain optional plugins:
|
||||||
('enable_ra', False),
|
('enable_ra', False),
|
||||||
|
|||||||
@@ -530,6 +530,9 @@ class API(DictProxy):
|
|||||||
parser.add_option('-d', '--debug', action='store_true',
|
parser.add_option('-d', '--debug', action='store_true',
|
||||||
help='Produce full debuging output',
|
help='Produce full debuging output',
|
||||||
)
|
)
|
||||||
|
parser.add_option('--delegate', action='store_true',
|
||||||
|
help='Delegate the TGT to the IPA server',
|
||||||
|
)
|
||||||
parser.add_option('-v', '--verbose', action='count',
|
parser.add_option('-v', '--verbose', action='count',
|
||||||
help='Produce more verbose output. A second -v displays the XML-RPC request',
|
help='Produce more verbose output. A second -v displays the XML-RPC request',
|
||||||
)
|
)
|
||||||
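Review bot: The help string `'Delegate the TGT to the IPA server'` says what the flag does but not when it is needed or what it costs; since the option forwards the user's credentials to the server and is now only required against servers without S4U2Proxy, something like `help="Forward the user's TGT to the IPA server (only needed for servers without S4U2Proxy support)"` would steer users away from enabling it by habit. The same option is documented in the ipa.1 hunk above as `\fB\-\-\-delegate\fR`, three escaped hyphens, which renders as ---delegate; it should be `\fB\-\-delegate\fR`. The new `add_option` carries no `default=`, so an unset option is None and is skipped by the `is not None` filter in the later hunk, letting the `('delegate', False)` config default apply; that matches how `--debug` is handled here.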
@@ -570,7 +573,7 @@ class API(DictProxy):
|
|||||||
pass
|
pass
|
||||||
overrides[str(key.strip())] = value.strip()
|
overrides[str(key.strip())] = value.strip()
|
||||||
for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
|
for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
|
||||||
'fallback'):
|
'fallback', 'delegate'):
|
||||||
value = getattr(options, key, None)
|
value = getattr(options, key, None)
|
||||||
if value is not None:
|
if value is not None:
|
||||||
overrides[key] = value
|
overrides[key] = value
|
||||||
|
|||||||
@@ -232,6 +232,7 @@ class KerbTransport(SSLTransport):
|
|||||||
"""
|
"""
|
||||||
Handles Kerberos Negotiation authentication to an XML-RPC server.
|
Handles Kerberos Negotiation authentication to an XML-RPC server.
|
||||||
"""
|
"""
|
||||||
|
flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
|
||||||
|
|
||||||
def _handle_exception(self, e, service=None):
|
def _handle_exception(self, e, service=None):
|
||||||
(major, minor) = ipautil.get_gsserror(e)
|
(major, minor) = ipautil.get_gsserror(e)
|
||||||
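Review bot: The new class attribute `flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG` is where GSS_C_DELEG_FLAG is dropped, but nothing in the class says so, and the docstring above it still describes only negotiation. A comment on the attribute would stop the next reader from re-adding the flag: `# GSS-API flags requested at context init. GSS_C_DELEG_FLAG is deliberately absent: the server uses S4U2Proxy, so the client's TGT is not forwarded; DelegatedKerbTransport is the opt-in for the old behaviour.` The class body continues outside the hunk.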
@@ -257,10 +258,7 @@ class KerbTransport(SSLTransport):
|
|||||||
service = "HTTP@" + host.split(':')[0]
|
service = "HTTP@" + host.split(':')[0]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
(rc, vc) = kerberos.authGSSClientInit(service,
|
(rc, vc) = kerberos.authGSSClientInit(service, self.flags)
|
||||||
kerberos.GSS_C_DELEG_FLAG |
|
|
||||||
kerberos.GSS_C_MUTUAL_FLAG |
|
|
||||||
kerberos.GSS_C_SEQUENCE_FLAG)
|
|
||||||
except kerberos.GSSError, e:
|
except kerberos.GSSError, e:
|
||||||
self._handle_exception(e)
|
self._handle_exception(e)
|
||||||
|
|
||||||
@@ -284,6 +282,14 @@ class KerbTransport(SSLTransport):
|
|||||||
return (host, extra_headers, x509)
|
return (host, extra_headers, x509)
|
||||||
|
|
||||||
|
|
||||||
|
class DelegatedKerbTransport(KerbTransport):
|
||||||
|
"""
|
||||||
|
Handles Kerberos Negotiation authentication and TGT delegation to an
|
||||||
|
XML-RPC server.
|
||||||
|
"""
|
||||||
|
flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \
|
||||||
|
kerberos.GSS_C_SEQUENCE_FLAG
|
||||||
|
|
||||||
class xmlclient(Connectible):
|
class xmlclient(Connectible):
|
||||||
"""
|
"""
|
||||||
Forwarding backend plugin for XML-RPC client.
|
Forwarding backend plugin for XML-RPC client.
|
||||||
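Review bot: `flags` in DelegatedKerbTransport restates the two base flags by hand, so a later change to KerbTransport.flags would silently diverge from the delegating variant; deriving it as `flags = KerbTransport.flags | kerberos.GSS_C_DELEG_FLAG` keeps the only difference between the two transports visible as the single delegation bit. The docstring could also name the consequence of that bit — the user's TGT is forwarded to the server and can be used by it on the user's behalf — so a caller picking this transport knows it is the credential-forwarding path.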
@@ -303,7 +309,7 @@ class xmlclient(Connectible):
|
|||||||
"""
|
"""
|
||||||
if not hasattr(self.conn, '_ServerProxy__transport'):
|
if not hasattr(self.conn, '_ServerProxy__transport'):
|
||||||
return None
|
return None
|
||||||
if isinstance(self.conn._ServerProxy__transport, KerbTransport):
|
if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
|
||||||
scheme = "https"
|
scheme = "https"
|
||||||
else:
|
else:
|
||||||
scheme = "http"
|
scheme = "http"
|
||||||
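Review bot: The `type(...) in (KerbTransport, DelegatedKerbTransport)` test on the new line is both unnecessary and more fragile than what it replaces: DelegatedKerbTransport subclasses KerbTransport, so the original `isinstance(self.conn._ServerProxy__transport, KerbTransport)` already matched it, and the exact-type check now excludes any further subclass. Keeping the `isinstance` form selects the https scheme for every Kerberos transport without having to enumerate them.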
@@ -337,13 +343,17 @@ class xmlclient(Connectible):
|
|||||||
|
|
||||||
return servers
|
return servers
|
||||||
|
|
||||||
def create_connection(self, ccache=None, verbose=False, fallback=True):
|
def create_connection(self, ccache=None, verbose=False, fallback=True,
|
||||||
|
delegate=False):
|
||||||
servers = self.get_url_list()
|
servers = self.get_url_list()
|
||||||
serverproxy = None
|
serverproxy = None
|
||||||
for server in servers:
|
for server in servers:
|
||||||
kw = dict(allow_none=True, encoding='UTF-8')
|
kw = dict(allow_none=True, encoding='UTF-8')
|
||||||
kw['verbose'] = verbose
|
kw['verbose'] = verbose
|
||||||
if server.startswith('https://'):
|
if server.startswith('https://'):
|
||||||
|
if delegate:
|
||||||
|
kw['transport'] = DelegatedKerbTransport()
|
||||||
|
else:
|
||||||
kw['transport'] = KerbTransport()
|
kw['transport'] = KerbTransport()
|
||||||
else:
|
else:
|
||||||
kw['transport'] = LanguageAwareTransport()
|
kw['transport'] = LanguageAwareTransport()
|
||||||
|
|||||||
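Review bot: The new `delegate` parameter on `create_connection` is undocumented — the function has no docstring — and it only has an effect when the server URL starts with `https://`, so a caller passing `delegate=True` against an `http://` server gets a LanguageAwareTransport and silently no delegation; the function body continues below the hunk. A docstring line such as `delegate: forward the user's TGT to the server via DelegatedKerbTransport; ignored for non-https servers` would make this explicit. If the silent ignore is not intended, an explicit log message in the `else` branch when `delegate` is set would surface the mismatch.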