Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit. https://pagure.io/freeipa/issue/7001 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-11 00:31:56 -06:00 · 2017-06-05 09:50:22 -04:00 · 2017-06-05 09:50:22 -04:00 · 77db574cca
commit 77db574cca
parent 117d6e9be0
4 changed files with 8 additions and 2 deletions
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -155,6 +155,7 @@ DEFAULT_CONFIG = (
    ('session_auth_duration', '20 minutes'),
    # How a session expiration is computed, see SessionManager.set_session_expiration_time()
    ('session_duration_type', 'inactivity_timeout'),
+    ('kinit_lifetime', None),

    # Debugging:
    ('verbose', 0),
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):

 def kinit_password(principal, password, ccache_name, config=None,
                   armor_ccache_name=None, canonicalize=False,
-                   enterprise=False):
+                   enterprise=False, lifetime=None):
    """
    perform interactive kinit as principal using password. If using FAST for
    web-based authentication, use armor_ccache_path to specify http service
@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
                          % armor_ccache_name)
        args.extend(['-T', armor_ccache_name])

+    if lifetime:
+        args.extend(['-l', lifetime])
+
    if canonicalize:
        root_logger.debug("Requesting principal canonicalization")
        args.append('-C')
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@ -969,7 +969,8 @@ class login_password(Backend, KerberosSession):
                password,
                ccache_name,
                armor_ccache_name=armor_path,
-                enterprise=True)
+                enterprise=True,
+                lifetime=self.api.env.kinit_lifetime)

            if armor_path:
                self.debug('Cleanup the armor ccache')
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@ -69,6 +69,7 @@ fake_api_env = {'env': [
    'realm',
    'session_auth_duration',
    'session_duration_type',
+    'kinit_lifetime',
 ]}

 # this is due ipaserver.rpcserver.KerberosSession where api is undefined