Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Simo Sorce
2017-06-05 09:50:22 -04:00
committed by Martin Basti
parent 117d6e9be0
commit 77db574cca
4 changed files with 8 additions and 2 deletions


@@ -155,6 +155,7 @@ DEFAULT_CONFIG = (
('session_auth_duration', '20 minutes'), ('session_auth_duration', '20 minutes'),
# How a session expiration is computed, see SessionManager.set_session_expiration_time() # How a session expiration is computed, see SessionManager.set_session_expiration_time()
('session_duration_type', 'inactivity_timeout'), ('session_duration_type', 'inactivity_timeout'),
('kinit_lifetime', None),
# Debugging: # Debugging:
('verbose', 0), ('verbose', 0),
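Review bot: The new `('kinit_lifetime', None)` entry carries no comment, unlike the session settings just above it, so a reader of DEFAULT_CONFIG cannot tell what format the value takes or what None means. Suggest adding above it `# Ticket lifetime for password logins, in kinit -l syntax; None leaves the kinit default`. From the visible lines the setting looks separate from `session_auth_duration`. If so, the comment could also say that a longer lifetime extends how long a copied credential cache stays usable.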


@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
def kinit_password(principal, password, ccache_name, config=None, def kinit_password(principal, password, ccache_name, config=None,
armor_ccache_name=None, canonicalize=False, armor_ccache_name=None, canonicalize=False,
enterprise=False): enterprise=False, lifetime=None):
""" """
perform interactive kinit as principal using password. If using FAST for perform interactive kinit as principal using password. If using FAST for
web-based authentication, use armor_ccache_path to specify http service web-based authentication, use armor_ccache_path to specify http service
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
% armor_ccache_name) % armor_ccache_name)
args.extend(['-T', armor_ccache_name]) args.extend(['-T', armor_ccache_name])
if lifetime:
args.extend(['-l', lifetime])
if canonicalize: if canonicalize:
root_logger.debug("Requesting principal canonicalization") root_logger.debug("Requesting principal canonicalization")
args.append('-C') args.append('-C')
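Review bot: The new `lifetime` value goes into the kinit argument list unchecked at `args.extend(['-l', lifetime])`, and the caller takes it straight from configuration. If the config layer returns a non-string (for example a purely numeric setting parsed as an integer, which is not visible here and worth confirming), the argv list would contain a non-string element; `args.extend(['-l', str(lifetime)])` avoids that. A malformed value would make every password login fail at kinit, so validating the format where the setting is loaded is worth considering. The docstring also does not mention the new parameter; a line such as `lifetime: ticket lifetime in kinit -l syntax; None or empty keeps the default` would cover it. kinit_password's body starts and ends outside these hunks.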


@@ -969,7 +969,8 @@ class login_password(Backend, KerberosSession):
password, password,
ccache_name, ccache_name,
armor_ccache_name=armor_path, armor_ccache_name=armor_path,
enterprise=True) enterprise=True,
lifetime=self.api.env.kinit_lifetime)
if armor_path: if armor_path:
self.debug('Cleanup the armor ccache') self.debug('Cleanup the armor ccache')


@@ -69,6 +69,7 @@ fake_api_env = {'env': [
'realm', 'realm',
'session_auth_duration', 'session_auth_duration',
'session_duration_type', 'session_duration_type',
'kinit_lifetime',
]} ]}
# this is due ipaserver.rpcserver.KerberosSession where api is undefined # this is due ipaserver.rpcserver.KerberosSession where api is undefined