ipapython: Extend kinit_password to support principal canonicalization

In order to authenticate with a principal alias it is necessary to request canonicalization of the principal. This patch extends the kinit_password with this option. The option to indicate enterprise principal has been added as well. https://fedorahosted.org/freeipa/ticket/6142 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-07-25 13:20:54 +02:00 · 2016-07-25 13:20:54 +02:00 · 8e83b9715a
commit 8e83b9715a
parent ddb7a08084
1 changed files with 10 additions and 1 deletions
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@ -1328,7 +1328,8 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):


 def kinit_password(principal, password, ccache_name, config=None,
-                   armor_ccache_name=None):
+                   armor_ccache_name=None, canonicalize=False,
+                   enterprise=False):
    """
    perform interactive kinit as principal using password. If using FAST for
    web-based authentication, use armor_ccache_path to specify http service
@ -1341,6 +1342,14 @@ def kinit_password(principal, password, ccache_name, config=None,
                          % armor_ccache_name)
        args.extend(['-T', armor_ccache_name])

+    if canonicalize:
+        root_logger.debug("Requesting principal canonicalization")
+        args.append('-C')
+
+    if enterprise:
+        root_logger.debug("Using enterprise principal")
+        args.append('-E')
+
    env = {'LC_ALL': 'C'}
    if config is not None:
        env['KRB5_CONFIG'] = config