kerberos session: use CA cert with full cert chain for obtaining cookie

HTTP request performed in finalize_kerberos_acquisition doesn't use
CA certificate/certificate store with full certificate chain of IPA server.
So it might happen that in case that IPA is installed with externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

Whether it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876

Reviewed-By: Martin Basti <mbasti@redhat.com>
Petr Vobornik 2017-04-25 17:19:36 +02:00 committed by Martin Basti
parent e3f849d541
commit c19196a0d3


@ -602,7 +602,8 @@ class KerberosSession(HTTP_Status):
try: try:
target = self.api.env.host target = self.api.env.host
r = requests.get('http://{0}/ipa/session/cookie'.format(target), r = requests.get('http://{0}/ipa/session/cookie'.format(target),
auth=NegotiateAuth(target, ccache_name)) auth=NegotiateAuth(target, ccache_name),
verify=paths.IPA_CA_CRT)
session_cookie = r.cookies.get("ipa_session") session_cookie = r.cookies.get("ipa_session")
if not session_cookie: if not session_cookie:
raise ValueError('No session cookie found') raise ValueError('No session cookie found')
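Review bot: The URL on the `requests.get(...)` line is still `http://{0}/ipa/session/cookie`, so the added `verify=paths.IPA_CA_CRT` only takes effect if the server redirects the request to HTTPS; the first hop is plain HTTP and is not covered by certificate validation at all. Consider requesting `https://` directly so the CA bundle is applied to every connection this call makes. The commit message relies on `paths.IPA_CA_CRT` containing the full chain for an externally signed CA, which is not visible in this hunk; a short comment next to the `verify=` argument stating that expectation would help the next reader.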