mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
059a90702e
Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
-
-
Code to be installed on any client that wants to be in an IPA domain. Mostly consists of a tool for Linux systems that will help configure the client so it will work properly in a kerberized environment. It also includes several ways to configure Firefox to do single sign-on. The two methods on the client side are: 1. globalsetup.sh. This modifies the global Firefox installation so that any profiles created will be pre-configured. 2. usersetup.sh. This will update a user's existing profile. The downside of #1 is that an rpm -V will return a failure. It will also need to be run with every update of Firefox. One a profile contains the proper preferences it will be unaffected by upgrades to Firefox. The downside of #2 is that every user would need to run this each time they create a new profile. There is a third, server-side method. See ipa-server/README for details.