mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
f94ccca676
Currently CustodiaClient assumes that the client is the host principal, and it is hard-coded to read the host keytab and server keys. For the Lightweight CAs feature, Dogtag on CA replicas will use CustodiaClient to retrieve signing keys from the originating replica. Because this process runs as 'pkiuser', the host keys cannot be used; instead, each Dogtag replica will have a service principal to use for Custodia authentication. Update CustodiaClient to require specifying the client keytab and Custodia keyfile to use, and change the client argument to be a full GSS service name (instead of hard-coding host service) to load from the keytab. Update call sites accordingly. Also pass the given 'ldap_uri' argument through to IPAKEMKeys because without it, the client tries to use LDAPI, but may not have access. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> |
||
---|---|---|
.. | ||
dnssec | ||
install | ||
secrets | ||
__init__.py | ||
admintool.py | ||
certdb.py | ||
certmonger.py | ||
config.py | ||
cookie.py | ||
dn.py | ||
dnsutil.py | ||
dogtag.py | ||
errors.py | ||
graph.py | ||
ipa_log_manager.py | ||
ipa.conf | ||
ipaldap.py | ||
ipautil.py | ||
ipavalidate.py | ||
kernel_keyring.py | ||
log_manager.py | ||
Makefile | ||
MANIFEST.in | ||
nsslib.py | ||
p11helper.py | ||
README | ||
setup.py.in | ||
ssh.py | ||
sysrestore.py | ||
version.py.in |
This is a set of libraries common to IPA clients and servers though mostly geared currently towards command-line tools. A brief overview: config.py - identify the IPA server domain and realm. It uses python-dns to try to detect this information first and will fall back to /etc/ipa/default.conf if that fails. ipautil.py - helper functions entity.py - entity is the main data type. User and Group extend this class (but don't add anything currently). ipavalidate.py - basic data validation routines