freeipa/ipapython
Fraser Tweedale f94ccca676 Allow CustodiaClient to be used by arbitrary principals
Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab.  Update call sites accordingly.

Also pass the given 'ldap_uri' argument through to IPAKEMKeys
because without it, the client tries to use LDAPI, but may not have
access.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-08 10:16:28 +02:00
dnssec Cosmetic changes to the code 2016-02-24 09:21:30 +01:00
install Py3: do not use dict.iteritems() 2016-02-23 17:14:33 +01:00
secrets Allow CustodiaClient to be used by arbitrary principals 2016-06-08 10:16:28 +02:00
__init__.py Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
admintool.py admintool: Add error message with path to log on failure. 2015-10-15 13:32:13 +02:00
certdb.py certdb: never use the -r option of certutil 2016-03-16 09:35:44 +01:00
certmonger.py Move freeipa certmonger helpers to libexecdir. 2016-02-26 08:29:44 +01:00
config.py Fix: catch Exception instead of more specific exception types 2016-03-22 17:33:02 +01:00
cookie.py cookie parser: do not fail on cookie with empty value 2016-03-01 14:16:08 +01:00
dn.py ipapython.dn: Use rich comparisons 2015-10-07 10:27:20 +02:00
dnsutil.py DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used 2016-05-30 20:14:32 +02:00
dogtag.py Remove workaround for CA running check 2016-01-21 14:09:44 +01:00
errors.py Replace StandardError with Exception 2015-09-30 10:51:36 +02:00
graph.py Use Python3-compatible dict method names 2015-09-01 11:42:01 +02:00
ipa_log_manager.py Use absolute imports 2015-08-12 18:17:23 +02:00
ipa.conf Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
ipaldap.py ipaldap: Convert dict items to list before iterating 2016-05-30 16:44:08 +02:00
ipautil.py Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil 2016-05-30 20:14:32 +02:00
ipavalidate.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
kernel_keyring.py ipautil.run, kernel_keyring: Encoding fixes for Python 3 2016-02-17 10:41:29 +01:00
log_manager.py pylint: remove bare except 2016-03-22 10:20:51 +01:00
Makefile ipapython: port p11helper C code to Python 2016-01-21 10:21:32 +01:00
MANIFEST.in Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
nsslib.py Pylint: remove unnecessary-semicolon 2016-03-22 10:20:51 +01:00
p11helper.py p11helper: Port to Python 3 2016-02-17 10:41:29 +01:00
README Replace DNS client based on acutil with python-dns 2012-05-24 13:55:56 +02:00
setup.py.in Remove unused imports 2015-12-23 07:59:22 +01:00
ssh.py Remove unused imports 2015-12-23 07:59:22 +01:00
sysrestore.py sysrestore: Iterate over a list of dict keys 2016-04-28 16:22:07 +02:00
version.py.in ipalib.version: Add VENDOR_VERSION 2014-05-27 12:08:54 +02:00

This is a set of libraries common to IPA clients and servers, though currently
geared mostly towards command-line tools.

A brief overview:

config.py - identify the IPA server domain and realm. It uses python-dns to
            try to detect this information first and will fall back to
            /etc/ipa/default.conf if that fails.

ipautil.py - helper functions

entity.py - entity is the main data type. User and Group extend this class
            (but don't add anything currently).

ipavalidate.py - basic data validation routines