author    John Dennis <jdennis@redhat.com>    2012-02-06 13:29:56 -0500
committer Endi S. Dewata <edewata@redhat.com> 2012-02-09 13:20:45 -0600
commit    bba4ccb3a01125ebc9f074f624f106905bbb4fed (patch)
tree      f4e2100ac7bba2077597f49e14b45ca49c5b91cb /ipa-client/man
parent    d1e0c1b606fe2a8edce5965cee9ab023a5e27676 (diff)
download  freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.tar.gz
          freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.tar.xz
          freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.zip
add session manager and cache krb auth
This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads a ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertently omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login handler. The login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provided by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session.
* Refactored the WSGI handlers so that json and xmlrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class.
* The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenticated needed error.
* Add documentation to session.py. Fully documents the entire process, got questions, read the doc.
* Add exclusions to make-lint as needed.
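The two pieces of the design that matter most for session security are the parser for the session_auth_duration value and the rule the login handler applies (60 minutes or the TGT expiry, whichever is shorter). The Python below models both as an added, illustrative example; it is not FreeIPA's own ipalib/util.py or krblogin code, and the accepted unit spellings, the function names and the 60-minute default are assumptions taken from the commit message and the man page examples.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit spellings accepted by this illustrative parser. The real
# ipalib.util.parse_time_duration may accept a different set (assumption).
_UNITS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}

# One "<number><unit>" pair; whitespace between number and unit is optional,
# so "2 hours", "1h" and "5min" all match.
_TOKEN = re.compile(r"(\d+)\s*([A-Za-z]+)")

# Characters allowed between pairs: spaces, commas and colons ("1h:30m", "5min, 30sec").
_SEPARATORS = " ,:"


def parse_time_duration(spec):
    """Return the total number of seconds described by a duration spec.

    Accepts the forms the man page gives as examples: "2 hours", "1h:30m",
    "10 minutes", "5min, 30sec". Raises ValueError on anything else, so a
    mistyped config value fails loudly instead of silently becoming zero.
    """
    total = 0
    pos = 0
    for m in _TOKEN.finditer(spec):
        # Anything other than separators between two pairs is a syntax error.
        if spec[pos:m.start()].strip(_SEPARATORS):
            raise ValueError("unexpected text in duration %r" % spec)
        unit = m.group(2).lower()
        if unit not in _UNITS:
            raise ValueError("unknown unit %r in duration %r" % (unit, spec))
        total += int(m.group(1)) * _UNITS[unit]
        pos = m.end()
    if spec[pos:].strip(_SEPARATORS):
        raise ValueError("unexpected text in duration %r" % spec)
    if total <= 0:
        raise ValueError("duration %r must be positive" % spec)
    return total


# Default taken from the commit message ("currently 60 minutes"); the
# config key name is the one the man page hunk documents (assumption).
DEFAULT_SESSION_AUTH_DURATION = "60 minutes"


def session_expiration(now, tgt_endtime, session_auth_duration=DEFAULT_SESSION_AUTH_DURATION):
    """Compute when a session's cached credentials stop being valid.

    The session may not outlive the Kerberos TGT it caches, so the expiry is
    the earlier of (now + session_auth_duration) and the TGT end time.
    """
    by_policy = now + timedelta(seconds=parse_time_duration(session_auth_duration))
    return min(by_policy, tgt_endtime)


def session_is_valid(now, expiration):
    """True while the session has not yet expired; callers must re-authenticate otherwise."""
    return now < expiration


if __name__ == "__main__":
    # Constructed sample: a login at 12:00 UTC with a TGT that ends at 12:45.
    login = datetime(2012, 2, 6, 12, 0, tzinfo=timezone.utc)
    tgt_end = login + timedelta(minutes=45)
    exp = session_expiration(login, tgt_end)  # 12:45, capped by the TGT
    print("session expires at", exp.isoformat())
    print("valid at 12:30?", session_is_valid(login + timedelta(minutes=30), exp))
    print("valid at 12:50?", session_is_valid(login + timedelta(minutes=50), exp))
```

The cap by `tgt_endtime` is the point worth keeping in mind when tuning the config item: raising session_auth_duration never extends a session past the life of the ticket it was created from, and an unparseable value is rejected rather than being treated as zero or as unlimited.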
Diffstat (limited to 'ipa-client/man')
-rw-r--r--  ipa-client/man/default.conf.5  | 49
1 files changed, 42 insertions, 7 deletions
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 938eb2c91..91b535ab8 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -49,11 +49,11 @@ Values should not be quoted, the quotes will not be stripped.
.np
# Wrong \- don't include quotes
- verbose = "9"
+ verbose = "True"
# Right \- Properly formatted options
- verbose = 9
- verbose=9
+ verbose = True
+ verbose=True
.fi
Options must appear in the section named [global]. There are no other sections defined or used currently.
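Review bot: the example block here is opened by `.np` on the first context line and closed by `.fi` on the last, but `.np` is not a man(7) request; the no-fill request that pairs with `.fi` is `.nf`, so unless that is corrected while these lines are being touched the four example lines will be filled into one paragraph when rendered. The updated examples themselves are consistent with verbose becoming a boolean, given that the later hunk in this file removes the `verbose <integer>` entry.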
@@ -80,8 +80,43 @@ Specifies the hostname of the dogtag CA server. The default is the hostname of t
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
.TP
+.B verbose <boolean>
+When True provides more information. Specifically this sets the global log level to "info".
+.TP
.B debug <boolean>
-If True then logging will be much more verbose. Default is False.
+When True provides detailed information. Specifically this set the global log level to "debug". Default is False.
+.TP
+.B log_logger_XXX <comma separated list of regexps>
+loggers matching regexp will be assigned XXX level.
+.IP
+Logger levels can be explicitly specified for specific loggers as
+opposed to a global logging level. Specific loggers are indiciated
+by a list of regular expressions bound to a level. If a logger's
+name matches the regexp then it is assigned that level. This config item
+must begin with "log_logger_level_" and then be
+followed by a symbolic or numeric log level, for example:
+.IP
+ log_logger_level_debug = ipalib\\.dn\\..*
+.IP
+ log_logger_level_35 = ipalib\\.plugins\\.dogtag
+.IP
+The first line says any logger belonging to the ipalib.dn module
+will have it's level configured to debug.
+.IP
+The second line say the ipa.plugins.dogtag logger will be
+configured to level 35.
+.IP
+This config item is useful when you only want to see the log output from
+one or more selected loggers. Turning on the global debug flag will produce
+an enormous amount of output. This allows you to leave the global debug flag
+off and selectively enable output from a specific logger. Typically loggers
+are bound to classes and plugins.
+.IP
+Note: logger names are a dot ('.') separated list forming a path
+in the logger tree. The dot character is also a regular
+expression metacharacter (matches any character) therefore you
+will usually need to escape the dot in the logger names by
+preceeding it with a backslash.
.TP
.B domain <domain>
The domain of the IPA server e.g. example.com.
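Review bot: the option heading `.B log_logger_XXX` does not match the text beneath it, which says the item must begin with "log_logger_level_"; the heading should read `log_logger_level_XXX` so it agrees with the two examples `log_logger_level_debug` and `log_logger_level_35`. The sentence explaining the second example names `ipa.plugins.dogtag` while the regexp is `ipalib\.plugins\.dogtag`; one of the two needs correcting. Wording fixes in the added lines: "this set the global log level" should be "this sets", "indiciated" should be "indicated", "it's level" should be "its level", "The second line say" should be "says", and "preceeding" should be "preceding". The new `verbose <boolean>` entry should also state its default, as the neighbouring `debug` entry does.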
@@ -128,12 +163,12 @@ If the IPA server fails to start and this value is True the server will attempt
.B validate_api <boolean>
Used internally in the IPA source package to verify that the API has not changed. This is used to prevent regressions. If it is true then some errors are ignored so enough of the IPA framework can be loaded to verify all of the API, even if optional components are not installed. The default is False.
.TP
-.B verbose <integer>
-Generates more output. The default is 0 which generates no additional output. On the client a setting of 1 will provide more information on the command and show the servers the client contacts. A setting of 2 or higher will display the XML\-RPC request. This value has no effect on the server.
-.TP
.B xmlrpc_uri <URI>
Specifies the URI of the XML\-RPC server for a client. This is used by IPA and some external tools as well, such as ipa\-getcert. e.g. https://ipa.example.com/ipa/xml
.TP
+.B session_auth_duration <time duration spec>
+Specifies the length of time authentication credentials cached in the session are valid. After the duration expires credentials will be automatically reacquired. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec".
+.TP
The following define the containers for the IPA server. Containers define where in the DIT that objects can be found. The full location is the value of container + basedn.
container_accounts: cn=accounts
container_applications: cn=applications,cn=configs,cn=policies
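Review bot: the new `session_auth_duration` entry gives no default value; the commit message states that the login handler uses 60 minutes or the TGT expiry, whichever is shorter, and both facts belong in the man page so that an administrator configuring a long duration knows the TGT lifetime still caps the session. The entry is also inserted after `xmlrpc_uri`, whereas the surrounding options (`validate_api`, `verbose`, `xmlrpc_uri`) are kept in alphabetical order, so it should move up to sit before `validate_api`. Consider listing the unit words the parser accepts rather than only giving examples, since the four examples use four different spellings ("hours", "h", "minutes", "min") without saying which others are valid.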