diff options
| author | John Dennis <jdennis@redhat.com> | 2012-02-25 13:39:19 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-27 05:57:43 -0500 |
| commit | ee780df13c99a5465cd6df965772260c297a5eb2 (patch) | |
| tree | 8f215388e7642ca590aa7d0c432f7591653843df /ipalib/errors.py | |
| parent | 059a90702e454b99490031bd37541304e65d35d2 (diff) | |
| download | freeipa-ee780df13c99a5465cd6df965772260c297a5eb2.tar.gz freeipa-ee780df13c99a5465cd6df965772260c297a5eb2.tar.xz freeipa-ee780df13c99a5465cd6df965772260c297a5eb2.zip | |
Implement password based session login
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
Diffstat (limited to 'ipalib/errors.py')
| -rw-r--r-- | ipalib/errors.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py index bdc4a5e73..df4ab4167 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -612,6 +612,13 @@ class SessionError(AuthenticationError): format= _('Session error') +class InvalidSessionPassword(SessionError): + """ + **1201** Raised when we cannot obtain a TGT for a principal. + """ + errno = 1201 + format= _('Principal %(principal)s cannot be authenticated: %(message)s') + ############################################################################## # 2000 - 2999: Authorization errors class AuthorizationError(PublicError): |