diff options
| author | Martin Kosek <mkosek@redhat.com> | 2013-01-31 17:18:35 +0100 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-02-01 08:13:50 +0100 |
| commit | 893064f6132a9cbcfa35f6eca8964c69caad533e (patch) | |
| tree | 25a270b1bfe0e079911d58fc97d369729eba0bed /ipaserver/plugins/ldap2.py | |
| parent | 3ad8d7c1fb1e65de8d88c494ca75a8c5c283a472 (diff) | |
| download | freeipa-893064f6132a9cbcfa35f6eca8964c69caad533e.tar.gz freeipa-893064f6132a9cbcfa35f6eca8964c69caad533e.tar.xz freeipa-893064f6132a9cbcfa35f6eca8964c69caad533e.zip | |
Use fully qualified CCACHE names
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.
We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.
https://fedorahosted.org/freeipa/ticket/3381
Diffstat (limited to 'ipaserver/plugins/ldap2.py')
| -rw-r--r-- | ipaserver/plugins/ldap2.py | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 2dd3f4784..908a101eb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -788,7 +788,7 @@ class ldap2(CrudBackend): Keyword arguments: ldapuri -- the LDAP server to connect to - ccache -- Kerberos V5 ccache name + ccache -- Kerberos V5 ccache object or name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option @@ -826,10 +826,19 @@ class ldap2(CrudBackend): if maxssf < minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) if ccache is not None: + if isinstance(ccache, krbV.CCache): + principal = ccache.principal().name + # Get a fully qualified CCACHE name (schema+name) + # As we do not use the krbV.CCache object later, + # we can safely overwrite it + ccache = "%(type)s:%(name)s" % dict(type=ccache.type, + name=ccache.name) + else: + principal = krbV.CCache(name=ccache, + context=krbV.default_context()).principal().name + os.environ['KRB5CCNAME'] = ccache conn.sasl_interactive_bind_s(None, SASL_AUTH) - principal = krbV.CCache(name=ccache, - context=krbV.default_context()).principal().name setattr(context, 'principal', principal) else: # no kerberos ccache, use simple bind or external sasl |