author | Martin Babinsky <mbabinsk@redhat.com> | 2015-03-16 16:43:10 +0100 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-04-20 08:27:35 +0000 |
commit | 3d2feac0e416c66ba37eee53ef5b3833c2c3e414 (patch) | |
tree | 77d8907c8dbba8db76db3cac3b9be09ffc970f01 /ipaserver | |
parent | a8e30e96716992e4160abdb7ac5995bb75e54eae (diff) | |
Adopted kinit_keytab and kinit_password for kerberos auth
Calls to ipautil.run using kinit were replaced with calls to the
kinit_keytab/kinit_password functions implemented in PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/rpcserver.py | 48 |
1 files changed, 22 insertions, 26 deletions
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 4173ed918..2f771a0d1 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -30,6 +30,7 @@ import datetime
 import urlparse
 import json
 import traceback
+from krbV import Krb5Error
 import ldap.controls
 from pyasn1.type import univ, namedtype
@@ -958,8 +959,8 @@ class login_password(Backend, KerberosSession, HTTP_Status):
     def kinit(self, user, realm, password, ccache_name):
         # get http service ccache as an armor for FAST to enable OTP authentication
-        armor_principal = krb5_format_service_principal_name(
-            'HTTP', self.api.env.host, realm)
+        armor_principal = str(krb5_format_service_principal_name(
+            'HTTP', self.api.env.host, realm))
         keytab = paths.IPA_KEYTAB
         armor_name = "%sA_%s" % (krbccache_prefix, user)
         armor_path = os.path.join(krbccache_dir, armor_name)
@@ -967,34 +968,29 @@ class login_password(Backend, KerberosSession, HTTP_Status):
         self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s',
                    armor_principal, keytab, armor_path)
-        (stdout, stderr, returncode) = ipautil.run(
-            [paths.KINIT, '-kt', keytab, armor_principal],
-            env={'KRB5CCNAME': armor_path}, raiseonerr=False)
-
-        if returncode != 0:
-            raise CCacheError()
+        try:
+            ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)
+        except Krb5Error as e:
+            raise CCacheError(str(e))
         # Format the user as a kerberos principal
         principal = krb5_format_principal_name(user, realm)
-        (stdout, stderr, returncode) = ipautil.run(
-            [paths.KINIT, principal, '-T', armor_path],
-            env={'KRB5CCNAME': ccache_name, 'LC_ALL': 'C'},
-            stdin=password, raiseonerr=False)
-
-        self.debug('kinit: principal=%s returncode=%s, stderr="%s"',
-                   principal, returncode, stderr)
-
-        self.debug('Cleanup the armor ccache')
-        ipautil.run(
-            [paths.KDESTROY, '-A', '-c', armor_path],
-            env={'KRB5CCNAME': armor_path},
-            raiseonerr=False)
-
-        if returncode != 0:
-            if stderr.strip() == 'kinit: Cannot read password while getting initial credentials':
-                raise PasswordExpired(principal=principal, message=unicode(stderr))
-            raise InvalidSessionPassword(principal=principal, message=unicode(stderr))
+        try:
+            ipautil.kinit_password(principal, password, ccache_name,
+                                   armor_ccache_name=armor_path)
+
+            self.debug('Cleanup the armor ccache')
+            ipautil.run(
+                [paths.KDESTROY, '-A', '-c', armor_path],
+                env={'KRB5CCNAME': armor_path},
+                raiseonerr=False)
+        except RuntimeError as e:
+            if ('kinit: Cannot read password while '
+                'getting initial credentials') in str(e):
+                raise PasswordExpired(principal=principal, message=unicode(e))
+            raise InvalidSessionPassword(principal=principal,
+                                         message=unicode(e))
 class change_password(Backend, HTTP_Status):
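Review bot: The kdestroy cleanup of the armor ccache now runs only on the success path, because it sits inside the `try` after `ipautil.kinit_password`; when kinit_password raises RuntimeError (the path that ends in PasswordExpired or InvalidSessionPassword) the ccache at armor_path is left on disk, whereas the removed code ran kdestroy unconditionally before inspecting returncode. Every failed login therefore leaves behind a FAST armor cache holding the HTTP service's credentials until something else removes it, and the per-user armor_name means these can accumulate. Moving the cleanup into a `finally:` clause restores the old guarantee without changing the exception mapping. As a smaller point, `ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)` bypasses the local `keytab` that the preceding debug line logs; passing `keytab` keeps the call and the log message in step. kinit begins in the previous hunk, so its signature is outside this one.
```python
        try:
            ipautil.kinit_password(principal, password, ccache_name,
                                   armor_ccache_name=armor_path)
        except RuntimeError as e:
            # … unchanged: RuntimeError -> PasswordExpired / InvalidSessionPassword mapping …
            raise InvalidSessionPassword(principal=principal,
                                         message=unicode(e))
        finally:
            self.debug('Cleanup the armor ccache')
            ipautil.run(
                [paths.KDESTROY, '-A', '-c', armor_path],
                env={'KRB5CCNAME': armor_path},
                raiseonerr=False)
```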