3 files changed, 24 insertions, 21 deletions

diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 79dd04d67..7fc2327b3 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -49,7 +49,7 @@ class IPAConnPool:
     def __init__(self):
         self.freelist = []
 
-    def getConn(self, host, port, bindca, bindcert, bindkey, proxydn=None, keytab=None):
+    def getConn(self, host, port, bindca, bindcert, bindkey, proxydn=None, krbccache=None):
         conn = None
         if len(self.freelist) > 0:
             for i in range(len(self.freelist)):
@@ -62,12 +62,12 @@ class IPAConnPool:
         if proxydn is not None:
             conn.set_proxydn(proxydn)
         else:
-            conn.set_keytab(keytab)
+            conn.set_krbccache(krbccache)
         return conn
 
     def releaseConn(self, conn):
         # We can't re-use SASL connections. If proxydn is None it means
-        # we have a keytab set. See ipaldap.set_keytab
+        # we have a Kerberos credentails cache set. See ipaldap.set_krbccache
         if conn.proxydn is None:
             conn.unbind_s()
         else:
@@ -91,13 +91,13 @@ class IPAServer:
         self.basedn = ipa.ipautil.realm_to_suffix(ipa.config.config.get_realm())
         self.scope = ldap.SCOPE_SUBTREE
         self.princ = None
-        self.keytab = None
+        self.krbccache = None
 
     def set_principal(self, princ):
         self.princ = princ
 
-    def set_keytab(self, keytab):
-        self.keytab = keytab
+    def set_krbccache(self, krbccache):
+        self.krbccache = krbccache
     
     def get_dn_from_principal(self, princ):
         """Given a kerberos principal get the LDAP uid"""
@@ -115,43 +115,45 @@ class IPAServer:
 
     def __setup_connection(self, opts):
         """Set up common things done in the connection.
-           If there is a keytab then return None as the proxy dn and the keytab
-           otherwise return the proxy dn and None as the keytab.
+           If there is a Kerberos credentials cache then return None as the
+           proxy dn and the ccache otherwise return the proxy dn and None as
+           the ccache.
 
            We only want one or the other used at one time and we prefer
-           the keytab. So if there is a keytab, return that and None for
-           proxy dn to make calling getConn() easier.
+           the Kerberos credentials cache. So if there is a ccache, return
+           that and None for proxy dn to make calling getConn() easier.
         """
 
         if opts:
-            if opts.get('keytab'):
-                self.set_keytab(opts['keytab'])
+            if opts.get('krbccache'):
+                self.set_krbccache(opts['krbccache'])
                 self.set_principal(None)
             else:
-                self.set_keytab(None)
+                self.set_krbccache(None)
                 self.set_principal(opts['remoteuser'])
         else:
-            self.set_keytab(None)
-            # The caller should have already set the principal
+            # The caller should have already set the principal or the
+            # krbccache. If not they'll get an authentication error later.
+            pass
 
         if self.princ is not None:
             return self.get_dn_from_principal(self.princ), None
         else:
-            return None, self.keytab
+            return None, self.krbccache
 
     def getConnection(self, opts):
         """Wrapper around IPAConnPool.getConn() so we don't have to pass
            around self.* every time a connection is needed.
 
-           For SASL connections (where we have a keytab) we can't set
+           For SASL connections (where we have a krbccache) we can't set
            the SSL variables for certificates. It confuses the ldap
            module.
         """
         global _LDAPPool
 
-        (proxy_dn, keytab) = self.__setup_connection(opts)
+        (proxy_dn, krbccache) = self.__setup_connection(opts)
 
-        if keytab is not None:
+        if krbccache is not None:
             bindca = None
             bindcert = None
             bindkey = None
@@ -162,7 +164,7 @@ class IPAServer:
             bindkey = self.bindkey
             port = self.sslport
 
-        return _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,keytab)
+        return _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,krbccache)
 
     def releaseConnection(self, conn):
         global _LDAPPool
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index 30a7655a6..784f26173 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -27,6 +27,7 @@ ProxyRequests Off
   RewriteCond %{IS_SUBREQ}% false
   RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
   RequestHeader set X-Forwarded-User %{RU}e
+  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
 
   # RequestHeader unset Authorization
 </Proxy>
diff --git a/ipa-server/xmlrpc-server/ipaxmlrpc.py b/ipa-server/xmlrpc-server/ipaxmlrpc.py
index a4ae4e7c0..861de8e5c 100644
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py
@@ -138,7 +138,7 @@ class ModXMLRPCRequestHandler(object):
         opts['remoteuser'] = req.user
 
         if req.subprocess_env.get("KRB5CCNAME") is not None:
-            opts['keytab'] = req.subprocess_env.get("KRB5CCNAME")
+            opts['krbccache'] = req.subprocess_env.get("KRB5CCNAME")
 
         # Tack onto the end of the passed-in arguments any options we also
         # need