authorrcritten@redhat.com <rcritten@redhat.com>2007-09-14 17:19:02 -0400
committerrcritten@redhat.com <rcritten@redhat.com>2007-09-14 17:19:02 -0400
commitb85668579ec3fc69c2ed709533f8bd8d00e0e7e9 (patch)
treeec8aede13ba1c8cee4c26589bec578a25a148893 /ipa-server/xmlrpc-server
parented6ab17c9c703edb43c92a3205c5536771ce4d4f (diff)
Use ticket forwarding with TurboGears. mod_proxy forwards the principal
name and the location of the Kerberos credentials cache (KRB5CCNAME). In order for this credentials cache to be usable, TurboGears and Apache will need to run as the same user. We will also need to listen only on localhost in TG.
Diffstat (limited to 'ipa-server/xmlrpc-server')
-rw-r--r--ipa-server/xmlrpc-server/funcs.py42
-rw-r--r--ipa-server/xmlrpc-server/ipa.conf1
-rw-r--r--ipa-server/xmlrpc-server/ipaxmlrpc.py2
3 files changed, 24 insertions, 21 deletions
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 79dd04d6..7fc2327b 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -49,7 +49,7 @@ class IPAConnPool:
def __init__(self):
self.freelist = []
- def getConn(self, host, port, bindca, bindcert, bindkey, proxydn=None, keytab=None):
+ def getConn(self, host, port, bindca, bindcert, bindkey, proxydn=None, krbccache=None):
conn = None
if len(self.freelist) > 0:
for i in range(len(self.freelist)):
@@ -62,12 +62,12 @@ class IPAConnPool:
if proxydn is not None:
conn.set_proxydn(proxydn)
else:
- conn.set_keytab(keytab)
+ conn.set_krbccache(krbccache)
return conn
def releaseConn(self, conn):
# We can't re-use SASL connections. If proxydn is None it means
- # we have a keytab set. See ipaldap.set_keytab
+ # we have a Kerberos credentails cache set. See ipaldap.set_krbccache
if conn.proxydn is None:
conn.unbind_s()
else:
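Review bot: The rewritten comment above the `if conn.proxydn is None:` check misspells "credentials" as `credentails`; it should read `# we have a Kerberos credentials cache set. See ipaldap.set_krbccache`. releaseConn's body continues outside the hunk.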
@@ -91,13 +91,13 @@ class IPAServer:
self.basedn = ipa.ipautil.realm_to_suffix(ipa.config.config.get_realm())
self.scope = ldap.SCOPE_SUBTREE
self.princ = None
- self.keytab = None
+ self.krbccache = None
def set_principal(self, princ):
self.princ = princ
- def set_keytab(self, keytab):
- self.keytab = keytab
+ def set_krbccache(self, krbccache):
+ self.krbccache = krbccache
def get_dn_from_principal(self, princ):
"""Given a kerberos principal get the LDAP uid"""
@@ -115,43 +115,45 @@ class IPAServer:
def __setup_connection(self, opts):
"""Set up common things done in the connection.
- If there is a keytab then return None as the proxy dn and the keytab
- otherwise return the proxy dn and None as the keytab.
+ If there is a Kerberos credentials cache then return None as the
+ proxy dn and the ccache otherwise return the proxy dn and None as
+ the ccache.
We only want one or the other used at one time and we prefer
- the keytab. So if there is a keytab, return that and None for
- proxy dn to make calling getConn() easier.
+ the Kerberos credentials cache. So if there is a ccache, return
+ that and None for proxy dn to make calling getConn() easier.
"""
if opts:
- if opts.get('keytab'):
- self.set_keytab(opts['keytab'])
+ if opts.get('krbccache'):
+ self.set_krbccache(opts['krbccache'])
self.set_principal(None)
else:
- self.set_keytab(None)
+ self.set_krbccache(None)
self.set_principal(opts['remoteuser'])
else:
- self.set_keytab(None)
- # The caller should have already set the principal
+ # The caller should have already set the principal or the
+ # krbccache. If not they'll get an authentication error later.
+ pass
if self.princ is not None:
return self.get_dn_from_principal(self.princ), None
else:
- return None, self.keytab
+ return None, self.krbccache
def getConnection(self, opts):
"""Wrapper around IPAConnPool.getConn() so we don't have to pass
around self.* every time a connection is needed.
- For SASL connections (where we have a keytab) we can't set
+ For SASL connections (where we have a krbccache) we can't set
the SSL variables for certificates. It confuses the ldap
module.
"""
global _LDAPPool
- (proxy_dn, keytab) = self.__setup_connection(opts)
+ (proxy_dn, krbccache) = self.__setup_connection(opts)
- if keytab is not None:
+ if krbccache is not None:
bindca = None
bindcert = None
bindkey = None
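Review bot: With the `else` branch of `__setup_connection` reduced to `pass`, a call with empty `opts` now leaves both `self.princ` and `self.krbccache` holding whatever a previous call set, whereas before this change the keytab was at least cleared so only the principal path could be taken. If the IPAServer instance is shared across requests (not visible in this hunk), a later call that arrives without `opts` could be served with a ccache that was forwarded for a different user. The cheapest fix is to clear the per-request state once the connection is handed back, e.g. in `releaseConnection` add `self.set_krbccache(None)` and `self.set_principal(None)` after `_LDAPPool.releaseConn(conn)`, or state in the docstring that callers must always pass `opts` so the stale values are never consulted. `getConnection` continues past the end of this hunk.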
@@ -162,7 +164,7 @@ class IPAServer:
bindkey = self.bindkey
port = self.sslport
- return _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,keytab)
+ return _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,krbccache)
def releaseConnection(self, conn):
global _LDAPPool
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index 30a7655a..784f2617 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -27,6 +27,7 @@ ProxyRequests Off
RewriteCond %{IS_SUBREQ}% false
RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
RequestHeader set X-Forwarded-User %{RU}e
+ RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
# RequestHeader unset Authorization
</Proxy>
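Review bot: The new `RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e` forwards a credentials-cache path, not a keytab, while the rest of this commit renames keytab to krbccache on the Python side; naming it `X-Forwarded-Ccache` (or similar) keeps the two ends consistent. When `KRB5CCNAME` is not set for a request, mod_headers typically expands `%{VAR}e` to the literal string `(null)` rather than omitting the header, so the consumer must treat that value as "no ccache" instead of a path. Since the backend picks which credentials to use from this header, anything that can reach the TurboGears listener directly — including other local processes once it listens on localhost as the commit message describes — can name an arbitrary ccache path; a check that the forwarded path lies under the expected mod_auth_kerb ccache directory would narrow that. The enclosing `<Proxy>` block starts outside the hunk.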
diff --git a/ipa-server/xmlrpc-server/ipaxmlrpc.py b/ipa-server/xmlrpc-server/ipaxmlrpc.py
index a4ae4e7c..861de8e5 100644
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py
@@ -138,7 +138,7 @@ class ModXMLRPCRequestHandler(object):
opts['remoteuser'] = req.user
if req.subprocess_env.get("KRB5CCNAME") is not None:
- opts['keytab'] = req.subprocess_env.get("KRB5CCNAME")
+ opts['krbccache'] = req.subprocess_env.get("KRB5CCNAME")
# Tack onto the end of the passed-in arguments any options we also
# need