author:    Petr Vobornik <pvoborni@redhat.com>  2017-04-25 17:19:36 +0200
committer: Martin Basti <mbasti@redhat.com>  2017-05-02 13:42:52 +0200
commit:    c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af (patch)
tree:      d4572df882d4c0c4304c022a9295944e913627bd
parent:    e3f849d541e8d054b0932d8ec1bd4c836e53c6f0 (diff)
download:  freeipa-c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af.tar.gz
           freeipa-c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af.tar.xz
           freeipa-c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af.zip
kerberos session: use CA cert with full cert chain for obtaining cookie
The HTTP request performed in finalize_kerberos_acquisition doesn't use the CA certificate/certificate store with the full certificate chain of the IPA server. So it might happen that, in case IPA is installed with an externally signed CA certificate, the call can fail because of certificate validation and e.g. prevent session acquisition. Whether it will fail for sure is not known - the use case was not discovered, but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876

Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--  ipaserver/rpcserver.py | 3
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 161872450..996a3d298 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -602,7 +602,8 @@ class KerberosSession(HTTP_Status):
try:
target = self.api.env.host
r = requests.get('http://{0}/ipa/session/cookie'.format(target),
- auth=NegotiateAuth(target, ccache_name))
+ auth=NegotiateAuth(target, ccache_name),
+ verify=paths.IPA_CA_CRT)
session_cookie = r.cookies.get("ipa_session")
if not session_cookie:
raise ValueError('No session cookie found')
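Review bot: the new `verify=paths.IPA_CA_CRT` argument only governs TLS certificate validation, but the URL on the `requests.get` line is still `http://{0}/ipa/session/cookie`, so it has no effect on the initial plaintext request and only matters if the server redirects it to an https URL (requests follows redirects by default and applies `verify` to each hop). If the goal is to validate the IPA server's certificate chain, request `https://{0}/ipa/session/cookie` directly so that the Negotiate token and the returned `ipa_session` cookie are never exchanged over plain HTTP. Also confirm that `paths` is already imported in `ipaserver/rpcserver.py`: the hunk references it but adds no import.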