authorSimo Sorce <simo@redhat.com>2017-02-20 09:43:55 -0500
committerSimo Sorce <simo@redhat.com>2017-02-20 09:43:55 -0500
commit209888d4f5ec1bf3d61495fe45fcb266dcdf8a04 (patch)
treecbedf71321be12fa0894ad47582affbdb0d93f15
parent6d34c2169fcd520cc726e58e01d008ae3637aad4 (diff)
Cache ldap ticket on first authenticationldapticketcache
This should improve performance on the IPA server, as it will prevent contacting the KDC on each request to get an LDAP ticket. Also restructure kerberos finalization and move password-login-related actions so they are executed only when a password login is actually performed. Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--ipaserver/rpcserver.py44
1 files changed, 28 insertions, 16 deletions
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index f5c520f28..d392fa841 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -594,21 +594,16 @@ class KerberosSession(HTTP_Status):
if headers is None:
headers = []
- # Connect back to ourselves to get mod_auth_gssapi to
- # generate a cookie for us.
- try:
- target = self.api.env.host
- r = requests.get('http://{0}/ipa/session/cookie'.format(target),
- auth=NegotiateAuth(target, ccache_name))
- session_cookie = r.cookies.get("ipa_session")
- if not session_cookie:
- raise ValueError('No session cookie found')
- except Exception as e:
- return self.unauthorized(environ, start_response,
- str(e),
- 'Authentication failed')
-
- headers.append(('IPASESSION', session_cookie))
+ # Obtain a ticket for the LDAP server so that we can cache it.
+ # To do this we start a gssapi context establishment, but never
+ # complete it and just go and save the creds.
+ service_name = gssapi.Name('ldap@%s' % (self.api.env.host,),
+ gssapi.NameType.hostbased_service)
+ store = {'ccache': ccache_name}
+ creds = gssapi.Credentials(store=store, usage='initiate')
+ ctx = gssapi.SecurityContext(name=service_name, creds=creds)
+ ctx.step()
+ creds.store(store=store, usage='initiate', overwrite='True')
start_response(HTTP_STATUS_SUCCESS, headers)
return ['']
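Review bot: `creds.store(store=store, usage='initiate', overwrite='True')` passes the string 'True' where gssapi's Credentials.store takes a boolean; it is truthy so it works today, but it reads like a typo and the same mistake with 'False' would silently overwrite, so change it to `overwrite=True`. The gssapi calls on the new side (Name, Credentials, SecurityContext.step, store) also run without the try/except that the removed requests-based block had, so if the KDC is unreachable or the ldap@host principal cannot be resolved the GSSError presumably propagates out of this method instead of yielding the 401 the old code returned; consider wrapping them in `try: ... except gssapi.exceptions.GSSError as e: return self.unauthorized(environ, start_response, str(e), 'Authentication failed')`. A short comment stating that `ctx.step()` is intentionally called only once, so the context is never established and no mutual authentication happens, and that its sole purpose is to get the ldap service ticket into the ccache before `creds.store` persists it, would help the next reader. The enclosing method's signature lies above the hunk.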
@@ -934,9 +929,26 @@ class login_password(Backend, KerberosSession):
str(e),
'user-locked')
+ # Connect back to ourselves to get mod_auth_gssapi to
+ # generate a cookie for us.
+ try:
+ target = self.api.env.host
+ r = requests.get('http://{0}/ipa/session/cookie'.format(target),
+ auth=NegotiateAuth(target, ipa_ccache_name))
+ session_cookie = r.cookies.get("ipa_session")
+ if not session_cookie:
+ raise ValueError('No session cookie found')
+ except Exception as e:
+ return self.unauthorized(environ, start_response,
+ str(e),
+ 'Authentication failed')
+
+ headers = [('IPASESSION', session_cookie)]
+
result = self.finalize_kerberos_acquisition('login_password',
ipa_ccache_name, environ,
- start_response)
+ start_response,
+ headers=headers)
try:
# Try not to litter the filesystem with unused TGTs
os.unlink(ipa_ccache_name)