diff options
| author | Milan KubĂk <mkubik@redhat.com> | 2016-07-25 13:20:54 +0200 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-07-29 09:04:42 +0200 |
| commit | 8e83b9715a04fab8d7864b6e02e1210df885119c (patch) | |
| tree | 7789b24dbee597755e19385809537dd972290a92 /ipapython | |
| parent | ddb7a08084d69a119abdd39a3c82113bb8586db6 (diff) | |
| download | freeipa-8e83b9715a04fab8d7864b6e02e1210df885119c.tar.gz freeipa-8e83b9715a04fab8d7864b6e02e1210df885119c.tar.xz freeipa-8e83b9715a04fab8d7864b6e02e1210df885119c.zip | |
ipapython: Extend kinit_password to support principal canonicalization
In order to authenticate with a principal alias it is necessary
to request canonicalization of the principal. This patch extends
the kinit_password with this option.
The option to indicate enterprise principal has been added as well.
https://fedorahosted.org/freeipa/ticket/6142
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipapython')
| -rw-r--r-- | ipapython/ipautil.py | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 9964fba4f..17d92b06f 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1328,7 +1328,8 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): def kinit_password(principal, password, ccache_name, config=None, - armor_ccache_name=None): + armor_ccache_name=None, canonicalize=False, + enterprise=False): """ perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service @@ -1341,6 +1342,14 @@ def kinit_password(principal, password, ccache_name, config=None, % armor_ccache_name) args.extend(['-T', armor_ccache_name]) + if canonicalize: + root_logger.debug("Requesting principal canonicalization") + args.append('-C') + + if enterprise: + root_logger.debug("Using enterprise principal") + args.append('-E') + env = {'LC_ALL': 'C'} if config is not None: env['KRB5_CONFIG'] = config |