author | Simo Sorce <simo@redhat.com> | 2016-12-02 06:48:35 -0500 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | b6741d81e187fc84177c12ef8ad900d3b5cda6a4 (patch) | |
tree | 32e5c708bb5f5c2d3552d34c881facc890ee4cf8 /ipaserver/plugins | |
parent | b109f5d850ce13585d4392ca48896dc069a746e5 (diff) | |
Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/pkinit.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
index 0ad4b8571..b6b3f3882 100644
--- a/ipaserver/plugins/pkinit.py
+++ b/ipaserver/plugins/pkinit.py
@@ -22,6 +22,7 @@ from ipalib import Str
 from ipalib import Object, Command
 from ipalib import _
 from ipalib.plugable import Registry
+from ipalib.constants import ANON_USER
 from ipapython.dn import DN
 __doc__ = _("""
@@ -71,7 +72,7 @@ def valid_arg(ugettext, action):
 class pkinit_anonymous(Command):
 __doc__ = _('Enable or Disable Anonymous PKINIT.')
- princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm
+ princ_name = '%s@%s' % (ANON_USER, api.env.realm)
 default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
 takes_args = ( |
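Review bot: Nothing in the second hunk records that `princ_name` must remain the Kerberos well-known anonymous principal, which the removed literal `'WELLKNOWN/ANONYMOUS@%s'` made explicit. The value of `ANON_USER` is defined in `ipalib/constants.py`, outside this diff, so it is worth confirming that it is unchanged; otherwise `default_dn` resolves to a different entry and this command would enable or disable the wrong principal. Going by the commit message, the framework will rely on the same principal to obtain its FAST armor ccache, so disabling anonymous PKINIT through this command presumably affects that path as well. A comment above the assignment would capture both points, e.g. `# ANON_USER is the well-known anonymous principal; the framework also uses it to obtain its FAST armor ccache`. The body of `pkinit_anonymous` continues past the end of the hunk.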