author | Simo Sorce <simo@redhat.com> | 2016-12-01 11:37:20 -0500 |
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | 38c66896de1769077cd5b057133606ec5eeaf62b (patch) | |
tree | 579031e3d54e8aec702abd60a39fbaff9f8f3209 /ipaserver/rpcserver.py | |
parent | c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a (diff) | |
Generate tmpfiles config at install time
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code, also rationalize the directory structure and
move it from the http rundir to the ipa-specific rundir.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/rpcserver.py')
-rw-r--r-- | ipaserver/rpcserver.py | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 2b1e42bf6..34106ee86 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -53,9 +53,6 @@ from ipalib.rpc import (xml_dumps, xml_loads,
 from ipalib.util import normalize_name
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.session import (
-    get_ipa_ccache_name,
-    krbccache_dir, krbccache_prefix)
 from ipalib.backend import Backend
 from ipalib.krb_utils import (
     krb5_format_principal_name,
@@ -913,7 +910,13 @@ class login_password(Backend, KerberosSession):
             return self.bad_request(environ, start_response, "no password specified")
 
         # Get the ccache we'll use and attempt to get credentials in it with user,password
-        ipa_ccache_name = get_ipa_ccache_name()
+        ipa_ccache_name = os.path.join(paths.IPA_CCACHES,
+                                       'kinit_{}'.format(os.getpid()))
+        try:
+            # try to remove in case an old file was there
+            os.unlink(ipa_ccache_name)
+        except OSError:
+            pass
         try:
             self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
         except PasswordExpired as e:
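Review bot: Deriving the credential cache name from the process id on the added `ipa_ccache_name` line means two logins handled concurrently by the same server process share one file, and the `os.unlink` that follows would then delete a ccache another request is still filling; whether this can occur depends on how many threads the WSGI process runs, which this hunk does not show. A per-request name from `fd, ipa_ccache_name = tempfile.mkstemp(prefix='kinit_', dir=paths.IPA_CCACHES)` followed by `os.close(fd)` gives each login its own file and removes the need for the pre-emptive unlink, provided the subsequent ccache initialisation tolerates a pre-existing empty file, which should be confirmed. The armor ccache in the kinit hunk below (`armor_path` built from `"armor_{}".format(os.getpid())`) has the same per-process naming and would benefit from the same treatment. The login_password method body starts before and continues after this hunk.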
@@ -931,15 +934,23 @@ class login_password(Backend, KerberosSession):
                 str(e),
                 'user-locked')
 
-        return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
+        result = self.finalize_kerberos_acquisition('login_password',
+                                                    ipa_ccache_name, environ,
+                                                    start_response)
+        try:
+            # Try not to litter the filesystem with unused TGTs
+            os.unlink(ipa_ccache_name)
+        except OSError:
+            pass
+        return result
 
     def kinit(self, user, realm, password, ccache_name):
         # get http service ccache as an armor for FAST to enable OTP authentication
         armor_principal = str(krb5_format_service_principal_name(
             'HTTP', self.api.env.host, realm))
         keytab = paths.IPA_KEYTAB
-        armor_name = "%sA_%s" % (krbccache_prefix, user)
-        armor_path = os.path.join(krbccache_dir, armor_name)
+        armor_path = os.path.join(paths.IPA_CCACHES,
+                                  "armor_{}".format(os.getpid()))
         self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s',
                    armor_principal, keytab, armor_path)