From 1e37dbe2c41ff0339873cd2347cb90c39a59d8ed Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 5 Jun 2017 09:50:22 -0400
Subject: [PATCH] Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce
Reviewed-By: Pavel Vomacka
Reviewed-By: Alexander Bokovoy
---
 ipalib/constants.py | 1 +
 ipalib/install/kinit.py | 5 ++++-
 ipaserver/rpcserver.py | 3 ++-
 pylint_plugins.py | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index f8a194c1f559db9aeffef058578d700cde41fd0b..5adff97fbd6ad8ab4cfa5322481be2d9056f925a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -153,6 +153,7 @@ DEFAULT_CONFIG = (
 ('session_auth_duration', '20 minutes'),
 # How a session expiration is computed, see SessionManager.set_session_expiration_time()
 ('session_duration_type', 'inactivity_timeout'),
+ ('kinit_lifetime', None),

 # Debugging:
 ('verbose', 0),
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 73471f103eabfe39580c8fbd0665157f635fa5c5..91ea5132aa1cb1e192af46b4896d55670e375f7a 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):

 def kinit_password(principal, password, ccache_name, config=None,
 armor_ccache_name=None, canonicalize=False,
- enterprise=False):
+ enterprise=False, lifetime=None):
 """
 perform interactive kinit as principal using password.
 If using FAST for web-based authentication, use armor_ccache_path to specify http service
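Review bot: The new `('kinit_lifetime', None)` entry in ipalib/constants.py carries no comment, although the `session_duration_type` entry just above it has one, and the accepted format is stated only in the commit message. Because this value decides how long tickets obtained through password login remain valid, I would document it in place, for example `# Ticket lifetime requested by kinit_password(), in kinit -l syntax; None means -l is not passed`. The DEFAULT_CONFIG tuple starts and ends outside this hunk.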
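Review bot: The docstring of `kinit_password` in ipalib/install/kinit.py is not updated for the new `lifetime=None` parameter; it still describes only the armor ccache. A sentence such as `lifetime, if set, is passed to kinit as the argument of -l (kinit time-duration syntax)` would tell callers which type and format are expected. The docstring and the function body continue past the end of this hunk.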
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
 % armor_ccache_name)
 args.extend(['-T', armor_ccache_name])

+ if lifetime:
+ args.extend(['-l', lifetime])
+
 if canonicalize:
 root_logger.debug("Requesting principal canonicalization")
 args.append('-C')
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 32f286148bbdf294f941116b4bdca85714a52837..2990df25985eab63d4bcfc8edf7f2b12da3e9832 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -969,7 +969,8 @@ class login_password(Backend, KerberosSession):
 password,
 ccache_name,
 armor_ccache_name=armor_path,
- enterprise=True)
+ enterprise=True,
+ lifetime=self.api.env.kinit_lifetime)

 if armor_path:
 self.debug('Cleanup the armor ccache')
diff --git a/pylint_plugins.py b/pylint_plugins.py
index db80efeba8824eb221d988bb494400da173675a9..550f269b308b6c5b21cb13404040aa0934381f0e 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -67,6 +67,7 @@ fake_api_env = {'env': [
 'realm',
 'session_auth_duration',
 'session_duration_type',
+ 'kinit_lifetime',
 ]}

 # this is due ipaserver.rpcserver.KerberosSession where api is undefined
-- 
2.9.4
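Review bot: `lifetime` is appended to the kinit argument list unchecked in the `if lifetime:` branch of ipalib/install/kinit.py, and the only caller shown (the ipaserver/rpcserver.py hunk that follows) passes `self.api.env.kinit_lifetime` straight through, so nothing validates its type or format before every password login depends on it. If the env layer returns a non-string value (a bare number of seconds may be parsed as an integer; this page does not show that layer), the argv element would not be a string, and a malformed value would surface only as a failed kinit at login time. I would coerce it and log it the way the canonicalize branch below does: `root_logger.debug("Requesting ticket lifetime %s", lifetime)` followed by `args.extend(['-l', str(lifetime)])`. The body of `kinit_password` starts and ends outside this hunk.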