|
 |
ac7d03 |
From 1e37dbe2c41ff0339873cd2347cb90c39a59d8ed Mon Sep 17 00:00:00 2001
|
|
|
ac7d03 |
From: Simo Sorce <simo@redhat.com>
|
|
|
ac7d03 |
Date: Mon, 5 Jun 2017 09:50:22 -0400
|
|
|
ac7d03 |
Subject: [PATCH] Add code to be able to set default kinit lifetime
|
|
|
ac7d03 |
|
|
|
ac7d03 |
This is done by setting the kinit_lifetime option in default.conf
|
|
|
ac7d03 |
to a value that can be passed in with the -l option syntax of kinit.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
https://pagure.io/freeipa/issue/7001
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
ac7d03 |
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
|
|
ac7d03 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
ac7d03 |
---
|
|
|
ac7d03 |
ipalib/constants.py | 1 +
|
|
|
ac7d03 |
ipalib/install/kinit.py | 5 ++++-
|
|
|
ac7d03 |
ipaserver/rpcserver.py | 3 ++-
|
|
|
ac7d03 |
pylint_plugins.py | 1 +
|
|
|
ac7d03 |
4 files changed, 8 insertions(+), 2 deletions(-)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
|
|
ac7d03 |
index f8a194c1f559db9aeffef058578d700cde41fd0b..5adff97fbd6ad8ab4cfa5322481be2d9056f925a 100644
|
|
|
ac7d03 |
--- a/ipalib/constants.py
|
|
|
ac7d03 |
+++ b/ipalib/constants.py
|
|
|
ac7d03 |
@@ -153,6 +153,7 @@ DEFAULT_CONFIG = (
|
|
|
ac7d03 |
('session_auth_duration', '20 minutes'),
|
|
|
ac7d03 |
# How a session expiration is computed, see SessionManager.set_session_expiration_time()
|
|
|
ac7d03 |
('session_duration_type', 'inactivity_timeout'),
|
|
|
ac7d03 |
+ ('kinit_lifetime', None),
|
|
|
ac7d03 |
|
|
|
ac7d03 |
# Debugging:
|
|
|
ac7d03 |
('verbose', 0),
|
|
|
ac7d03 |
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
|
|
|
ac7d03 |
index 73471f103eabfe39580c8fbd0665157f635fa5c5..91ea5132aa1cb1e192af46b4896d55670e375f7a 100644
|
|
|
ac7d03 |
--- a/ipalib/install/kinit.py
|
|
|
ac7d03 |
+++ b/ipalib/install/kinit.py
|
|
|
ac7d03 |
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def kinit_password(principal, password, ccache_name, config=None,
|
|
|
ac7d03 |
armor_ccache_name=None, canonicalize=False,
|
|
|
ac7d03 |
- enterprise=False):
|
|
|
ac7d03 |
+ enterprise=False, lifetime=None):
|
|
|
ac7d03 |
"""
|
|
|
ac7d03 |
perform interactive kinit as principal using password. If using FAST for
|
|
|
ac7d03 |
web-based authentication, use armor_ccache_path to specify http service
|
|
|
ac7d03 |
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
|
|
|
ac7d03 |
% armor_ccache_name)
|
|
|
ac7d03 |
args.extend(['-T', armor_ccache_name])
|
|
|
ac7d03 |
|
|
|
ac7d03 |
+ if lifetime:
|
|
|
ac7d03 |
+ args.extend(['-l', lifetime])
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
if canonicalize:
|
|
|
ac7d03 |
root_logger.debug("Requesting principal canonicalization")
|
|
|
ac7d03 |
args.append('-C')
|
|
|
ac7d03 |
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
|
|
ac7d03 |
index 32f286148bbdf294f941116b4bdca85714a52837..2990df25985eab63d4bcfc8edf7f2b12da3e9832 100644
|
|
|
ac7d03 |
--- a/ipaserver/rpcserver.py
|
|
|
ac7d03 |
+++ b/ipaserver/rpcserver.py
|
|
|
ac7d03 |
@@ -969,7 +969,8 @@ class login_password(Backend, KerberosSession):
|
|
|
ac7d03 |
password,
|
|
|
ac7d03 |
ccache_name,
|
|
|
ac7d03 |
armor_ccache_name=armor_path,
|
|
|
ac7d03 |
- enterprise=True)
|
|
|
ac7d03 |
+ enterprise=True,
|
|
|
ac7d03 |
+ lifetime=self.api.env.kinit_lifetime)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
if armor_path:
|
|
|
ac7d03 |
self.debug('Cleanup the armor ccache')
|
|
|
ac7d03 |
diff --git a/pylint_plugins.py b/pylint_plugins.py
|
|
|
ac7d03 |
index db80efeba8824eb221d988bb494400da173675a9..550f269b308b6c5b21cb13404040aa0934381f0e 100644
|
|
|
ac7d03 |
--- a/pylint_plugins.py
|
|
|
ac7d03 |
+++ b/pylint_plugins.py
|
|
|
ac7d03 |
@@ -67,6 +67,7 @@ fake_api_env = {'env': [
|
|
|
ac7d03 |
'realm',
|
|
|
ac7d03 |
'session_auth_duration',
|
|
|
ac7d03 |
'session_duration_type',
|
|
|
ac7d03 |
+ 'kinit_lifetime',
|
|
|
ac7d03 |
]}
|
|
|
ac7d03 |
|
|
|
ac7d03 |
# this is due ipaserver.rpcserver.KerberosSession where api is undefined
|
|
|
ac7d03 |
--
|
|
|
ac7d03 |
2.9.4
|
|
|
ac7d03 |
|