[Freeipa-devel] [PATCH] 531-541 OTP UI

Petr Vobornik pvoborni at redhat.com
Thu Feb 6 13:11:30 UTC 2014


On 5.2.2014 18:54, Alexander Bokovoy wrote:
> On Wed, 05 Feb 2014, Nathaniel McCallum wrote:
>> On Tue, 2014-01-21 at 17:45 +0100, Petr Vobornik wrote:
>>> from ipaserver.dcerpc import DomainValidator
>>
>> Patch 541 is NACK because ipaserver.dcerpc only exists in
>> freeipa-server-trust-ad.
> I agree. Instead of modifying a highly specialized code in
> ipaserver.dcerpc, you can extend a general purpose kinit code in
> ipapython/ipautil.py or add a separate one there to handle FAST part.
>

I've implemented a new version of patch 541 which doesn't use the dcerpc
module (attached).

This new version might be incorrect as well. The new form based login 
works as follows:
- calls kinit with HTTP keytab to get armor ccache
- calls kinit with user credentials and armor_ccache
- calls kdestroy to cleanup the armor_ccache

It was inspired by existing code in dcerpc.py and rpcserver.py.

The question is whether we should avoid calling sub-processes and rather 
use krbV lib as in ipapython.ipautil.kinit_hostprincipal. Rob mentioned 
that subprocess calls within Apache are quite expensive.
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0541-2-Support-OTP-in-form-based-auth.patch
Type: text/x-patch
Size: 3617 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140206/03d0ba57/attachment.bin>
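
The three-step flow listed in the message above (armor ccache from the service keytab, armored kinit for the user, kdestroy of the armor ccache), written out as an added example; it is not the code from patch 541 or from FreeIPA. The function name `armored_kinit` and the injectable `run` parameter are assumptions made for illustration.

```python
import os
import subprocess
import tempfile


def armored_kinit(principal, password, keytab, service_principal,
                  user_ccache, run=subprocess.run):
    """Get a TGT for `principal` over a FAST channel armored with a ticket
    obtained from `keytab`. Returns the argv lists that were executed."""
    calls = []

    def step(argv, ccache, stdin=None, check=True):
        calls.append(argv)
        # The ccache is selected via KRB5CCNAME; the password goes in on
        # stdin so it never shows up in the process argument list.
        env = dict(os.environ, KRB5CCNAME=ccache, LC_ALL="C")
        return run(argv, input=stdin, env=env, check=check,
                   stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    # mkdtemp creates a directory readable only by the calling user, so the
    # armor ticket is not exposed to other local accounts while it exists.
    tmpdir = tempfile.mkdtemp(prefix="armor-")
    armor_path = os.path.join(tmpdir, "ccache")
    armor = "FILE:" + armor_path
    try:
        # Step 1: armor ccache from the service keytab.
        step(["kinit", "-k", "-t", keytab, service_principal], armor)
        try:
            # Step 2: user kinit, armored with the ccache from step 1.
            step(["kinit", "-T", armor, principal], user_ccache,
                 stdin=(password + "\n").encode())
        finally:
            # Step 3: destroy the armor ccache even if step 2 failed.
            step(["kdestroy", "-q", "-c", armor], armor, check=False)
    finally:
        # Fallback cleanup in case kdestroy itself could not run.
        if os.path.exists(armor_path):
            os.unlink(armor_path)
        os.rmdir(tmpdir)
    return calls
```

Passing a recording function as `run` shows the exact commands without a KDC; with the default `subprocess.run` a failed kinit raises `CalledProcessError` after the armor ccache has been destroyed.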