[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543

From 2b309c896728f188959c022635ff131347e2f266 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching.)

Ticket: https://pagure.io/freeipa/issue/6771

Signed-off-by: Simo Sorce
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
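Review bot: the new `allow_client_ccache_sync = true` in the `@@ -4,6 +4,7 @@` hunk (the `euid = $HTTPD_USER` section with `allow_protocol_transition = true`) makes the template depend on a gssproxy release that does not exist yet (the commit message says the option is planned for 0.7) and on krb5 1.15.1, yet the patch touches only the template (`1 file changed`). Please add the matching `Requires:` bumps in the spec file, or say in the commit message how a gssproxy that does not know the option treats it, and put a one-line comment above the directive in the template naming both version requirements so the next editor of this file knows why it is there.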
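Review bot: in the `@@ -12,5 +13,6 @@` hunk the same option is enabled for the `euid = $IPAAPI_USER` section (`cred_usage = initiate`, `allow_constrained_delegation = true`), which is the section serving the framework's short-lived ldap connections the commit message is about. Since the option lets gssproxy write the tickets it obtains back into the caller's credential cache, the commit message should state which ccache that is for each of the two sections, and why it is also wanted for the `$HTTPD_USER` section, where `cred_usage = both` and the credentials come from protocol transition, rather than only for the initiate-only section where the described speedup applies.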
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543

From d2c6121af9b4b366d0ff954a59f9a4917c634fc8 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching.)

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543

From 9a89d1d279403190b3273cba25204a9e4af564c5 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching.)

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543

From 4c13d3360b28da66cf1fe54e7fb1c022f24e4c2e Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching.)

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543

From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching.)

Signed-off-by: Simo Sorce
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543

From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH 1/3] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching.)

Signed-off-by: Simo Sorce
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER

From 34553627ebd709dea371030b03607c9c167732b0 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH 2/3] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a sasl bind with fewer roundtrips, therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking at speedups for the local short-lived connections performed by the framework. Most other clients have longer-lived connections, so performance improvements there are not as important.

Signed-off-by: Simo Sorce
---
 ipapython/ipaldap.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 82d45b9..b158598 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -52,6 +52,7 @@ # Global variable to define SASL auth SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI') +SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO') _debug_log_ldap = False @@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None): Perform SASL bind operation using the SASL GSSAPI mechanism. """ with self.error_handler(): -auth_tokens = ldap.sasl.sasl({}, 'GSSAPI') +if self._protocol == 'ldapi': +auth_tokens = SASL_GSS_SPNEGO +else: +auth_tokens = SASL_GSSAPI self._flush_schema() self.conn.sasl_interactive_bind_s( '', auth_tokens, server_controls, client_controls)

From 4a9b4a7769e36890f95d87053388579928088dd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH 3/3] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661
Signed-off-by: Simo Sorce
---
 ipalib/rpc.py | 30 ++
 ipapython/ccache_storage.py | 234
 2 files changed, 242 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/ccache_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..be31333 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import ccache_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ @@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): -''' -Return the key name used for storing the client session data for -the given principal. -''' - -return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): ''' Given a principal create or update the session data for that @@
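Review bot: in the ipaldap.py hunk at `@@ -52,6 +52,7 @@`, `SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')` is a module-level object shared by every bind, and the second hunk also stops creating a fresh `ldap.sasl.sasl({}, 'GSSAPI')` per call in favour of the existing `SASL_GSSAPI` global. Sharing these objects is fine as long as their callback dict stays empty, but it is a change unrelated to SPNEGO and deserves a sentence in the commit message so nobody later adds per-connection state to them.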
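Review bot: in the `@@ -1112,7 +1113,10 @@` hunk the docstring still reads `Perform SASL bind operation using the SASL GSSAPI mechanism.` although the method now chooses GSS-SPNEGO when `self._protocol == 'ldapi'`; update it. There is also no fallback: the commit message says an older Cyrus SASL cannot negotiate GSS-SPNEGO properly, and in that case `sasl_interactive_bind_s` fails inside `self.error_handler()` and the local bind is lost. Either check `supportedSASLMechanisms` in the root DSE before picking `SASL_GSS_SPNEGO`, or catch the bind failure and retry with `SASL_GSSAPI`. A comment that "local" here means the Unix socket only (`ldap://localhost` keeps GSSAPI) would also help, since that matches the message but is easy to misread.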
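Review bot: the `@@ -56,7 +56,7 @@` hunk in ipalib/rpc.py replaces `from ipapython import kernel_keyring` with `from ipapython import ccache_storage`, but the diffstat lists only `ipalib/rpc.py` and the new `ipapython/ccache_storage.py`. Please confirm with a grep that no other module (client tools, tests) still uses `kernel_keyring` for the session cookie, and say whether `ipapython/kernel_keyring.py` itself stays for other callers or is to be removed in a follow-up.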
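Review bot: the `@@ -84,19 +84,11 @@` hunk removes the module-level helper `client_session_keyring_keyname(principal)` and replaces `KEYRING_COOKIE_NAME` with `CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'`; any external caller of the removed function breaks, so check for callers and list the removal in the commit message. Since `ipapython/ccache_storage.py` is not in this excerpt, the message should also state which ccache the entry is written to and under which principal, because moving the cookie out of the kernel keyring ties its confidentiality to the permissions of that ccache file (which is the intent: kdestroy removes it together with the tickets).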
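The mechanism choice in PATCH 2/3 keys only on `self._protocol == 'ldapi'`. The following is an added example, not FreeIPA code, showing the same rule with the check the patch lacks: GSS-SPNEGO is used only over `ldapi://` and only when the server advertises it in `supportedSASLMechanisms`, falling back to GSSAPI otherwise (including when the root DSE could not be read). The root DSE dictionaries are constructed; with python-ldap the real one comes from `conn.search_s('', ldap.SCOPE_BASE, attrlist=['supportedSASLMechanisms'])`, and the returned name is what `ldap.sasl.sasl({}, mech)` takes.

```python
"""Choose a SASL GSS mechanism for an LDAP bind from the server's root DSE.

Added example (not FreeIPA code). Rule: GSS-SPNEGO only over ldapi:// and
only if advertised; GSSAPI otherwise. Root DSE data is constructed below.
"""
from typing import Optional, Set
from urllib.parse import urlsplit

LOCAL_MECH = "GSS-SPNEGO"   # fewer round trips, but needs a recent Cyrus SASL
DEFAULT_MECH = "GSSAPI"     # works against any Kerberos-enabled directory


def is_ldapi(uri: str) -> bool:
    """Only ldapi:// (Unix domain socket) counts as local; ldap://localhost is TCP."""
    return urlsplit(uri).scheme.lower() == "ldapi"


def advertised_mechs(root_dse: Optional[dict]) -> Set[str]:
    """python-ldap returns attribute values as bytes; normalise to str."""
    if not root_dse:
        return set()
    values = root_dse.get("supportedSASLMechanisms", [])
    return {v.decode() if isinstance(v, bytes) else str(v) for v in values}


def choose_sasl_mechanism(uri: str, root_dse: Optional[dict]) -> str:
    """Pick the SASL mechanism name to pass to ldap.sasl.sasl({}, mech).

    root_dse is the entry for the empty DN, or None if the server refused an
    anonymous root DSE read; in that case stay on GSSAPI rather than guess.
    """
    mechs = advertised_mechs(root_dse)
    if not mechs:
        return DEFAULT_MECH
    if is_ldapi(uri) and LOCAL_MECH in mechs:
        return LOCAL_MECH
    if DEFAULT_MECH in mechs:
        return DEFAULT_MECH
    raise RuntimeError("%s offers neither %s nor %s" % (uri, LOCAL_MECH, DEFAULT_MECH))


if __name__ == "__main__":
    # Constructed root DSE values standing in for a real search result.
    new_server = {"supportedSASLMechanisms": [b"GSSAPI", b"GSS-SPNEGO", b"EXTERNAL"]}
    old_server = {"supportedSASLMechanisms": [b"GSSAPI", b"EXTERNAL"]}
    for uri, dse in [("ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket", new_server),
                     ("ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket", old_server),
                     ("ldap://localhost", new_server),
                     ("ldap://ipa.example.test", None)]:
        print(uri, "->", choose_sasl_mechanism(uri, dse))
```

The root DSE read costs one extra round trip, which is the thing the patch is trying to save; a cheaper variant caches the answer per socket path for the lifetime of the process, since the local directory does not change its SASL plugins between the framework's short-lived connections.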
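PATCH 3/3 moves the session cookie into the credential cache, but `ipapython/ccache_storage.py` is not part of this excerpt. The following added example (mine, not FreeIPA's, and not a reproduction of that file) shows where such an entry lives on disk and why `kdestroy` takes it away: it writes and parses an MIT krb5 FILE: ccache, format version 4, and looks up the config entry for the key name `X-IPA-Session-Cookie` taken from the patch. Assumptions, labelled in the code: MIT stores ccache config entries as credentials whose server principal is `krb5_ccache_conf_data/<key>[/<principal>]@X-CACHECONF:` with the value in the ticket field; the realm, user and cookie bytes are constructed sample data. Pointing the parser at a real `/tmp/krb5cc_<uid>` after an `ipa` command shows the same entry.

```python
"""Locate a session cookie stored as a config entry in an MIT krb5 FILE: ccache.

Added example, not FreeIPA code. Assumptions: FILE ccache version 4 (0x0504,
big-endian) as written by MIT krb5; config entries are credentials with server
principal krb5_ccache_conf_data/<key>[/<principal>]@X-CACHECONF: whose
"ticket" field holds the value. Sample principals and cookie are constructed.
"""
import struct
import sys
from typing import Iterator, List, Optional, Tuple

CONF_REALM = "X-CACHECONF:"            # pseudo-realm MIT uses for ccache config
CONF_SERVICE = "krb5_ccache_conf_data"
COOKIE_KEY = "X-IPA-Session-Cookie"    # key name from the patch

Principal = Tuple[str, List[str]]


def _data(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _principal(realm: str, comps: List[str], name_type: int = 1) -> bytes:
    out = struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)


def _cred(client: bytes, server: bytes, ticket: bytes = b"",
          enctype: int = 0, key: bytes = b"", endtime: int = 0) -> bytes:
    out = client + server
    out += struct.pack(">HI", enctype, len(key)) + key   # keyblock: enctype, len, bytes
    out += struct.pack(">IIII", 0, 0, endtime, 0)        # authtime, starttime, endtime, renew_till
    out += struct.pack(">BI", 0, 0)                      # is_skey, ticket_flags
    out += struct.pack(">II", 0, 0)                      # no addresses, no authdata
    return out + _data(ticket) + _data(b"")              # ticket, second_ticket


def build_sample_ccache(cookie: Optional[bytes]) -> bytes:
    """Constructed v4 ccache: a TGT-shaped cred plus, optionally, the cookie entry."""
    me = _principal("EXAMPLE.TEST", ["alice"])
    out = b"\x05\x04"                                    # version 4
    out += struct.pack(">HHHii", 12, 1, 8, 0, 0)         # header: one DeltaTime tag
    out += me                                            # default principal
    tgt = _principal("EXAMPLE.TEST", ["krbtgt", "EXAMPLE.TEST"], name_type=2)
    out += _cred(me, tgt, ticket=b"\x61\x00", enctype=18, key=b"\x00" * 32,
                 endtime=2000000000)
    if cookie is not None:
        out += _cred(me, _principal(CONF_REALM, [CONF_SERVICE, COOKIE_KEY]),
                     ticket=cookie)
    return out


class _Reader:
    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def data(self) -> bytes:
        return self.take(self.u32())

    def principal(self) -> Principal:
        self.u32()                                       # name type, unused here
        count = self.u32()
        realm = self.data().decode()
        return realm, [self.data().decode() for _ in range(count)]

    def cred(self) -> Tuple[Principal, Principal, bytes]:
        client, server = self.principal(), self.principal()
        self.u16()
        self.data()                                      # keyblock
        self.take(16)                                    # four timestamps
        self.u8()
        self.u32()                                       # is_skey, ticket_flags
        for _ in range(self.u32()):                      # addresses
            self.u16()
            self.data()
        for _ in range(self.u32()):                      # authdata
            self.u16()
            self.data()
        ticket = self.data()
        self.data()                                      # second_ticket
        return client, server, ticket


def iter_credentials(buf: bytes) -> Iterator[Tuple[Principal, Principal, bytes]]:
    r = _Reader(buf)
    if r.u16() != 0x0504:
        raise ValueError("only FILE ccache version 4 is handled")
    r.take(r.u16())                                      # skip header tags
    r.principal()                                        # default principal
    while r.pos < len(buf):
        yield r.cred()


def find_session_cookie(buf: bytes, key: str = COOKIE_KEY) -> Optional[bytes]:
    """Return the value of the ccache config entry `key`, or None if absent."""
    for _client, (realm, comps), ticket in iter_credentials(buf):
        if realm == CONF_REALM and comps[:2] == [CONF_SERVICE, key]:
            return ticket
    return None


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_ccache(b"ipa_session=constructed")
    print(find_session_cookie(blob))
```

Because the entry is an ordinary credential record, it shares the ccache file's mode (0600 under the owning uid for FILE: caches) and disappears with `kdestroy` or on re-initialisation by `kinit`, which is the property the commit message is after; it equally means the cookie is copied along wherever the ccache file is copied.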