[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 2b309c896728f188959c022635ff131347e2f266 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6771

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
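Review bot: this hunk depends on a gssproxy option that, per the commit message, is only planned for gssproxy 0.7 and only takes effect with krb5 1.15.1, yet the diffstat shows the template as the only file changed. Either bump the gssproxy Requires in the spec alongside this line or state in the commit message that older gssproxy ignores an unknown `allow_client_ccache_sync` key rather than refusing to start; if it refuses, this template would break the HTTP service section (`euid = $HTTPD_USER`) on every host that upgrades FreeIPA before gssproxy.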
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
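Review bot: `allow_client_ccache_sync = true` is added here without any comment, and the template carries none explaining the option, so a reader of the generated gssproxy.conf cannot tell that it is a performance knob that silently does nothing on krb5 below 1.15.1. Suggest a one-line comment above it (for example, `# write service tickets back to the client ccache; needs gssproxy 0.7 / krb5 1.15.1`) or a reference to https://pagure.io/freeipa/issue/6771, given that this section runs as `$IPAAPI_USER` with `cred_usage = initiate` and the synced tickets will now live in that user's ccache.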
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From d2c6121af9b4b366d0ff954a59f9a4917c634fc8 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
-- 

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-15 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 9a89d1d279403190b3273cba25204a9e4af564c5 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
-- 

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 4c13d3360b28da66cf1fe54e7fb1c022f24e4c2e Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
-- 

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-06 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
-- 

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-06 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH 1/3] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER

From 34553627ebd709dea371030b03607c9c167732b0 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH 2/3] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a sasl bind with fewer roundtrips,
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really looking
at speedups for the local short-lived connections performed by the
framework. Most other clients have longer lived connections, so
performance improvements there are not as important.

Signed-off-by: Simo Sorce 
---
 ipapython/ipaldap.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 82d45b9..b158598 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -52,6 +52,7 @@
 
 # Global variable to define SASL auth
 SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')
 
 _debug_log_ldap = False
 
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None):
 Perform SASL bind operation using the SASL GSSAPI mechanism.
 """
 with self.error_handler():
-auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+if self._protocol == 'ldapi':
+auth_tokens = SASL_GSS_SPNEGO
+else:
+auth_tokens = SASL_GSSAPI
 self._flush_schema()
 self.conn.sasl_interactive_bind_s(
 '', auth_tokens, server_controls, client_controls)
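Review bot: the docstring still says the bind uses the SASL GSSAPI mechanism, but on `ldapi` the method now sends GSS-SPNEGO; update it to say the mechanism is chosen by `self._protocol`. There is also no fallback: the commit message says an older Cyrus SASL cannot negotiate GSS-SPNEGO correctly, yet if `sasl_interactive_bind_s` fails with `SASL_GSS_SPNEGO` the error propagates through `error_handler()` rather than retrying with `SASL_GSSAPI`. Either document the minimum cyrus-sasl version this requires or catch the failure on the ldapi path and retry with GSSAPI.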

From 4a9b4a7769e36890f95d87053388579928088dd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH 3/3] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py   |  30 ++
 ipapython/ccache_storage.py | 234 
 2 files changed, 242 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/ccache_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..be31333 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import ccache_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
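Review bot: removing `KEYRING_COOKIE_NAME` and `client_session_keyring_keyname()` here leaves whatever session cookies earlier client versions stored in the kernel keyring under `ipa_session_cookie:<principal>` in place with nothing to read, reuse or delete them, so an upgrade leaves a stale server session cookie lying in the keyring until it expires. Suggest a one-time cleanup (look up the old key name and unlink it) in `update_persistent_client_session_data()` or at ccache write time, and a note in the commit message that the storage location changed. It is also worth stating in the docstring how `CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'` is stored, since the entry will be readable by anyone who can read the ccache, the same audience kdestroy now clears.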
@@