f94ccca Allow CustodiaClient to be used by arbitrary principals

2 files changed. Authored by ftweedal 9 years ago, committed by jcholast 9 years ago.
    Allow CustodiaClient to be used by arbitrary principals
    
    Currently CustodiaClient assumes that the client is the host
    principal, and it is hard-coded to read the host keytab and server
    keys.
    
    For the Lightweight CAs feature, Dogtag on CA replicas will use
    CustodiaClient to retrieve signing keys from the originating
    replica.  Because this process runs as 'pkiuser', the host keys
    cannot be used; instead, each Dogtag replica will have a service
    principal to use for Custodia authentication.
    
    Update CustodiaClient to require specifying the client keytab and
    Custodia keyfile to use, and change the client argument to be a full
    GSS service name (instead of hard-coding host service) to load from
    the keytab.  Update call sites accordingly.
    
    Also pass the given 'ldap_uri' argument through to IPAKEMKeys
    because without it, the client tries to use LDAPI, but may not have
    access.
    
    Part of: https://fedorahosted.org/freeipa/ticket/4559
    
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    