Once session support is complete (1204, 2095), support will need to be added so the CLI can take advantage of this as well.
The plan is to store the cookie in the user's ccache.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=786199
Import ctypes and then key utils and use kernel key ring. If the keyring is not available, fall back to the old behavior.
I think we can use keyctl tool rather than importing evil ctypes.
attachment freeipa-rcrit-1024-session.patch
This should be invisible to the user.
Use the keyctl command to list your keys:
$ keyctl list @s
2 keys in keyring:
353548226: --alswrv 1000 -1 keyring: _uid.1000
941350591: --alswrv 1000 1000 user: ipa_session_cookie
To remove a key:
$ keyctl unlink 941350591 @s
Some things to test:
Use the -vv option to ipa to see the request conversation, e.g. ipa -vv user-show admin
You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.
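A scripted version of the keyring check from the test notes above, added here as an example and not taken from the attached patch: it parses `keyctl list @s` output in the format quoted in this ticket and reports whether an `ipa_session_cookie` user key is present and owned by the expected UID. The function names and the ownership check are assumptions of this example.

```python
import re

# Constructed sample: the `keyctl list @s` output quoted in this ticket.
SAMPLE = """\
2 keys in keyring:
353548226: --alswrv  1000    -1 keyring: _uid.1000
941350591: --alswrv  1000  1000 user: ipa_session_cookie
"""

COOKIE_KEY = "ipa_session_cookie"  # key description shown in the ticket

# <id>: <perm string> <uid> <gid> <type>: <description>
LINE_RE = re.compile(
    r"^\s*(?P<id>\d+):\s+(?P<perm>[-a-z]+)\s+(?P<uid>-?\d+)\s+(?P<gid>-?\d+)"
    r"\s+(?P<type>[^:\s]+):\s+(?P<desc>.*)$"
)

def parse_keyctl_list(text):
    """Return one dict per key line; header and 'empty' lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            keys.append({"id": int(d["id"]), "perm": d["perm"],
                         "uid": int(d["uid"]), "gid": int(d["gid"]),
                         "type": d["type"], "desc": d["desc"].strip()})
    return keys

def check_cookie_key(text, expected_uid):
    """Return (key, problems); key is None when no cookie key is listed."""
    found = [k for k in parse_keyctl_list(text)
             if k["type"] == "user" and k["desc"] == COOKIE_KEY]
    if not found:
        return None, ["no %s key in the listing" % COOKIE_KEY]
    problems = []
    if len(found) > 1:
        problems.append("%d keys named %s" % (len(found), COOKIE_KEY))
    key = found[0]
    if key["uid"] != expected_uid:
        problems.append("key %d owned by uid %d, expected %d"
                        % (key["id"], key["uid"], expected_uid))
    return key, problems

if __name__ == "__main__":
    key, problems = check_cookie_key(SAMPLE, expected_uid=1000)
    print(key["id"] if key else None, problems or "ok")
```

To run it against a live session, pass the captured output of `keyctl list @s` and `os.getuid()` instead of the constructed sample.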
master: 54135ec
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0 Beta 1