#2331 Store session cookie in ccache for cli users
Closed: Fixed None Opened 7 years ago by rcritten.

Once session support is complete (1204, 2095) support will need to be added so the CLI can take advantage of this as well.

The plan is to store the cookie in the user's ccache.


Import ctypes and then key utils and use kernel key ring. If the keyring is not available, fall back to the old behavior.

I think we can use keyctl tool rather than importing evil ctypes.

This should be invisible to the user.

Use the keyctl command to list your keys:

$ keyctl list @s
2 keys in keyring:
353548226: --alswrv  1000    -1 keyring: _uid.1000
941350591: --alswrv  1000  1000 user: ipa_session_cookie

To remove a key:

$ keyctl unlink 941350591 @s

Some things to test:

  1. Single IPA server
  2. Multiple IPA servers w/SRV records
  3. Multiple IPA servers w/SRV records, bring primary down
  4. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created

Use the -vv option to ipa to see the request conversation, e.g. ipa -vv user-show admin

You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.
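The request flow and keyring fallback described in this ticket, as an added example that is not FreeIPA's own code. `KeyringStore`, `MemoryStore`, `pick_store`, `FakeServer` and `call` are hypothetical names and the server is a constructed in-memory model; only the key name and the two URL paths come from the ticket.

```python
import itertools
import shutil
import subprocess

KEY = "ipa_session_cookie"  # key description seen in the ticket's keyctl listing

def keyctl(*args, data=None):
    return subprocess.run(["keyctl", *args], input=data, text=True, capture_output=True)

class KeyringStore:  # cookie lives in the session keyring (@s), via the keyctl tool
    def read(self):
        found = keyctl("search", "@s", "user", KEY)
        if found.returncode != 0:
            return None
        out = keyctl("pipe", found.stdout.strip())
        return out.stdout if out.returncode == 0 else None
    def write(self, cookie):  # padd reads stdin, keeping the cookie out of argv
        keyctl("padd", "user", KEY, "@s", data=cookie)

class MemoryStore:  # constructed stand-in, same interface, for hosts without keyctl
    cookie = None
    def read(self):
        return self.cookie
    def write(self, cookie):
        self.cookie = cookie

def pick_store():  # keyring if usable, else None (old behaviour: no cookie cache)
    usable = shutil.which("keyctl") and keyctl("show", "@s").returncode == 0
    return KeyringStore() if usable else None

class FakeServer:  # constructed model; clearing sessions mimics an ipa_memcached restart
    def __init__(self):
        self.sessions, self.ids = set(), itertools.count(1)
    def send(self, path, cookie):
        if path == "/ipa/session/xml":
            return (200, None) if cookie in self.sessions else (401, None)
        cookie = f"constructed-session-{next(self.ids)}"  # /ipa/xml issues a session
        self.sessions.add(cookie)
        return 200, cookie

def call(send, store):  # (path, status) trail of one command, as ipa -vv shows it
    if store is None:  # no keyring: old behaviour, never use the session endpoint
        return [("/ipa/xml", send("/ipa/xml", None)[0])]
    status, _ = send("/ipa/session/xml", store.read())
    if status != 401:
        return [("/ipa/session/xml", status)]
    code, cookie = send("/ipa/xml", None)
    if cookie:
        store.write(cookie)
    return [("/ipa/session/xml", status), ("/ipa/xml", code)]
```

Passing `pick_store()` as the store uses the real session keyring where `keyctl` works; the cookie is then readable by anything that can read that keyring, so it should be treated like a credential.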

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Beta 1

2 years ago
