[CalendarServer] #314: Custom keytab file location for Kerberos
#314: Custom keytab file location for Kerberos
-------------------------------+--------------------------------------------
 Reporter:  rahul@…            |       Owner:  wsanchez@…
     Type:  Feature            |      Status:  new
 Priority:  4: Nice to have    |   Milestone:
Component:  Calendar Server    |    Severity:  Other
 Keywords:                     |
-------------------------------+--------------------------------------------
 Could a feature be added for adding a custom location for the keytab file?
 This could be specified as a configuration parameter as below.

 {{{
 <!-- Kerberos/SPNEGO -->
 <key>Kerberos</key>
 <dict>
   <key>Enabled</key>
   <true/>
   <key>ServicePrincipal</key>
   <string>HTTP/synovel103.synovel.pvt@SYNOVEL.COM</string>
   <key>KeytabLocation</key>
   <string>/etc/keytabs/caldav.keytab</string>
 </dict>
 }}}

 Alternatively if this could be achieved by setting the environment
 variable KRB5_KTNAME, that would be fine as well.

--
Ticket URL: <http://trac.calendarserver.org/ticket/314>
CalendarServer </>
HTTP/WebDAV/CalDAV Server

#314: Custom keytab file location for Kerberos
-------------------------------+--------------------------------------------
 Reporter:  rahul@…            |       Owner:  wsanchez@…
     Type:  Enhancement        |      Status:  new
 Priority:  4: Nice to have    |   Milestone:  Later
Component:  Calendar Server    |    Severity:  Other
 Keywords:                     |
-------------------------------+--------------------------------------------
Changes (by wsanchez@…):

  * type:  Feature => Enhancement
  * milestone:  => Later

Comment:

 I think we just find the keytab via the underlying Kerberos library.

 I'd be happy to take a patch that asks for a specific keytab though; that
 may require a minor fix to PyKerberos as well, not sure.

--
Ticket URL: <http://trac.calendarserver.org/ticket/314#comment:1>
CalendarServer </>
HTTP/WebDAV/CalDAV Server

#314: Custom keytab file location for Kerberos
-------------------------------+--------------------------------------------
 Reporter:  rahul@…            |       Owner:  wsanchez@…
     Type:  Enhancement        |      Status:  new
 Priority:  4: Nice to have    |   Milestone:  Later
Component:  Calendar Server    |    Severity:  Other
 Keywords:                     |
-------------------------------+--------------------------------------------
Comment(by arthurp@…):

 Replying to [comment:1 wsanchez@…]:
 > I think we just find the keytab via the underlying Kerberos library.

 Right, but the underlying Kerberos library expects to obtain any
 non-default keytab locations from the environment variable KRB5_KTNAME,
 which is being filtered out by twisted. (see
 [http://twistedmatrix.com/trac/wiki/FrequentlyAskedQuestions#WhydontmyspawnPr... twisted FAQ])

 For implementing this, I've chosen to patch through the environment
 variable as is already being done for PYTHONPATH (rather than dealing with
 adding configuration file items). The attached patch has been tested on
 Debian Lenny, against Debian's pykerberos 1.0+svn2455-1. From what I can
 see, the changes between that and pykerberos 1.1 stay far away from keytab
 handling.

 Note that setting KRB5_KTNAME to '' results in no keytab file ever being
 found, thus the mildly awkward syntax.

--
Ticket URL: <http://trac.calendarserver.org/ticket/314#comment:2>
CalendarServer </>
HTTP/WebDAV/CalDAV Server

#314: Custom keytab file location for Kerberos
--------------------------------+-------------------------------------------
  Reporter:  rahul@…            |        Owner:  wsanchez@…
      Type:  Enhancement        |       Status:  closed
  Priority:  3: Important       |    Milestone:  CalendarServer-2.0
 Component:  Calendar Server    |     Severity:  Other
Resolution:  Software changed   |     Keywords:
--------------------------------+-------------------------------------------
Changes (by wsanchez@…):

  * priority:  4: Nice to have => 3: Important
  * status:  new => closed
  * resolution:  => Software changed
  * milestone:  Later => CalendarServer-2.0

Comment:

 OK, I see. Not sure why you need to use update though. Here's my version:

 {{{
 if "KRB5_KTNAME" in os.environ:
     parentEnv["KRB5_KTNAME"] = os.environ["KRB5_KTNAME"]
 }}}

 Committed in r3658.

--
Ticket URL: <http://trac.calendarserver.org/ticket/314#comment:4>
CalendarServer </>
HTTP/WebDAV/CalDAV Server

#314: Custom keytab file location for Kerberos
--------------------------------+-------------------------------------------
  Reporter:  rahul@…            |        Owner:  wsanchez@…
      Type:  Enhancement        |       Status:  closed
  Priority:  3: Important       |    Milestone:  CalendarServer-2.0
 Component:  Calendar Server    |     Severity:  Other
Resolution:  Software changed   |     Keywords:
--------------------------------+-------------------------------------------
Comment(by arthurp@…):

 Replying to [comment:4 wsanchez@…]:
 > OK, I see. Not sure why you need to use update though. Here's my version:

 I used update...only because my python is worse than rusty. :-)

 Not surprisingly, your syntax also tests out perfectly.

 Keep up the good (& quick!) work,

 -a.

--
Ticket URL: <http://trac.calendarserver.org/ticket/314#comment:5>
CalendarServer </>
HTTP/WebDAV/CalDAV Server

#314: Custom keytab file location for Kerberos
--------------------------------+-------------------------------------------
  Reporter:  rahul@…            |        Owner:  wsanchez@…
      Type:  Enhancement        |       Status:  closed
  Priority:  3: Important       |    Milestone:  CalendarServer-2.0
 Component:  Calendar Server    |     Severity:  Other
Resolution:  Software changed   |     Keywords:
--------------------------------+-------------------------------------------
Comment(by wsanchez@…):

 Great, thanks for the follow-through.

--
Ticket URL: <http://trac.calendarserver.org/ticket/314#comment:6>
CalendarServer </>
HTTP/WebDAV/CalDAV Server
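
An added illustration of the environment pass-through discussed in comments 2 and 4; it is not CalendarServer's code and not part of the thread. It uses `subprocess` with an explicit `env` as a stand-in for a Twisted-spawned child, forwards only allow-listed variables, and skips an empty `KRB5_KTNAME`. The function names and the permission check on the keytab file are assumptions of this example.

```python
import os
import stat
import subprocess
import sys

# Added example: names are illustrative, not CalendarServer's own code.
PASS_THROUGH = ("PYTHONPATH", "KRB5_KTNAME")


def build_child_env(parent_env):
    """Explicit environment for a spawned child: allow-listed names only."""
    child_env = {}
    for name in PASS_THROUGH:
        value = parent_env.get(name)
        # Forward only non-empty values; the thread notes that an empty
        # KRB5_KTNAME results in no keytab file ever being found.
        if value:
            child_env[name] = value
    return child_env


def keytab_seen_by_child(parent_env):
    """Spawn a child with the filtered environment; return its KRB5_KTNAME."""
    probe = "import os; print(os.environ.get('KRB5_KTNAME', '<unset>'))"
    result = subprocess.run(
        [sys.executable, "-c", probe],
        env=build_child_env(parent_env),
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.strip()


def keytab_is_private(path):
    """True if the keytab is a regular file with no group/other access."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and not (mode & 0o077)


if __name__ == "__main__":
    # Constructed parent environment; the keytab path is the one in the ticket.
    parent = {"KRB5_KTNAME": "/etc/keytabs/caldav.keytab", "HOME": "/root"}
    print(keytab_seen_by_child(parent))
    print(keytab_seen_by_child({"KRB5_KTNAME": ""}))
```

A keytab holds the service's long-term keys, so moving it to a custom location is a good moment to confirm that only the service account can read it.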