This bug is created as a clone of upstream ticket:
Once session support is complete (1204, 2095) support will need to be added so the CLI can take advantage of this as well.
The plan is to store the cookie in the user's ccache.
*** Bug 805270 has been marked as a duplicate of this bug. ***
*** Bug 768159 has been marked as a duplicate of this bug. ***
Testing info taken from the upstream ticket:
This should be invisible to the user.
Use the keyctl command to list your keys:
$ keyctl list @s
2 keys in keyring:
353548226: --alswrv 1000 -1 keyring: _uid.1000
941350591: --alswrv 1000 1000 user: ipa_session_cookie
To remove a key:
$ keyctl unlink 941350591 @s
Some things to test:
Single IPA server
1. Multiple IPA servers w/SRV records
2. Multiple IPA servers w/SRV records, bring primary down
3. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created
4. Use the -vv option to ipa to see the request conversation, e.g. ipa -vv user-show admin
You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.
The xmlrpclib.py in Python 2.6 is different enough from 2.7 that this is going to require a patch.
Another issue we noticed is that we are not sending a correct cookie back to the server, we're including extraneous cookie information from the browser only Set-Cookie header. We should only be sending the cookie value (e.g. ipa_session=xxxxxxxxxxxxxxxx).
You can see this when using a session:
$ ipa -vv user-show admin
You'll see the Cookie header in the POST request output.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.