URL: https://github.com/freeipa/freeipa/pull/547
Author: simo5
Title: #547: Use GSS-SPNEGO if connecting locally
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/547/head:pr547
git checkout pr547
From 431a21bace9d6e071c9f0bd7cfbc27d7748164bc Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 14:19:30 -0500 Subject: [PATCH] Use GSS-SPNEGO if connecting locally GSS-SPNEGO allows us to negotiate a SASL bind with fewer roundtrips, therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking for speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so performance improvements there are not as important. Ticket: https://pagure.io/freeipa/issue/6656 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/ipaldap.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 82d45b9..b158598 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -52,6 +52,7 @@ # Global variable to define SASL auth SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI') +SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO') _debug_log_ldap = False @@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None): Perform SASL bind operation using the SASL GSSAPI mechanism. """ with self.error_handler(): - auth_tokens = ldap.sasl.sasl({}, 'GSSAPI') + if self._protocol == 'ldapi': + auth_tokens = SASL_GSS_SPNEGO + else: + auth_tokens = SASL_GSSAPI self._flush_schema() self.conn.sasl_interactive_bind_s( '', auth_tokens, server_controls, client_controls)
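Review bot: the comment above SASL_GSSAPI in the first hunk (@@ -52,6 +52,7 @@) still reads "Global variable to define SASL auth" although there are now two module-level objects; it should say which mechanism is chosen when (GSS-SPNEGO for ldapi, GSSAPI otherwise). Together with the second hunk this also replaces the per-call ldap.sasl.sasl({}, 'GSSAPI') with one instance shared by every bind in the process, so the commit message should state that the object carries no per-bind state.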
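Review bot: in gssapi_bind (@@ -1112,7 +1113,10 @@) the self._protocol == 'ldapi' branch selects GSS-SPNEGO with no fallback, so a local bind fails outright when one side does not offer a compatible GSS-SPNEGO, which is the version incompatibility the commit message itself describes. Consider retrying with SASL_GSSAPI when the GSS-SPNEGO bind is rejected, or checking the mechanisms the server advertises before choosing. The docstring still says "using the SASL GSSAPI mechanism" and should mention GSS-SPNEGO, and it should record that "local" here means the ldapi scheme only, not an ldap:// connection to the local host.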