Below are my notes on how DNS is used. This document is neither accurate nor authoritative, just meandering. You’ve been warned.
Category Archives: FreeIPA
RFI: SPNEGO multiple requests
From what we are seeing and what I’ve read, the browser seems to send a JSON request with no Auth info, and then the whole SPNEGO handshake takes place, turning what should be a single request/response into (at a minimum) two. It seems to me that we should be able to avoid that after the initial auth has taken place.
Is there any way to cache SPNEGO information such that successive JSON RPC calls provide the needed information automatically, instead of requiring multiple round trips per request?
Any Fedora people worked with this stuff and know how to optimize it? Do I need to revert to a Cookie based approach?
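The round trips described above, and the effect of a cookie-based session after the first handshake, can be counted with a small simulation. This is an added example, not code from the original post or from FreeIPA: the `Server` class, the `session` cookie name and the base64 "token" are assumptions standing in for a real web server and a real GSSAPI exchange.

```python
import base64
import secrets

def fake_token(principal):
    # Constructed stand-in for a SPNEGO token; a real one comes from GSSAPI.
    return base64.b64encode(principal.encode()).decode()

class Server:
    def __init__(self, use_cookie):
        self.use_cookie = use_cookie
        self.sessions = {}      # session id -> authenticated principal
        self.negotiations = 0   # how many Negotiate tokens were processed

    def handle(self, headers):
        """Handle one JSON-RPC request; return (status, response headers)."""
        sid = headers.get("Cookie", "").partition("=")[2]
        if self.use_cookie and sid in self.sessions:
            return 200, {}                      # session hit: no handshake
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}
        self.negotiations += 1
        principal = base64.b64decode(auth.split(" ", 1)[1]).decode()
        if not self.use_cookie:
            return 200, {}
        sid = secrets.token_urlsafe(32)         # unguessable session id
        self.sessions[sid] = principal
        return 200, {"Set-Cookie": "session=%s; Secure; HttpOnly" % sid}

def round_trips(server, principal, calls):
    """Issue `calls` requests the way the browser does; count round trips."""
    cookie, trips = None, 0
    for _ in range(calls):
        headers = {"Cookie": cookie} if cookie else {}
        status, resp = server.handle(headers)
        trips += 1
        if status == 401 and resp.get("WWW-Authenticate") == "Negotiate":
            headers["Authorization"] = "Negotiate " + fake_token(principal)
            status, resp = server.handle(headers)
            trips += 1
        if "Set-Cookie" in resp:
            cookie = resp["Set-Cookie"].split(";", 1)[0]
    return trips
```

With a session cookie the id becomes a bearer credential in place of the per-request Kerberos proof, so it needs a short lifetime and must only travel over TLS.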
Debugging with lite-server.py in FreeIPA
Kerberos doesn’t tell you who you are. Seems like a funny thing, but when you use Kerberos Auth on the web, the browser has no way of telling you “this is the principal that you are using.” For the UI in FreeIPA, I need to display just this information. To find it, I have to look to the server to tell me.
Thus begins my study of FreeIPA plugins. I wrote a simple plugin, the whoami plugin, that did just what I needed. I returned the Principal in the summary, and all was good.
Now I need more. I need to know the role groups of which the current user is a member. This information is on the user object already. So, good-bye whoami plugin: we are going to add your behavior to the user plugin, where it belongs.
The key piece of information that made this work possible was how to get a breakpoint to stop the code and let me step through it. The trick, probably old hat to the Pythonistas out there but new to me, was this simple line:
import pdb; pdb.set_trace()
Without that, none of the breakpoints I’d set would get executed, maybe due to threading or something. Not sure, but with this, I was able to determine that what I needed to do was to modify the filter.
I ran the lite-server like this:
./lite-server.py
Which is actually preferable to running it like this:
python -m pdb lite-server.py
As you don’t have to type cont, and the debugger is still activated by the breakpoints.
Project Values
When a group forms, one of the things it does, over time, is develop values. Different development teams have different values, and people that come into the development process have to learn and adopt those values. One value of the FreeIPA project that is very different from other recent projects of mine is this: The main code repository is only for “published” code. Work in progress should happen elsewhere. The main git repository should be easily readable.
Unit tests in FreeIPA
I’m working through the issues getting the unit tests to run cleanly. Here’s my setup:
Troubleshooting FreeIPA Certificate issues
For the past couple of months, I’ve been heads down working on the UI for the FreeIPA project. Since FreeIPA is designed to be the cornerstone of a company’s security management infrastructure, it is designed to do everything “right” as far as cryptography, certificates, Kerberos, SELinux and the like go. If something is not configured correctly, it shuts down, doesn’t start, breaks, and so on. We, the developers, deal with the pain of getting it configured correctly so that, hopefully, the end users get an experience that is both smooth and secure. So, if you are sharing some of that pain, here’s an analgesic: