You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
while I was assisting @abompard with a problem in Fedora Account System, I noticed that python-freeipa's Kerberos login is inefficient. It requires two HTTP roundtrips to authenticate and uses cookie sessions, which are less efficient. The official IPA client library uses opportunistic authentication without sessions.
To make python-freeipa faster:
use opportunistic authentication
allow passing of GSS-API credentials
don't call login_kerberos
drop session_logout for GSS-API auth
try:
import requests_gssapi
import gssapi
import gssapi.exceptions
except ImportError as e:
# Will raise if the user tries to login via Kerberos.
requests_gssapi = gssapi = e
in Client.__init__:
self._session.verify = verify_ssl
def login_gssapi(self, creds=None)
if creds is None:
try:
creds = gssapi.Credentials(usage="initiate")
except gssapi.exceptions.GSSError as e:
raise Unauthorized(e)
self._session.auth = requests_gssapi.HTTPSPNEGOAuth(
opportunistic_auth=True, creds=creds
)
# optional check to get a 401 early
self._request("ping")
The text was updated successfully, but these errors were encountered:
Hi,
while I was assisting @abompard with a problem in Fedora Account System, I noticed that python-freeipa's Kerberos login is inefficient. It requires two HTTP roundtrips to authenticate and uses cookie sessions, which are less efficient. The official IPA client library uses opportunistic authentication without sessions.
To make python-freeipa faster:
login_kerberossession_logoutfor GSS-API authin
Client.__init__:The text was updated successfully, but these errors were encountered: