
Bug 1512615

Summary: after upgrade ipa-server OS from 7.3 to 7.4 Web UI has no timeout any more
Product: Red Hat Enterprise Linux 7
Reporter: Silvio Wanka <Silvio.Wanka>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: ipa-qe <ipa-qe>
Severity: low
Docs Contact:
Priority: unspecified
Version: 7.4
CC: frenaud, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-14 08:54:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Silvio Wanka 2017-11-13 16:38:16 UTC
Up to ipa-server 4.4.x it was normal that I had to re-enter my credentials if I had not used the Web UI for some minutes. Now I remain logged on without any limit. Is this the normal behavior now (insecure) or is there a bug?

Comment 2 Florence Blanc-Renaud 2017-11-14 08:54:14 UTC
Hi,

in older versions, the session duration was set with the parameter SessionMaxAge in the file /etc/httpd/conf.d/ipa.conf.

In RHEL 7.4, we introduced privilege separation (https://pagure.io/freeipa/issue/5959) and setting SessionMaxAge could break old clients (ipa-client < 4.5), see issue https://pagure.io/freeipa/issue/7001.

So now, the default session duration is tied to the Kerberos ticket lifetime (default=24h), but can be tuned by setting kinit_lifetime=<duration> in the [global] section of /etc/ipa/default.conf.

For instance to limit the session to 5min, modify /etc/ipa/default.conf on the masters and restart ipa with ipactl stop/ipactl start:

$ cat /etc/ipa/default.conf
[global]
host = master.domain.com
basedn = dc=domain,dc=com
realm = DOMAIN.COM
domain = domain.com
xmlrpc_uri = https://master.domain.com/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
mode = production
kinit_lifetime=5min

Comment 3 Silvio Wanka 2017-11-14 09:16:53 UTC
If I set kinit_lifetime in /etc/ipa/default.conf to 5min as recommended, does this only affect the Web UI or also (as I assume) all other kinds of sessions?

TIA

Comment 4 Florence Blanc-Renaud 2017-11-16 08:24:09 UTC
Hi,

the lifetime set in /etc/ipa/default.conf will affect only sessions to the WebUI that are using the /session/login_password method (i.e. when the user provides username and password).

When authentication is done with an already acquired kerberos ticket (using /session/login_kerberos), the ticket lifetime is limiting the session duration.
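As an added defensive check that is not part of this bug report or of FreeIPA itself: the script below reads a master's /etc/ipa/default.conf and reports the lifetime that Comment 2 and Comment 4 describe for password-based Web UI sessions, falling back to the 24h ticket default when kinit_lifetime is absent. The accepted duration spellings (modelled on krb5 duration strings) and the 15-minute policy threshold are assumptions; the sample configs are constructed from the file shown in Comment 2.

```python
"""Audit the Web UI session lifetime configured in /etc/ipa/default.conf."""
import configparser
import re

# With no kinit_lifetime set, password-based Web UI sessions last as long as the
# Kerberos ticket, 24h by default (Comment 2).
DEFAULT_LIFETIME_SECONDS = 24 * 60 * 60
# Unit spellings are an assumption modelled on krb5 duration strings; the page only shows "5min".
_UNITS = {"s": 1, "sec": 1, "second": 1, "seconds": 1,
          "m": 60, "min": 60, "minute": 60, "minutes": 60,
          "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
          "d": 86400, "day": 86400, "days": 86400}

def parse_duration(text):
    """Turn '5min', '1h30m' or '2 days' into seconds; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"(?:\d+\s*[A-Za-z]+\s*)+", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    total = 0
    for number, unit in re.findall(r"(\d+)\s*([A-Za-z]+)", text):
        if unit.lower() not in _UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(number) * _UNITS[unit.lower()]
    return total

def effective_session_lifetime(config_text):
    """Return (seconds, source) for /session/login_password sessions on one master."""
    # ldap_uri contains '%2f', which configparser's default interpolation rejects.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    if cfg.has_option("global", "kinit_lifetime"):
        return parse_duration(cfg.get("global", "kinit_lifetime")), "kinit_lifetime"
    return DEFAULT_LIFETIME_SECONDS, "kerberos ticket default"

def check_lifetime(config_text, max_allowed_seconds=15 * 60):
    """Flag a master whose lifetime exceeds the site maximum (15min here is an assumed policy)."""
    seconds, source = effective_session_lifetime(config_text)
    return {"seconds": seconds, "source": source, "compliant": seconds <= max_allowed_seconds}
# Constructed samples: the tuned file from Comment 2 (abridged) and the same file without the setting.
TUNED = """[global]
host = master.domain.com
ldap_uri = ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket
mode = production
kinit_lifetime=5min
"""
UNTUNED = TUNED.replace("kinit_lifetime=5min\n", "")

if __name__ == "__main__":
    for name, text in (("tuned", TUNED), ("untuned", UNTUNED)):
        print(name, check_lifetime(text))
```

Run it against each master after the upgrade, since Comment 2 notes the setting must be applied on every master and followed by an ipactl restart.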