Bug 1512615 - after upgrade ipa-server OS from 7.3 to 7.4 Web UI has no timeout any more
Summary: after upgrade ipa-server OS from 7.3 to 7.4 Web UI has no timeout any more
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-13 16:38 UTC by Silvio Wanka
Modified: 2017-11-16 08:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-14 08:54:14 UTC



Description Silvio Wanka 2017-11-13 16:38:16 UTC
Up to ipa-server 4.4.x it was normal that I had to re-enter my credentials if I had not used the Web UI for some minutes. Now I remain logged on without any limit. Is this the normal behavior now (insecure) or is there a bug?

Comment 2 Florence Blanc-Renaud 2017-11-14 08:54:14 UTC
Hi,

in older versions, the session duration was set with the parameter SessionMaxAge in the file /etc/httpd/conf.d/ipa.conf.

In RHEL 7.4, we introduced privilege separation (https://pagure.io/freeipa/issue/5959) and setting SessionMaxAge could break old clients (ipa-client < 4.5), see issue https://pagure.io/freeipa/issue/7001.

So now, the default session duration is tied to the Kerberos ticket lifetime (default=24h), but can be tuned by setting kinit_lifetime=<duration> in the [global] section of /etc/ipa/default.conf.

For instance to limit the session to 5min, modify /etc/ipa/default.conf on the masters and restart ipa with ipactl stop/ipactl start:

$ cat /etc/ipa/default.conf
[global]
host = master.domain.com
basedn = dc=domain,dc=com
realm = DOMAIN.COM
domain = domain.com
xmlrpc_uri = https://master.domain.com/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
mode = production
kinit_lifetime=5min

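As an added example (not code from the bug report or from FreeIPA), a small Python helper that sets kinit_lifetime in the [global] section of default.conf idempotently and reads it back, so the change described above can be applied consistently on every master; the sample config is constructed from the one in the comment, and the helper assumes the plain "key = value" layout shown there.

```python
KEY = "kinit_lifetime"

SAMPLE_CONF = """[global]
host = master.domain.com
realm = DOMAIN.COM
mode = production
"""  # constructed sample, trimmed from the default.conf in the comment

def _section(line):
    """Section name if line is a '[name]' header, else None."""
    s = line.strip()
    return s[1:-1] if s.startswith("[") and s.endswith("]") else None

def _key_value(line):
    """(key, value) for a 'key = value' line, (None, None) otherwise."""
    key, sep, value = line.partition("=")
    return (key.strip(), value.strip()) if sep else (None, None)

def get_kinit_lifetime(conf_text):
    """kinit_lifetime from [global]; None = unset (ticket lifetime applies)."""
    section = None
    for line in conf_text.splitlines():
        if _section(line) is not None:
            section = _section(line)
            continue
        key, value = _key_value(line)
        if section == "global" and key == KEY:
            return value
    return None

def set_kinit_lifetime(conf_text, lifetime):
    """Replace kinit_lifetime in [global] in place, or append it to [global]."""
    out, section, replaced, insert_at = [], None, False, None
    for line in conf_text.splitlines():
        if _section(line) is not None:
            section = _section(line)
            out.append(line)
        elif section == "global" and _key_value(line)[0] == KEY:
            out.append(f"{KEY} = {lifetime}")   # overwrite existing setting
            replaced = True
        else:
            out.append(line)
        if section == "global" and line.strip():
            insert_at = len(out)               # after last non-blank [global] line
    if not replaced:
        if insert_at is None:                  # no [global] section at all
            out.append("[global]")
            insert_at = len(out)
        out.insert(insert_at, f"{KEY} = {lifetime}")
    return "\n".join(out) + "\n"
```

Write the result back to /etc/ipa/default.conf on each master and restart with ipactl stop/ipactl start as described above; a read-back of None means no limit is configured and the Kerberos ticket lifetime applies to password-login Web UI sessions.
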
Comment 3 Silvio Wanka 2017-11-14 09:16:53 UTC
If I set kinit_lifetime in /etc/ipa/default.conf to 5min as recommended, does this only affect the Web UI or also (as I assume) all other kinds of sessions?

TIA

Comment 4 Florence Blanc-Renaud 2017-11-16 08:24:09 UTC
Hi,

the lifetime set in /etc/ipa/default.conf will affect only sessions to the Web UI that use the /session/login_password method (i.e. when the user provides username and password).

When authentication is done with an already acquired Kerberos ticket (using /session/login_kerberos), the ticket lifetime limits the session duration.

