On Wed, 2012-11-14 at 19:04 +0100, Petr Vobornik wrote:
> This is the Web UI part of #3252 which depends on tbabej's python part which
> will be sent by tbabej later.
>
> When a user from a realm other than FreeIPA's tries to use the Web UI (login via
> forms-based auth or with a valid trusted realm ticket), he gets an
> unauthorized error with X-Ipa-Rejection-Reason=invalid-realm. The Web UI
> responds by showing the login dialog with the following error message:
> 'Invalid realm: Login for users from other realms is not supported.'.
>
> Note: such users are not supported because they don't have a
> corresponding entry in LDAP which is needed for ACLs.
>
> https://fedorahosted.org/freeipa/ticket/3252
I am not sure how you can tell the difference between invalid credentials being returned due to the realm being invalid or because later on we decided to allow only a subset of users from a realm, so the realm is valid but the user just does not have access.

I would be more generic and return something like X-Ipa-Rejection-Reason=denied and issue a generic message: "sorry, you are not allowed to access this service" or similar.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel