On 11/15/2012 11:54 AM, Tomas Babej wrote:
Hi,

This is the server part of #3252.

When a user from a realm other than FreeIPA's tries to use the Web UI
(login via forms-based auth or with a valid trusted realm ticket),
a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.

Also, support for usernames of the form user@SERVER.REALM
or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252

Tomas


+        # allows login in the form user@SERVER_REALM or FIXME:user@server_realm
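
Review bot: The FIXME in this comment does not say what is left to fix or who should fix it. The comparison added a few lines below already upper-cases the typed realm, so the lower-case form appears to be handled; either drop the marker or state the outstanding work in a full sentence.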

The comment may not be clear for other people. I would be more verbose about the FIXME.

+        parts = user.split("@")
+        if len(parts) > 1:
+            if parts[1].upper()==self.api.env.realm:
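
Review bot: `user.split("@")` on the first added line yields three or more parts when the login contains more than one "@", and only `parts[1]` is compared, so anything after a second "@" is silently ignored (for `a@REALM@x` the check passes on `REALM`). Splitting once from the right, e.g. `user.rpartition("@")`, and comparing the final component would make the realm check cover the whole suffix. Style: PEP 8 asks for spaces around `==`.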

I don't think we wanted to do this hard-check of realm. Personally I'm not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented.

+                user=parts[0]
+            else:
+                return self.unauthorized(environ, start_response, '', 'denied')
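
Review bot: `user=parts[0]` accepts an empty local part: a login consisting of "@" followed by the server realm passes the realm check and leaves `user` as an empty string for the code that follows. Rejecting an empty `parts[0]` through the same `self.unauthorized(...)` path would keep that case out of authentication. The `else` branch also passes `''` as the third argument; if that is the message returned to the client, a short explanation there would help whoever has to debug a `denied` response.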

--
Petr Vobornik
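
The behaviour described in the patch summary (accept user@REALM in either case, answer any other realm with 401 and X-Ipa-Rejection-Reason: denied), as an added stand-alone example that is not FreeIPA's code. `split_login`, `login_app`, `post` and the realm `EXAMPLE.TEST` are hypothetical names, and denying empty local parts and extra "@" signs is an assumption of this example.

```python
# Added illustration; split_login, login_app, post and REALM are
# hypothetical names, not taken from FreeIPA.
import io
from urllib.parse import parse_qs

REALM = "EXAMPLE.TEST"  # constructed sample realm


def split_login(user, realm):
    """Return the bare user name, or None if the login must be denied."""
    local, sep, domain = user.rpartition("@")
    if not sep:
        return user or None  # no realm typed: plain user name
    # Deny empty local parts ("@REALM") and leftover "@" ("a@b@REALM").
    if not local or "@" in local:
        return None
    # Compare case-insensitively so that user@EXAMPLE.TEST and
    # user@example.test are both accepted; any other realm is denied.
    if domain.upper() != realm.upper():
        return None
    return local


def login_app(environ, start_response):
    """Minimal WSGI form-login handler showing the 401/denied response."""
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8"))
    user = split_login(form.get("user", [""])[0], REALM)
    if user is None:
        start_response("401 Unauthorized", [
            ("Content-Type", "text/plain"),
            ("X-Ipa-Rejection-Reason", "denied"),
        ])
        return [b"denied\n"]
    # A real server would authenticate `user` at this point.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode("utf-8")]


def post(body):
    """Send a constructed form body to login_app; return (status, headers, body)."""
    seen = {}
    env = {"CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = login_app(env, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"], b"".join(out)
```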
