On 11/15/2012 12:41 PM, Petr Vobornik wrote:
On 11/15/2012 11:54 AM, Tomas Babej wrote:
Hi,

This is server part of #3252.

When a user from a realm other than FreeIPA's tries to use the Web UI
(login via forms-based auth or with a valid trusted realm ticket),
a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.

Also, support for usernames of the form user@SERVER.REALM
or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252

Tomas


+ # allows login in the form user@SERVER_REALM or FIXME:user@server_realm

The comment may not be clear for other people. I would be more verbose about the FIXME.

+        parts = user.split("@")
+        if len(parts) > 1:
+            if parts[1].upper()==self.api.env.realm:

I don't think we wanted to do this hard check of the realm. Personally, I'm not against it because it's better to fail at login than at a subsequent command (which will happen). Anyway, it should be commented.

+                user=parts[0]
+            else:
+ return self.unauthorized(environ, start_response, '', 'denied')

I expanded the comments, please check if you find them appropriate now.

Tomas
From e08691492241399bbe41802b945df0b714e16c00 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 15 Nov 2012 05:21:16 -0500
Subject: [PATCH] Add detection for users from trusted/invalid realms

When a user from a realm other than FreeIPA's tries to use the Web UI
(login via forms-based auth or with a valid trusted realm ticket),
a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.

Also, support for usernames of the form user@SERVER.REALM
or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252
---
 ipaserver/plugins/ldap2.py |  2 ++
 ipaserver/rpcserver.py     | 20 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index bf1a0d3761b90cfa0784363aeaf40686e72c5d49..8e8e1604ff0a3d36fe3501ec6f54abdb717d78ae 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -727,6 +727,8 @@ class ldap2(CrudBackend):
         except _ldap.SERVER_DOWN:
             raise NetworkError(uri=self.ldap_uri,
                                error=u'LDAP Server Down')
+        except _ldap.LOCAL_ERROR:
+            raise errors.ACIError(info=info)
         except _ldap.SUCCESS:
             pass
         except _ldap.LDAPError, e:
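Review bot: `info` in `raise errors.ACIError(info=info)` is not defined anywhere in the visible context of this hunk; confirm it is bound on every path that reaches the `except _ldap.LOCAL_ERROR` branch, otherwise the handler itself fails with a NameError instead of the intended ACIError. LOCAL_ERROR is also a generic client-side failure, so mapping every instance of it to ACIError will report unrelated local problems (not only a ticket from a foreign realm) as an access denial; either narrow the condition or add a comment explaining why this broad mapping is acceptable here.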
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 0856c25cef7904b3913b1666ddcf4965368f368a..d64e6514699c8679aa9e396c7b6b6256977a821f 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -809,7 +809,11 @@ class jsonserver_session(jsonserver, KerberosSession):
         # Store the session data in the per-thread context
         setattr(context, 'session_data', session_data)
 
-        self.create_context(ccache=ipa_ccache_name)
+        # This may fail if a ticket from wrong realm was handled via browser
+        try:
+            self.create_context(ccache=ipa_ccache_name)
+        except ACIError, e:
+            return self.unauthorized(environ, start_response, str(e), 'denied')
 
         try:
             response = super(jsonserver_session, self).__call__(environ, start_response)
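Review bot: `str(e)` is passed straight through as the 401 response body, so whatever detail the ACIError carries (the `info` string raised in ldap2.py) reaches the browser, while the forms-based path in this same patch returns '' for the same condition; log the exception server-side and return the same generic message here so the two paths behave consistently and no internal error text leaks. The hunk also references `ACIError` but shows no corresponding import in rpcserver.py; verify it is already imported in this module.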
@@ -927,6 +931,20 @@ class login_password(Backend, KerberosSession, HTTP_Status):
         else:
             return self.bad_request(environ, start_response, "no user specified")
 
+        # allows login in the form user@SERVER_REALM or user@server_realm
+        # FIXME: uppercasing may be removed when better handling of UPN 
+        #        is introduced
+        parts = user.split("@")
+        if len(parts) > 1:
+            # check whether the realm is server's realm
+            # Users from other realms are not supported
+            # (because they do not have necessary LDAP entry,
+            # LDAP connect will fail)
+            if parts[1].upper()==self.api.env.realm:
+                user=parts[0]
+            else:
+                return self.unauthorized(environ, start_response, '', 'denied')
+
         password = query_dict.get('password', None)
         if password is not None:
             if len(password) == 1:
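Review bot: after stripping the realm, `user=parts[0]` can be the empty string (input `@REALM`), which bypasses the "no user specified" check made just above and continues into the password handling with an empty user name; check that `parts[0]` is non-empty, or perform the split before that check. `user.split("@")` with more than one '@' also silently ignores everything after the second element, so `a@b@REALM` compares `b` against the realm; `user.rsplit('@', 1)` or rejecting `len(parts) > 2` makes the behaviour predictable. Style nits: `user=parts[0]` and `parts[1].upper()==self.api.env.realm` want spaces around the operators, and the FIXME comment line carries trailing whitespace.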
-- 
1.7.11.4
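As an added illustration (not part of this patch or of FreeIPA's code), a standalone Python 3 model of the user@REALM check from the login_password hunk that also handles the edge cases the plain split leaves open: an empty local part and more than one '@'. The realm value is a constructed sample.

```python
# Added example, not FreeIPA code: standalone model of the user@REALM
# check from the login_password hunk, with the edge cases handled.
from typing import NamedTuple, Optional


class LoginDecision(NamedTuple):
    user: Optional[str]    # principal name to continue with, or None
    reason: Optional[str]  # rejection reason when the login is refused


def check_login_user(user: str, server_realm: str) -> LoginDecision:
    """Strip a trailing @REALM that matches the server's realm.

    Mirrors the patch: a realm other than the server's is rejected with
    'denied' because such users have no LDAP entry. Unlike the patch it
    rejects an empty local part ("@REALM") and more than one '@', which
    str.split("@") would otherwise silently pass through.
    """
    if not user:
        return LoginDecision(None, "no user specified")
    parts = user.split("@")
    if len(parts) == 1:
        # plain username without a realm qualifier
        return LoginDecision(user, None)
    if len(parts) > 2:
        # "a@b@c" is ambiguous; refuse it rather than guess the split
        return LoginDecision(None, "denied")
    local, realm = parts
    if not local:
        # "@REALM" would otherwise become the empty user name
        return LoginDecision(None, "no user specified")
    # realm names are compared case-insensitively (user@server.realm)
    if realm.upper() != server_realm.upper():
        return LoginDecision(None, "denied")
    return LoginDecision(local, None)


# Constructed sample realm, not a real deployment value.
SAMPLE_REALM = "EXAMPLE.TEST"

if __name__ == "__main__":
    for name in ("alice", "alice@EXAMPLE.TEST", "alice@example.test",
                 "bob@OTHER.TEST", "@EXAMPLE.TEST", "a@b@EXAMPLE.TEST"):
        print(name, "->", check_login_user(name, SAMPLE_REALM))
```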

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel