On Thu, 2012-11-15 at 20:50 +0100, Tomas Babej wrote:
> On 11/15/2012 04:14 PM, Simo Sorce wrote:
> > On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
> >> On 11/15/2012 03:10 PM, Simo Sorce wrote:
> >>> On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
> >>>> On 11/15/2012 11:54 AM, Tomas Babej wrote:
> >>>>> Hi,
> >>>>>
> >>>>> This is server part of #3252.
> >>>>>
> >>>>> When a user from a realm other than FreeIPA's tries to use the Web UI
> >>>>> (login via forms-based auth or with a valid trusted-realm ticket),
> >>>>> the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
> >>>>> is returned.
> >>>>>
> >>>>> Also, the support for usernames of the form user@SERVER.REALM
> >>>>> or user@server.realm was added.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/3252
> >>>>>
> >>>>> Tomas
> >>>>>
> >>>>> +        # allows login in the form user@SERVER_REALM or 
> >>>>> FIXME:user@server_realm
> >>>> The comment may not be clear for other people. I would be more verbose
> >>>> about the FIXME.
> >>>>
> >>>>> +        parts = user.split("@")
> >>>>> +        if len(parts) > 1:
> >>>>> +            if parts[1].upper()==self.api.env.realm:
> >>>> I don't think we wanted to do this hard-check of realm. Personally I'm
> >>>> not against it because it's better to fail at login than at subsequent
> >>>> command (which will happen). Anyway it should be commented.
> >>>>
> >>>>> +                user=parts[0]
> >>>>> +            else:
> >>>>> +                return self.unauthorized(environ, start_response, '', 
> >>>>> 'denied')
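Review bot: the `if len(parts) > 1:` branch only ever looks at parts[1], so a login name containing more than one '@' has its trailing parts silently discarded and is accepted as parts[0] whenever parts[1] matches the realm; tightening the check to `if len(parts) == 2:` (or splitting with `user.rsplit("@", 1)`) and rejecting anything else with the same `self.unauthorized(..., 'denied')` path keeps the accepted forms user@SERVER.REALM and user@server.realm while refusing ambiguous names. The comparison `parts[1].upper()==self.api.env.realm` also assumes the configured realm is already upper-case; comparing against `self.api.env.realm.upper()` makes that explicit rather than relying on the environment.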
> >>> I think you should really fail only if you get failure connecting to
> >>> LDAP. Because we can easily allow logins by providing a mapping object
> >>> as part of SASL rules, we simply do not do it yet.
> >>>
> >>> Simo.
> >>>
> >> Turns out if a user from a trusted realm logs in using the WebUI form,
> >> he successfully obtains a ticket; however, a ccache is created with
> >> negative expiration time, because the KRB5_CCache classes
> >> use the server's realm in their methods.
> > Uh odd.
> > Well if the problem is deep there, then please open a ticket to fix that
> > problem and let's move on with your current solution.
> >
> > But we need either a ticket or a note somewhere (or maybe even just
> > FIXMEs in your code comments) to make sure we improve this code later to
> > check via LDAP so we do not hit a wall if/when we decide to allow
> > trusted users to log into the ui.
> >
> > Simo.
> The updated patch is attached. Please check if there are any other issues.
> 
> I will open the tickets after further investigation.

Sorry for the delay,
I thought I had ACKed this one already.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
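The login-name handling discussed in this thread, as an added example rather than FreeIPA's own code: a stand-alone normalizer that accepts user, user@SERVER.REALM and user@server.realm for the server realm, rejects any other realm with the X-Ipa-Rejection-Reason value the thread names, and also refuses malformed names with more than one '@' or an empty user part, which the quoted split("@") logic would let through. The function names and the realm values used below are assumptions made for the example.

```python
"""Added example (not FreeIPA code): normalize a Web UI login name of the
form user@REALM against the server realm, as described in the thread."""
from typing import Optional, Tuple

# Value carried in the X-Ipa-Rejection-Reason header when a user from a
# realm the server does not serve is rejected (name taken from the thread).
REASON_DENIED = "denied"


def normalize_login(user: str, server_realm: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (name, None) when the login belongs to the server realm, or
    (None, reason) when it must be rejected.

    Accepted: 'user', 'user@SERVER.REALM', 'user@server.realm' (the realm
    comparison is case-insensitive on both sides).
    Rejected with 'denied': a different realm, an empty user part, or a
    name with more than one '@' (instead of silently dropping the extra
    parts, as a bare split("@") followed by parts[0] would).
    """
    parts = user.split("@")
    if len(parts) > 2 or not parts[0]:
        return None, REASON_DENIED
    if len(parts) == 2 and parts[1].upper() != server_realm.upper():
        return None, REASON_DENIED
    return parts[0], None


def rejection_headers(user: str, server_realm: str) -> dict:
    """Headers to attach to the 401 response for a rejected login name;
    an empty dict means the name is acceptable for this realm."""
    name, reason = normalize_login(user, server_realm)
    if name is None:
        return {"X-Ipa-Rejection-Reason": reason}
    return {}


if __name__ == "__main__":
    # Constructed sample names; EXAMPLE.COM stands in for the server realm.
    for login in ("alice", "alice@EXAMPLE.COM", "alice@example.com",
                  "bob@AD.EXAMPLE.COM", "x@EXAMPLE.COM@EXAMPLE.COM", "@EXAMPLE.COM"):
        print(login, "->", normalize_login(login, "EXAMPLE.COM"))
```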

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
