Simo Sorce wrote:
On Thu, 2012-11-15 at 20:50 +0100, Tomas Babej wrote:
On 11/15/2012 04:14 PM, Simo Sorce wrote:
On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
On 11/15/2012 03:10 PM, Simo Sorce wrote:
On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
On 11/15/2012 11:54 AM, Tomas Babej wrote:
Hi,

This is server part of #3252.

When a user from a realm other than FreeIPA's tries to use the Web UI
(login via forms-based auth or with a valid trusted realm ticket),
a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.

Also, support for usernames of the form user@SERVER.REALM
or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252

Tomas

+        # allows login in the form user@SERVER_REALM or FIXME:user@server_realm
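Review bot: the FIXME is embedded mid-sentence and does not say what remains to be fixed; since the comparison `parts[1].upper()==self.api.env.realm` already accepts the lower-case `user@server_realm` form, either drop the FIXME or state the actual open item (that a realm other than the server's is rejected outright instead of being looked up via LDAP).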
The comment may not be clear for other people. I would be more verbose
about the FIXME.

+        parts = user.split("@")
+        if len(parts) > 1:
+            if parts[1].upper()==self.api.env.realm:
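Review bot: `user.split("@")` has no maxsplit, so `len(parts) > 1` also admits values containing several `@`; only `parts[1]` is compared against the realm and any further parts are silently dropped before `user=parts[0]` is used. Either reject `len(parts) != 2` explicitly or use `user.rsplit("@", 1)` so the realm is always the last component. PEP 8 also wants spaces around `==`.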
I don't think we wanted to do this hard-check of realm. Personally I am
not against it because it's better to fail at login than at a subsequent
command (which will happen). Anyway it should be commented.

+                user=parts[0]
+            else:
+                return self.unauthorized(environ, start_response, '', 'denied')
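Review bot: the `else` branch turns a realm mismatch into a hard `'denied'` rejection with no comment explaining why; if the check stays, a FIXME on this branch should record that it is a temporary measure to be replaced by an LDAP lookup (SASL mapping) before trusted-realm users are allowed into the UI. Minor: `user=parts[0]` should read `user = parts[0]`.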
I think you should really fail only if you get a failure connecting to
LDAP. Because we can easily allow logins by providing a mapping object
as part of SASL rules, we simply do not do it yet.

Simo.

Turns out if a user from a trusted realm logs in using the WebUI form,
he successfully obtains a ticket; however, a ccache is created with a
negative expiration time, because the KRB5_CCache classes
use the server's realm in their methods.
Uh odd.
Well if the problem is deep there, then please open a ticket to fix that
problem and let's move on with your current solution.

But we need either a ticket or a note somewhere (or maybe even just
FIXMEs in your code comments) to make sure we improve this code later to
check via LDAP so we do not hit a wall if/when we decide to allow
trusted users to log into the ui.

Simo.
The updated patch is attached. Please check if there are any other issues.

I will open the tickets after further investigation.

Sorry for the delay,
I thought I had ACKed this one already.

Simo.


pushed to master and ipa-3-0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel