Re: [Freeipa-devel] [PATCH] 226 Better error message for login of users from other realms
On 11/20/2012 07:11 AM, Endi Sukma Dewata wrote:
> On 11/15/2012 5:28 AM, Petr Vobornik wrote:
>> Changed. Updated patch attached.
>
> ACK.

Pushed to master, ipa-3-0.

> Just a minor thing, the errors object probably can be created outside of
> show_login_error_message() since it contains only fixed messages.

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 226 Better error message for login of users from other realms
On 11/15/2012 5:28 AM, Petr Vobornik wrote:
> Changed. Updated patch attached.

ACK.

Just a minor thing, the errors object probably can be created outside of
show_login_error_message() since it contains only fixed messages.

--
Endi S. Dewata

Re: [Freeipa-devel] [PATCH] 226 Better error message for login of users from other realms
On Wed, 2012-11-14 at 19:04 +0100, Petr Vobornik wrote:
> This is Web UI part of #3252 which depends on tbabej's python part which
> will be sent by tbabej later.
>
> When user from other realm than FreeIPA's tries to use Web UI (login via
> forms-based auth or with valid trusted realm ticket), he gets an
> unauthorized error with X-Ipa-Rejection-Reason=invalid-realm. Web UI
> responds with showing login dialog with following error message: 'Invalid
> realm: Login for users from other realms is not supported.'.
>
> Note: such users are not supported because they don't have a corresponding
> entry in LDAP which is needed for ACLs.
>
> https://fedorahosted.org/freeipa/ticket/3252

I am not sure how you can tell the difference between invalid credentials
being returned due to the realm being invalid or because later on we decided
to allow only a subset of users from a realm and so the realm is valid but
the user just does not have access.

I would be more generic and return something like
X-Ipa-Rejection-Reason=denied and issue a generic message: sorry you are not
allowed to access this service or similar.

Simo.

--
Simo Sorce * Red Hat, Inc * New York