[Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

Rob Crittenden rcritten at redhat.com
Thu Dec 6 15:48:54 UTC 2012


Simo Sorce wrote:
> On Thu, 2012-11-15 at 20:50 +0100, Tomas Babej wrote:
>> On 11/15/2012 04:14 PM, Simo Sorce wrote:
>>> On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
>>>> On 11/15/2012 03:10 PM, Simo Sorce wrote:
>>>>> On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
>>>>>> On 11/15/2012 11:54 AM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> This is server part of #3252.
>>>>>>>
>>>>>>> When a user from a realm other than FreeIPA's tries to use the Web UI
>>>>>>> (login via forms-based auth or with a valid trusted-realm ticket),
>>>>>>> a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
>>>>>>> is returned.
>>>>>>>
>>>>>>> Also, support for usernames of the form user at SERVER.REALM
>>>>>>> or user at server.realm was added.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3252
>>>>>>>
>>>>>>> Tomas
>>>>>>>
>>>>>>> +        # allows login in the form user at SERVER_REALM or FIXME:user at server_realm
>>>>>> The comment may not be clear for other people. I would be more verbose
>>>>>> about the FIXME.
>>>>>>
>>>>>>> +        parts = user.split("@")
>>>>>>> +        if len(parts) > 1:
>>>>>>> +            if parts[1].upper()==self.api.env.realm:
>>>>>> I don't think we wanted to do this hard-check of realm. Personally I'm
>>>>>> not against it because it's better to fail at login than at a subsequent
>>>>>> command (which will happen). Anyway it should be commented.
>>>>>>
>>>>>>> +                user=parts[0]
>>>>>>> +            else:
>>>>>>> +                return self.unauthorized(environ, start_response, '', 'denied')
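Review bot: `user.split("@")` keeps only the text between the first and second `@` in `parts[1]`, so a name with more than one `@` passes the `len(parts) > 1` test while `parts[1]` is not the trailing realm; `user.rsplit("@", 1)` (or rejecting names with several `@`) would make the realm comparison operate on the intended part. The `else` branch also hard-fails every non-local realm instead of falling through to the LDAP check, which is the concern raised in the reply below; the FIXME in the comment should say explicitly that the trusted-realm case is meant to be handled via LDAP later.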
>>>>> I think you should really fail only if you get failure connecting to
>>>>> LDAP. Because we can easily allow logins by providing a mapping object
>>>>> as part of SASL rules, we simply do not do it yet.
>>>>>
>>>>> Simo.
>>>>>
>>>> Turns out that if a user from a trusted realm logs in using the WebUI form,
>>>> he successfully obtains a ticket; however, a ccache is created with a
>>>> negative expiration time, because the KRB5_CCache classes
>>>> use the server's realm in their methods.
>>> Uh odd.
>>> Well if the problem is deep there, then please open a ticket to fix that
>>> problem and let's move on with your current solution.
>>>
>>> But we need either a ticket or a note somewhere (or maybe even just
>>> FIXMEs in your code comments) to make sure we improve this code later to
>>> check via LDAP so we do not hit a wall if/when we decide to allow
>>> trusted users to log into the ui.
>>>
>>> Simo.
>> The updated patch is attached. Please check if there are any other issues.
>>
>> I will open the tickets after further investigation.
>
> Sorry for the delay,
> I thought I had ACKed this one already.
>
> Simo.
>

pushed to master and ipa-3-0
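The login-name handling discussed in the thread, as an added example that is not FreeIPA's own code: it strips a local-realm suffix case-insensitively, keeps everything before the last `@` as the principal name, and maps a foreign (trusted) realm or an empty principal to the 401 response with `X-Ipa-Rejection-Reason: denied`. The function and header names are assumptions; the realm values in the comments are constructed.

```python
# Added example, not FreeIPA code. Models the Web UI form-login decision
# described in the thread: user@LOCAL_REALM is accepted as "user", any
# other realm is rejected with 401 and X-Ipa-Rejection-Reason: denied.
from typing import List, Optional, Tuple

def split_login_name(user: str) -> Tuple[str, Optional[str]]:
    """Return (principal_name, realm) for 'user' or 'user@realm'.

    rsplit on the last '@' so a name containing several '@' is compared
    on its trailing realm part; 'user@' yields an empty realm ''.
    """
    if "@" not in user:
        return user, None
    name, realm = user.rsplit("@", 1)
    return name, realm

def resolve_login(user: str, local_realm: str) -> Tuple[Optional[str], Optional[str]]:
    """Map a submitted login name to (username, rejection_reason).

    - 'admin'                  -> ('admin', None)
    - 'admin@example.test'     -> ('admin', None)   realm compared case-insensitively
    - 'bob@AD.TRUSTED'         -> (None, 'denied')  foreign/trusted realm
    - '' or '@EXAMPLE.TEST'    -> (None, 'denied')  no usable principal name
    FIXME (as in the thread): a trusted realm should be checked via LDAP
    rather than hard-failing here.
    """
    name, realm = split_login_name(user)
    if not name:
        return None, "denied"
    if realm is None or realm.upper() == local_realm.upper():
        return name, None
    return None, "denied"

def rejection_response(reason: str) -> Tuple[str, List[Tuple[str, str]]]:
    """WSGI-style status and headers for a rejected form login."""
    return "401 Unauthorized", [("X-Ipa-Rejection-Reason", reason),
                                ("Content-Type", "text/plain")]

if __name__ == "__main__":
    for candidate in ("admin", "admin@example.test", "bob@AD.TRUSTED", "@EXAMPLE.TEST"):
        user, reason = resolve_login(candidate, "EXAMPLE.TEST")
        print(candidate, "->", user if reason is None else rejection_response(reason))
```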
