[Freeipa-devel] [PATCH] 226 Better error message for login of users from other realms
Simo Sorce
simo at redhat.com
Wed Nov 14 18:15:57 UTC 2012
On Wed, 2012-11-14 at 19:04 +0100, Petr Vobornik wrote:
> This is the Web UI part of #3252, which depends on tbabej's python part, which
> will be sent by tbabej later.
>
> When a user from a realm other than FreeIPA's tries to use the Web UI (login via
> forms-based auth or with a valid trusted realm ticket), he gets an
> unauthorized error with X-Ipa-Rejection-Reason=invalid-realm. The Web UI
> responds by showing the login dialog with the following error message:
> 'Invalid realm: Login for users from other realms is not supported.'.
>
> Note: such users are not supported because they don't have a
> corresponding entry in LDAP which is needed for ACLs.
>
> https://fedorahosted.org/freeipa/ticket/3252
I am not sure how you can tell the difference between invalid
credentials being returned due to the realm being invalid, or because
later on we decided to allow only a subset of users from a realm, so
the realm is valid but the user just does not have access.
I would be more generic and return something like
X-Ipa-Rejection-Reason=denied and issue a generic message: "sorry you
are not allowed to access this service" or similar.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
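As an added illustration of the client-side handling discussed in this thread (example code, not FreeIPA's Web UI code), the snippet below maps the X-Ipa-Rejection-Reason header of a 401 response to the message shown in the login dialog. The header name and the value "invalid-realm" come from Petr's description; "denied" is the generic value Simo proposes. The response objects, the fallback message and the helper names are constructed for the example. Any value the client does not recognise falls back to a generic message, so the dialog never echoes server state it was not written to explain.

```javascript
// Added example, not FreeIPA's own code: turn a login rejection into the
// text shown in the Web UI login dialog.
//
// Header name X-Ipa-Rejection-Reason and value "invalid-realm" come from the
// thread; "denied" is the generic value proposed in the reply. Everything else
// (fallback text, helper names, sample responses) is constructed here.

// Header value -> message shown in the login dialog.
const REJECTION_MESSAGES = {
  'invalid-realm': 'Invalid realm: Login for users from other realms is not supported.',
  'denied': 'Sorry, you are not allowed to access this service.',
};

// Shown whenever the server gives no reason, or one this client does not know.
const GENERIC_MESSAGE = 'Login failed. Please try again or contact your administrator.';

// Case-insensitive header lookup: HTTP header names are case-insensitive and
// proxies may normalise them, so "x-ipa-rejection-reason" must match too.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// Decide what the login dialog should say for a given response.
// `response` is a plain { status, headers } object, constructed for the
// example in place of the XMLHttpRequest the real UI receives.
function loginErrorMessage(response) {
  if (response.status !== 401) {
    return null; // not an authentication rejection; the caller handles it
  }
  const reason = getHeader(response.headers, 'X-Ipa-Rejection-Reason');
  if (reason === null) return GENERIC_MESSAGE;
  // Normalise so "Invalid-Realm" is treated the same as "invalid-realm".
  const key = String(reason).trim().toLowerCase();
  return Object.prototype.hasOwnProperty.call(REJECTION_MESSAGES, key)
    ? REJECTION_MESSAGES[key]
    : GENERIC_MESSAGE;
}

// Constructed sample responses covering the cases the client must handle.
const SAMPLE_RESPONSES = {
  otherRealm: { status: 401, headers: { 'X-Ipa-Rejection-Reason': 'invalid-realm' } },
  denied:     { status: 401, headers: { 'x-ipa-rejection-reason': 'denied' } },
  unknown:    { status: 401, headers: { 'X-Ipa-Rejection-Reason': 'something-new' } },
  noHeader:   { status: 401, headers: {} },
  ok:         { status: 200, headers: {} },
};

for (const [name, resp] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(`${name}: ${loginErrorMessage(resp)}`);
}
```

The unknown-value branch is what makes the two designs in the thread compatible: a server that starts sending "denied" instead of "invalid-realm" (or a new value for a future policy) still produces a sensible dialog on an older client, and the specific message appears only for reasons the client was deliberately taught to show.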