[Freeipa-devel] [PATCH] 226 Better error message for login of users from other realms

Petr Vobornik pvoborni at redhat.com
Thu Nov 15 11:28:23 UTC 2012


On 11/14/2012 07:15 PM, Simo Sorce wrote:
> On Wed, 2012-11-14 at 19:04 +0100, Petr Vobornik wrote:
>> This is the Web UI part of #3252, which depends on tbabej's python part, which
>> will be sent by tbabej later.
>>
>> When a user from a realm other than FreeIPA's tries to use the Web UI (login via
>> forms-based auth or with a valid trusted realm ticket), he gets an
>> unauthorized error with X-Ipa-Rejection-Reason=invalid-realm. The Web UI
>> responds by showing the login dialog with the following error message:
>> 'Invalid realm: Login for users from other realms is not supported.'.
>>
>> Note: such users are not supported because they don't have a
>> corresponding entry in LDAP which is needed for ACLs.
>>
>> https://fedorahosted.org/freeipa/ticket/3252
>
> I am not sure how you can tell the difference between invalid
> credentials being returned due to the realm being invalid or because
> later on we decided to allow only a subset of users from a realm and so
> the realm is valid but the user just does not have access.
>
> I would be more generic and return something like
> X-Ipa-Rejection-Reason=denied and issue a generic message: "sorry you
> are not allowed to access this service" or similar.
>
> Simo.
>
Changed. Updated patch attached.
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0226-1-Better-error-message-for-login-of-users-from-other-r.patch
Type: text/x-patch
Size: 5271 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121115/75d5b4eb/attachment.bin>

