[Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

Petr Vobornik pvoborni at redhat.com
Thu Nov 15 11:41:40 UTC 2012


On 11/15/2012 11:54 AM, Tomas Babej wrote:
> Hi,
>
> This is server part of #3252.
>
> When a user from a realm other than FreeIPA's tries to use the Web UI
> (login via forms-based auth or with a valid trusted-realm ticket),
> a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
> is returned.
>
> Also, support for usernames of the form user at SERVER.REALM
> or user at server.realm was added.
>
> https://fedorahosted.org/freeipa/ticket/3252
>
> Tomas
>

> +        # allows login in the form user at SERVER_REALM or FIXME:user at server_realm

The comment may not be clear for other people. I would be more verbose 
about the FIXME.

> +        parts = user.split("@")
> +        if len(parts) > 1:
> +            if parts[1].upper()==self.api.env.realm:

I don't think we wanted to do this hard-check of realm. Personally I'm 
not against it because it's better to fail at login than at a subsequent 
command (which will happen). Anyway it should be commented.

> +                user=parts[0]
> +            else:
> +                return self.unauthorized(environ, start_response, '', 'denied')
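Review bot: the `len(parts) > 1` check after `parts = user.split("@")` only ever compares `parts[1]`, so a value such as `alice@EXAMPLE.COM@junk` matches the realm and the trailing segment is silently discarded, and `@EXAMPLE.COM` gets through with `user` set to the empty string. Splitting once from the right (`user.rsplit("@", 1)`), requiring exactly two non-empty parts and taking the `'denied'` branch otherwise would make what is accepted match the comment above it. Style: `user=parts[0]` and `parts[1].upper()==self.api.env.realm` need spaces around `=` and `==` per PEP 8.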

-- 
Petr Vobornik
