[Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

Tomas Babej tbabej at redhat.com
Thu Nov 15 14:51:21 UTC 2012


On 11/15/2012 03:10 PM, Simo Sorce wrote:
> On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
>> On 11/15/2012 11:54 AM, Tomas Babej wrote:
>>> Hi,
>>>
>>> This is server part of #3252.
>>>
>>> When a user from a realm other than FreeIPA's tries to use the Web UI
>>> (login via forms-based auth or with a valid trusted-realm ticket),
>>> a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
>>> is returned.
>>>
>>> Also, support for usernames of the form user@SERVER.REALM
>>> or user@server.realm was added.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3252
>>>
>>> Tomas
>>>
>>> +        # allows login in the form user at SERVER_REALM or FIXME:user at server_realm
>> The comment may not be clear for other people. I would be more verbose
>> about the FIXME.
>>
>>> +        parts = user.split("@")
>>> +        if len(parts) > 1:
>>> +            if parts[1].upper()==self.api.env.realm:
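Review bot: `user.split("@")` followed by `len(parts) > 1` takes `parts[1]` as the realm, i.e. the text between the first two '@' characters, so a name such as `a@b@REALM` is compared against `b` and rejected even when the realm after the last '@' is the local one; split on the last '@' (`parts = user.rsplit("@", 1)`) and require exactly two parts. The comparison `parts[1].upper()==self.api.env.realm` also only uppercases one side, so it silently depends on `api.env.realm` already being stored in upper case; uppercasing both sides makes the check independent of that.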
>> I don't think we wanted to do this hard check of the realm. Personally I'm
>> not against it, because it's better to fail at login than at a subsequent
>> command (which will happen). Anyway, it should be commented.
>>
>>> +                user=parts[0]
>>> +            else:
>>> +                return self.unauthorized(environ, start_response, '', 'denied')
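Review bot: the `else` branch returns `self.unauthorized(environ, start_response, '', 'denied')` purely from the realm string, before any LDAP bind or ticket validation, so a user from a trusted realm holding a valid ticket is turned away up front; if that hard check is intentional, the comment at the top of the block should say why non-local realms are denied here instead of on the first LDAP failure. Minor: `user=parts[0]` is missing the spaces around `=` (PEP 8).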
> I think you should really fail only if you get failure connecting to
> LDAP. Because we can easily allow logins by providing a mapping object
> as part of SASL rules, we simply do not do it yet.
>
> Simo.
>
Turns out if a user from a trusted realm logs in using the WebUI form,
he successfully obtains a ticket; however, a ccache is created with a
negative expiration time, because the KRB5_CCache classes
use the server's realm in their methods.

Tomas
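The realm handling debated in this thread, written out as an added example that is not FreeIPA's code or the patch under review: the login name is split on the last unescaped '@' (rather than `str.split("@")`, which breaks on names containing more than one '@'), realms are compared case-insensitively, and the result is classified as local, trusted or invalid before the Web UI decides whether to answer 401 with `X-Ipa-Rejection-Reason=denied`. The realm `EXAMPLE.TEST`, the trusted realm `AD.EXAMPLE.TEST` and the function names are assumptions made for the example; the project's own value would be `api.env.realm`.

```python
"""Added example (not FreeIPA code): classify a Web UI login name by realm.

LOCAL_REALM stands in for api.env.realm; TRUSTED_REALMS is a constructed
set of realms assumed to be reachable through a trust.  Both are assumptions
for this example, not values taken from the project.
"""

LOCAL_REALM = "EXAMPLE.TEST"
TRUSTED_REALMS = {"AD.EXAMPLE.TEST"}


def split_principal(name):
    """Return (user, realm) for 'user', 'user@REALM' or 'us\\@er@REALM'.

    The realm is whatever follows the LAST '@' that is not escaped with a
    backslash; a name without an unescaped '@' yields realm None.
    """
    end = len(name)
    while True:
        idx = name.rfind("@", 0, end)
        if idx < 0:
            return name, None
        if idx == 0 or name[idx - 1] != "\\":
            return name[:idx], name[idx + 1:]
        # '\@' is part of the user component; keep looking further left.
        end = idx


def classify_login(name, local_realm=LOCAL_REALM, trusted_realms=TRUSTED_REALMS):
    """Return (user, kind) with kind in {'local', 'trusted', 'invalid'}.

    Realm comparison is case-insensitive on BOTH sides, so the result does
    not depend on how the configured realm happens to be capitalised.
    """
    user, realm = split_principal(name)
    if not user:
        return user, "invalid"          # '@REALM' or empty login name
    if realm is None:
        return user, "local"            # bare user name: implicitly local
    realm_uc = realm.upper()
    if realm_uc == local_realm.upper():
        return user, "local"
    if realm_uc in {r.upper() for r in trusted_realms}:
        return user, "trusted"
    return user, "invalid"


def webui_response(name):
    """Mimic the decision from the thread: only local-realm users proceed.

    Returns (status, extra_headers, user).  Trusted-realm and unknown-realm
    logins both get 401 with X-Ipa-Rejection-Reason=denied, which is the
    behaviour the patch introduces for the Web UI.
    """
    user, kind = classify_login(name)
    if kind == "local":
        return 200, {}, user
    return 401, {"X-Ipa-Rejection-Reason": "denied"}, None


if __name__ == "__main__":
    # Constructed sample logins covering each branch.
    for login in ("admin", "admin@example.test", "bob@AD.EXAMPLE.TEST",
                  "eve@OTHER.TEST", "a\\@b@EXAMPLE.TEST", "@EXAMPLE.TEST"):
        print("%-22s -> %s" % (login, webui_response(login)))
```

Note that `split_principal` deliberately leaves the backslash in the returned user component (`a\@b`); unescaping is the job of whatever later maps the name to an LDAP entry or a Kerberos principal.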