Hi, this is the server part of #3252.
When a user from a realm other than FreeIPA's tries to use the Web UI (logging in via forms-based auth, or with a valid ticket from a trusted realm), a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Support for usernames of the form user@SERVER.REALM or user@server.realm was also added. https://fedorahosted.org/freeipa/ticket/3252 Tomas
>From c7d1f0208be8a577bf4b6f5ea274829dcfdfbdf1 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 15 Nov 2012 05:21:16 -0500
Subject: [PATCH] Add detection for users from trusted/invalid realms

When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252
---
 ipaserver/plugins/ldap2.py | 2 ++
 ipaserver/rpcserver.py | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index bf1a0d3761b90cfa0784363aeaf40686e72c5d49..8e8e1604ff0a3d36fe3501ec6f54abdb717d78ae 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -727,6 +727,8 @@ class ldap2(CrudBackend):
         except _ldap.SERVER_DOWN:
             raise NetworkError(uri=self.ldap_uri,
                                error=u'LDAP Server Down')
+        except _ldap.LOCAL_ERROR:
+            raise errors.ACIError(info=info)
         except _ldap.SUCCESS:
             pass
         except _ldap.LDAPError, e:
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 0856c25cef7904b3913b1666ddcf4965368f368a..0b8b8c312239782acf30a7b8a7597012eb615cf4 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -809,7 +809,11 @@ class jsonserver_session(jsonserver, KerberosSession):
         # Store the session data in the per-thread context
         setattr(context, 'session_data', session_data)
 
-        self.create_context(ccache=ipa_ccache_name)
+        # This may fail if a ticket from wrong realm was handled via browser
+        try:
+            self.create_context(ccache=ipa_ccache_name)
+        except ACIError, e:
+            return self.unauthorized(environ, start_response, str(e), 'denied')
 
         try:
             response = super(jsonserver_session, self).__call__(environ, start_response)
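Review bot: `info` in the new `raise errors.ACIError(info=info)` is not bound anywhere in this clause — the added `except _ldap.LOCAL_ERROR:` has no `, e` target — so unless the enclosing method assigns `info` earlier, a wrong-realm bind will raise NameError out of the except chain instead of the ACIError the rpcserver side is written to catch. Bind the exception and take the text from it, `except _ldap.LOCAL_ERROR, e:` / `raise errors.ACIError(info=e.args[0].get('info', ''))`, on the assumption (to confirm against the `LDAPError` handler that follows the hunk) that python-ldap packs its description dict in `e.args[0]`. Note also that LOCAL_ERROR covers every GSSAPI local failure (no credential cache, expired TGT), not only the foreign-realm ticket the commit targets, so every one of them now reads as "insufficient access"; a comment on the clause saying so, `# GSSAPI local error (e.g. TGT from a foreign realm): surface as access denied`, would keep the next reader from narrowing it back. The enclosing method starts before and continues after the hunk.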
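Review bot: The new `return self.unauthorized(environ, start_response, str(e), 'denied')` hands the exception text to a client that has just failed authentication; for an ACIError raised from the LDAP bind that text is the GSSAPI/LDAP `info` string (realm names, mechanism details), which belongs in the server log, not in a 401 body, if `unauthorized()` renders its error_message argument as it appears to. Log the detail and send a fixed message instead: `self.error('create_context failed: %s', e)` (or whatever logger this Backend exposes) followed by `return self.unauthorized(environ, start_response, 'access denied', 'denied')`. The early return also skips whatever cleanup follows the `try:` at the end of the hunk — `session_data` was just attached to the thread-local `context` two lines above and is left there on this path — so if `destroy_context()` runs in a `finally` below, it should run here too. `ACIError` must additionally be importable in rpcserver.py; the hunk does not touch the module's imports. `__call__` starts before and continues after the hunk.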
@@ -927,6 +931,14 @@ class login_password(Backend, KerberosSession, HTTP_Status):
         else:
             return self.bad_request(environ, start_response, "no user specified")
 
+        # allows login in the form user@SERVER_REALM or FIXME:user@server_realm
+        parts = user.split("@")
+        if len(parts) > 1:
+            if parts[1].upper()==self.api.env.realm:
+                user=parts[0]
+            else:
+                return self.unauthorized(environ, start_response, '', 'denied')
+
         password = query_dict.get('password', None)
         if password is not None:
             if len(password) == 1:
-- 
1.7.11.4
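Review bot: `user.split("@")` followed by a check of `parts[1]` alone silently accepts and truncates a login name containing more than one '@' — `admin@IPA.EXAMPLE@anything` is rewritten to `admin` — and a bare `@IPA.EXAMPLE` passes the realm test and continues with an empty user, having already slipped past the "no user specified" check just above the added block. The username is untrusted form input, so split it exactly once with `partition`, deny anything that is not our realm, and reject an empty local part; the case-insensitive realm compare can stay, which also settles the FIXME in the added comment. The enclosing `__call__` continues after the hunk.

```python
        # Accept user@REALM (realm compared case-insensitively against ours);
        # anything else after '@' is a foreign realm and is denied.
        user, sep, domain = user.partition('@')
        if sep:
            if domain.upper() != self.api.env.realm:
                return self.unauthorized(environ, start_response, '', 'denied')
            if not user:
                return self.bad_request(environ, start_response, "no user specified")
        # … unchanged: password extraction …
```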