On Thu, 15 Nov 2012, Tomas Babej wrote:
From e08691492241399bbe41802b945df0b714e16c00 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 15 Nov 2012 05:21:16 -0500
Subject: [PATCH] Add detection for users from trusted/invalid realms
When user from other realm than FreeIPA's tries to use Web UI
(login via forms-based auth or with valid trusted realm ticket),
the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.
Also, the support for usernames of the form user@SERVER.REALM
or user@server.realm was added.
https://fedorahosted.org/freeipa/ticket/3252
---
ipaserver/plugins/ldap2.py | 2 ++
ipaserver/rpcserver.py | 20 +++++++++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index
bf1a0d3761b90cfa0784363aeaf40686e72c5d49..8e8e1604ff0a3d36fe3501ec6f54abdb717d78ae
100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -727,6 +727,8 @@ class ldap2(CrudBackend):
except _ldap.SERVER_DOWN:
raise NetworkError(uri=self.ldap_uri,
error=u'LDAP Server Down')
+ except _ldap.LOCAL_ERROR:
+ raise errors.ACIError(info=info)
except _ldap.SUCCESS:
pass
except _ldap.LDAPError, e:
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index
0856c25cef7904b3913b1666ddcf4965368f368a..d64e6514699c8679aa9e396c7b6b6256977a821f
100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -809,7 +809,11 @@ class jsonserver_session(jsonserver, KerberosSession):
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
- self.create_context(ccache=ipa_ccache_name)
+ # This may fail if a ticket from wrong realm was handled via browser
+ try:
+ self.create_context(ccache=ipa_ccache_name)
+ except ACIError, e:
+ return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session, self).__call__(environ,
start_response)
@@ -927,6 +931,20 @@ class login_password(Backend, KerberosSession,
HTTP_Status):
else:
return self.bad_request(environ, start_response, "no user
specified")
+ # allows login in the form user@SERVER_REALM or user@server_realm
+ # FIXME: uppercasing may be removed when better handling of UPN
+ # is introduced
+ parts = user.split("@")
+ if len(parts) > 1:
+ # check whether the realm is server's realm
+ # Users from other realms are not supported
+ # (because they do not have necessary LDAP entry,
+ # LDAP connect will fail)
+ if parts[1].upper()==self.api.env.realm:
+ user=parts[0]
+ else:
+ return self.unauthorized(environ, start_response, '', 'denied')
+
Can we also block NetBIOS\user logins?
See ipaserver.dcerpc.DomainValidator's normalize_name() method, it
handles both variants and returns a dict. You cannot use it
unconditionally, though, since it is only available if
freeipa-server-trust-ad package is installed.
We can move this method to some common place since it does not require
trusts per se and then re-use it in several places.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
