On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
> On 11/15/2012 11:54 AM, Tomas Babej wrote:
> > Hi,
> >
> > This is the server part of #3252.
> >
> > When a user from a realm other than FreeIPA's tries to use the Web UI
> > (login via forms-based auth or with a valid trusted realm ticket),
> > the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
> > is returned.
> >
> > Also, support for usernames of the form user@SERVER.REALM
> > or user@server.realm was added.
> >
> > https://fedorahosted.org/freeipa/ticket/3252
> >
> > Tomas
> >
>
> > + # allows login in the form user@SERVER_REALM or
> > FIXME:user@server_realm
>
> The comment may not be clear to other people. I would be more verbose
> about the FIXME.
>
> > + parts = user.split("@")
> > + if len(parts) > 1:
> > + if parts[1].upper()==self.api.env.realm:
>
> I don't think we wanted to do this hard check of the realm. Personally I'm
> not against it because it's better to fail at login than at a subsequent
> command (which will happen). Anyway, it should be commented.
>
> > + user=parts[0]
> > + else:
> > + return self.unauthorized(environ, start_response, '',
> > 'denied')
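Review bot: the `else` branch returns `self.unauthorized(..., 'denied')` for every username that contains an '@' and whose first realm part does not equal `self.api.env.realm`, and because `user.split("@")` is unbounded, `parts[1]` only inspects the text between the first and second '@', so a value with more than one '@' is compared on the wrong fragment and then silently truncated to `parts[0]`. Suggest `parts = user.rsplit("@", 1)` plus an explicit `len(parts) != 2` rejection, and a comment on the `else` branch stating that non-local realms are refused here rather than at the later LDAP bind, so the choice discussed in this thread is visible to the next reader.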
I think you should really fail only if you get a failure connecting to LDAP. Because we can easily allow logins by providing a mapping object as part of the SASL rules, we simply do not do it yet.

Simo.

--
Simo Sorce * Red Hat, Inc * New York