On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
> On 11/15/2012 03:10 PM, Simo Sorce wrote:
> > On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
> >> On 11/15/2012 11:54 AM, Tomas Babej wrote:
> >>> Hi,
> >>>
> >>> This is server part of #3252.
> >>>
> >>> When user from other realm than FreeIPA's tries to use Web UI
> >>> (login via forms-based auth or with valid trusted realm ticket),
> >>> the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
> >>> is returned.
> >>>
> >>> Also, the support for usernames of the form user@SERVER.REALM
> >>> or user@server.realm was added.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/3252
> >>>
> >>> Tomas
> >>>
> >>> + # allows login in the form user@SERVER_REALM or
> >>> FIXME:user@server_realm
> >> The comment may not be clear for other people. I would be more verbose
> >> about the FIXME.
> >>
> >>> + parts = user.split("@")
> >>> + if len(parts) > 1:
> >>> + if parts[1].upper()==self.api.env.realm:
> >> I don't think we wanted to do this hard-check of realm. Personally I'm
> >> not against it because it's better to fail at login than at subsequent
> >> command (which will happen). Anyway it should be commented.
> >>
> >>> + user=parts[0]
> >>> + else:
> >>> + return self.unauthorized(environ, start_response, '',
> >>> 'denied')
> > I think you should really fail only if you get failure connecting to
> > LDAP. Because we can easily allow logins by providing a mapping object
> > as part of SASL rules, we simply do not do it yet.
> >
> > Simo.
>
> Turns out if user from trusted realm logs in using WebUI form,
> he successfully obtains a ticket, however, a ccache is created with
> negative expiration time, because KRB5_CCache classes
> use server's realm in its methods.
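Review bot: the `user.split("@")` / `len(parts) > 1` / `parts[1]` check only looks at the text between the first and second `@`, so a name like `foo@SERVER.REALM@bar` passes the realm comparison and is silently accepted as `foo`, and `@SERVER.REALM` passes with an empty local part. Split once from the right instead (for example `name, sep, realm = user.rpartition("@")`), reject the login when `name` is empty or still contains `@`, and only then compare `realm.upper()` with `self.api.env.realm`; the comment above the block should say that the upper-cased realm must match the server realm and that the `else` branch deliberately answers with `unauthorized(... 'denied')` for any other realm. Minor: spacing around `==` and `=` (`parts[1].upper() == self.api.env.realm`, `user = parts[0]`) per PEP 8.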
Uh odd. Well if the problem is deep there, then please open a ticket to fix that problem and let's move on with your current solution. But we need either a ticket or a note somewhere (or maybe even just FIXMEs in your code comments) to make sure we improve this code later to check via LDAP so we do not hit a wall if/when we decide to allow trusted users to log into the ui.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel