Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On Thu, 2012-11-15 at 20:50 +0100, Tomas Babej wrote: On 11/15/2012 04:14 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote: On 11/15/2012 03:10 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') I think you should really fail only if you get failure connecting to LDAP. Because we can easily allow logins by providing a mapping object as part of SASL rules, we simply do not do it yet. Simo. Turns out if user from trusted realm logs in using WebUI form, he sucessfully obtaines ticket, however, a ccache is created with negative expiration time, because KRB5_CCache classes uses server's realm in its methods. Uh odd. Well if the problem is deep there, then please open a ticket to fix that probelm and let's move on with your current solution. But we need either a ticket or a note somewhere (or maybe even just FIXMEs in your code comments) to make sure we improve this code later to check via LDAP so we do not hit a wall if/when we decide to allow trusted users to log into the ui. Simo. The updated patch is attached. Please check if there are any other issues. I will open the tickets after further investigation. Sorry for the delay, I though I had ACKed this one already. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
Simo Sorce wrote: On Thu, 2012-11-15 at 20:50 +0100, Tomas Babej wrote: On 11/15/2012 04:14 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote: On 11/15/2012 03:10 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') I think you should really fail only if you get failure connecting to LDAP. Because we can easily allow logins by providing a mapping object as part of SASL rules, we simply do not do it yet. Simo. Turns out if user from trusted realm logs in using WebUI form, he sucessfully obtaines ticket, however, a ccache is created with negative expiration time, because KRB5_CCache classes uses server's realm in its methods. Uh odd. Well if the problem is deep there, then please open a ticket to fix that probelm and let's move on with your current solution. But we need either a ticket or a note somewhere (or maybe even just FIXMEs in your code comments) to make sure we improve this code later to check via LDAP so we do not hit a wall if/when we decide to allow trusted users to log into the ui. Simo. The updated patch is attached. Please check if there are any other issues. I will open the tickets after further investigation. Sorry for the delay, I though I had ACKed this one already. Simo. pushed to master and ipa-3-0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On 11/15/2012 12:41 PM, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') I expanded the comments, please check if you find them appropriate now. Tomas From e08691492241399bbe41802b945df0b714e16c00 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 15 Nov 2012 05:21:16 -0500 Subject: [PATCH] Add detection for users from trusted/invalid realms When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 --- ipaserver/plugins/ldap2.py | 2 ++ ipaserver/rpcserver.py | 20 +++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index bf1a0d3761b90cfa0784363aeaf40686e72c5d49..8e8e1604ff0a3d36fe3501ec6f54abdb717d78ae 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -727,6 +727,8 @@ class ldap2(CrudBackend): except _ldap.SERVER_DOWN: raise NetworkError(uri=self.ldap_uri, error=u'LDAP Server Down') +except _ldap.LOCAL_ERROR: +raise errors.ACIError(info=info) except _ldap.SUCCESS: pass except _ldap.LDAPError, e: diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 0856c25cef7904b3913b1666ddcf4965368f368a..d64e6514699c8679aa9e396c7b6b6256977a821f 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -809,7 +809,11 @@ class jsonserver_session(jsonserver, KerberosSession): # Store the session data in the per-thread context setattr(context, 'session_data', session_data) -self.create_context(ccache=ipa_ccache_name) +# This may fail if a ticket from wrong realm was handled via browser +try: +self.create_context(ccache=ipa_ccache_name) +except ACIError, e: +return self.unauthorized(environ, start_response, str(e), 'denied') try: response = super(jsonserver_session, self).__call__(environ, start_response) @@ -927,6 +931,20 @@ class login_password(Backend, KerberosSession, HTTP_Status): else: return self.bad_request(environ, start_response, no user specified) +# allows login in the form user@SERVER_REALM or user@server_realm +# FIXME: uppercasing may be removed when better handling of UPN +#is introduced +parts = user.split(@) +if len(parts) 1: +# check whether the realm is server's realm +# Users from other realms are not supported +# (because they do not have necessary LDAP entry, +# LDAP connect will fail) +if parts[1].upper()==self.api.env.realm: +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') + password = query_dict.get('password', None) if password is not None: if len(password) == 1: -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On Thu, 15 Nov 2012, Tomas Babej wrote: From e08691492241399bbe41802b945df0b714e16c00 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 15 Nov 2012 05:21:16 -0500 Subject: [PATCH] Add detection for users from trusted/invalid realms When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 --- ipaserver/plugins/ldap2.py | 2 ++ ipaserver/rpcserver.py | 20 +++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index bf1a0d3761b90cfa0784363aeaf40686e72c5d49..8e8e1604ff0a3d36fe3501ec6f54abdb717d78ae 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -727,6 +727,8 @@ class ldap2(CrudBackend): except _ldap.SERVER_DOWN: raise NetworkError(uri=self.ldap_uri, error=u'LDAP Server Down') +except _ldap.LOCAL_ERROR: +raise errors.ACIError(info=info) except _ldap.SUCCESS: pass except _ldap.LDAPError, e: diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 0856c25cef7904b3913b1666ddcf4965368f368a..d64e6514699c8679aa9e396c7b6b6256977a821f 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -809,7 +809,11 @@ class jsonserver_session(jsonserver, KerberosSession): # Store the session data in the per-thread context setattr(context, 'session_data', session_data) -self.create_context(ccache=ipa_ccache_name) +# This may fail if a ticket from wrong realm was handled via browser +try: +self.create_context(ccache=ipa_ccache_name) +except ACIError, e: +return self.unauthorized(environ, start_response, str(e), 'denied') try: response = super(jsonserver_session, self).__call__(environ, start_response) @@ -927,6 +931,20 @@ class login_password(Backend, KerberosSession, HTTP_Status): else: return self.bad_request(environ, start_response, no user specified) +# allows login in the form user@SERVER_REALM or user@server_realm +# FIXME: uppercasing may be removed when better handling of UPN +#is introduced +parts = user.split(@) +if len(parts) 1: +# check whether the realm is server's realm +# Users from other realms are not supported +# (because they do not have necessary LDAP entry, +# LDAP connect will fail) +if parts[1].upper()==self.api.env.realm: +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') + Can we also block NetBIOS\user logins? See ipaserver.dcerpc.DomainValidator's normalize_name() method, it handles both variants and returns a dict. You cannot use it unconditionally, though, since it is only available if freeipa-server-trust-ad package is installed. We can move this method to some common place since it does not require trusts per se and then re-use it in several places. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') I think you should really fail only if you get failure connecting to LDAP. Because we can easily allow logins by providing a mapping object as part of SASL rules, we simply do not do it yet. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On 11/15/2012 03:10 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') I think you should really fail only if you get failure connecting to LDAP. Because we can easily allow logins by providing a mapping object as part of SASL rules, we simply do not do it yet. Simo. Turns out if user from trusted realm logs in using WebUI form, he sucessfully obtaines ticket, however, a ccache is created with negative expiration time, because KRB5_CCache classes uses server's realm in its methods. Tomas realm ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote: On 11/15/2012 03:10 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') I think you should really fail only if you get failure connecting to LDAP. Because we can easily allow logins by providing a mapping object as part of SASL rules, we simply do not do it yet. Simo. Turns out if user from trusted realm logs in using WebUI form, he sucessfully obtaines ticket, however, a ccache is created with negative expiration time, because KRB5_CCache classes uses server's realm in its methods. Uh odd. Well if the problem is deep there, then please open a ticket to fix that probelm and let's move on with your current solution. But we need either a ticket or a note somewhere (or maybe even just FIXMEs in your code comments) to make sure we improve this code later to check via LDAP so we do not hit a wall if/when we decide to allow trusted users to log into the ui. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
On 11/15/2012 04:14 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote: On 11/15/2012 03:10 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas +# allows login in the form user@SERVER_REALM or FIXME:user@server_realm The comment may not be clear for other people. I would be more verbose about the FIXME. +parts = user.split(@) +if len(parts) 1: +if parts[1].upper()==self.api.env.realm: I don't think we wanted to do this hard-check of realm. Personally I'am not against it because it's better to fail at login than at subsequent command (which will happen). Anyway it should be commented. +user=parts[0] +else: +return self.unauthorized(environ, start_response, '', 'denied') I think you should really fail only if you get failure connecting to LDAP. Because we can easily allow logins by providing a mapping object as part of SASL rules, we simply do not do it yet. Simo. Turns out if user from trusted realm logs in using WebUI form, he sucessfully obtaines ticket, however, a ccache is created with negative expiration time, because KRB5_CCache classes uses server's realm in its methods. Uh odd. Well if the problem is deep there, then please open a ticket to fix that probelm and let's move on with your current solution. But we need either a ticket or a note somewhere (or maybe even just FIXMEs in your code comments) to make sure we improve this code later to check via LDAP so we do not hit a wall if/when we decide to allow trusted users to log into the ui. Simo. The updated patch is attached. Please check if there are any other issues. I will open the tickets after further investigation. Tomas From 51d2e1e4cee203bac70f21b3b2797e64e9d1277b Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 15 Nov 2012 05:21:16 -0500 Subject: [PATCH] Add detection for users from trusted/invalid realms When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 --- ipalib/util.py | 15 +++ ipaserver/dcerpc.py| 19 +++ ipaserver/plugins/ldap2.py | 2 ++ ipaserver/rpcserver.py | 37 +++-- 4 files changed, 55 insertions(+), 18 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 3fe5c9f446ed2c5cdc5df2cb7b629fae8b319a4b..c52d060b55b51c9dbe2791bf92f8f002be9af9da 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -105,6 +105,21 @@ def validate_host_dns(log, fqdn): ) raise errors.DNSNotARecordError() +def normalize_name(name): +result = dict() +components = name.split('@') +if len(components) == 2: +result['domain'] = unicode(components[1]).lower() +result['name'] = unicode(components[0]).lower() +else: +components = name.split('\\') +if len(components) == 2: +result['flatname'] = unicode(components[0]).lower() +result['name'] = unicode(components[1]).lower() +else: +result['name'] = unicode(name).lower() +return result + def isvalid_base64(data): Validate the incoming data as valid base64 data or not. diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 4eddbcdc304de9e50c5ccb9a71808fb71cf5b844..4e83926dbcf2bd3f64c9e358e00c59c5aa603c91 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -31,6 +31,7 @@ from ipapython import ipautil from ipapython.ipa_log_manager import * from ipapython.dn import DN from ipaserver.install import installutils +from ipalib.util import normalize_name import os, string, struct, copy import uuid @@ -184,21 +185,6 @@ class DomainValidator(object): return True return False -def normalize_name(self, name): -result = dict() -components = name.split('@') -if len(components) == 2: -result['domain'] = unicode(components[1]).lower() -result['name'] = unicode(components[0]).lower() -else: -components = name.split('\\') -if len(components) == 2: -result['flatname'] = unicode(components[0]).lower() -result['name'] = unicode(components[1]).lower() -else: -