[Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
Simo Sorce
simo at redhat.com
Thu Nov 15 15:14:43 UTC 2012
On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
> On 11/15/2012 03:10 PM, Simo Sorce wrote:
> > On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
> >> On 11/15/2012 11:54 AM, Tomas Babej wrote:
> >>> Hi,
> >>>
> >>> This is server part of #3252.
> >>>
> >>> When user from other realm than FreeIPA's tries to use Web UI
> >>> (login via forms-based auth or with valid trusted realm ticket),
> >>> the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
> >>> is returned.
> >>>
> >>> Also, the support for usernames of the form user at SERVER.REALM
> >>> or user at server.realm was added.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/3252
> >>>
> >>> Tomas
> >>>
> >>> + # allows login in the form user at SERVER_REALM or FIXME:user at server_realm
> >> The comment may not be clear for other people. I would be more verbose
> >> about the FIXME.
> >>
> >>> + parts = user.split("@")
> >>> + if len(parts) > 1:
> >>> + if parts[1].upper()==self.api.env.realm:
> >> I don't think we wanted to do this hard-check of realm. Personally I'am
> >> not against it because it's better to fail at login than at subsequent
> >> command (which will happen). Anyway it should be commented.
> >>
> >>> + user=parts[0]
> >>> + else:
> >>> + return self.unauthorized(environ, start_response, '', 'denied')
> > I think you should really fail only if you get failure connecting to
> > LDAP. Because we can easily allow logins by providing a mapping object
> > as part of SASL rules, we simply do not do it yet.
> >
> > Simo.
> >
> Turns out if user from trusted realm logs in using WebUI form,
> he sucessfully obtaines ticket, however, a ccache is created with
> negative expiration time, because KRB5_CCache classes
> uses server's realm in its methods.
Uh odd.
Well if the problem is deep there, then please open a ticket to fix that
probelm and let's move on with your current solution.
But we need either a ticket or a note somewhere (or maybe even just
FIXMEs in your code comments) to make sure we improve this code later to
check via LDAP so we do not hit a wall if/when we decide to allow
trusted users to log into the ui.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list