[Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

Tomas Babej tbabej at redhat.com
Thu Nov 15 19:50:00 UTC 2012


On 11/15/2012 04:14 PM, Simo Sorce wrote:
> On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
>> On 11/15/2012 03:10 PM, Simo Sorce wrote:
>>> On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
>>>> On 11/15/2012 11:54 AM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> This is server part of #3252.
>>>>>
>>>>> When user from other realm than FreeIPA's tries to use Web UI
>>>>> (login via forms-based auth or with valid trusted realm ticket),
>>>>> the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
>>>>> is returned.
>>>>>
>>>>> Also, the support for usernames of the form user at SERVER.REALM
>>>>> or user at server.realm was added.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3252
>>>>>
>>>>> Tomas
>>>>>
>>>>> +        # allows login in the form user at SERVER_REALM or FIXME:user at server_realm
>>>> The comment may not be clear for other people. I would be more verbose
>>>> about the FIXME.
>>>>
>>>>> +        parts = user.split("@")
>>>>> +        if len(parts) > 1:
>>>>> +            if parts[1].upper()==self.api.env.realm:
>>>> I don't think we wanted to do this hard-check of realm. Personally I'm
>>>> not against it because it's better to fail at login than at subsequent
>>>> command (which will happen). Anyway it should be commented.
>>>>
>>>>> +                user=parts[0]
>>>>> +            else:
>>>>> +                return self.unauthorized(environ, start_response, '', 'denied')
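Review bot: `user.split("@")` followed by `parts[1]` misreads a login name that contains more than one "@" (the middle segment, not the trailing realm, is compared and the login is denied), so the realm check should split on the last "@" only, e.g. `user, realm = user.rsplit("@", 1)`. The comparison `parts[1].upper()==self.api.env.realm` also relies on `self.api.env.realm` already being upper-case; comparing `.upper()` on both sides makes that explicit. Minor style point: PEP 8 spacing is missing around `==` and in `user=parts[0]`.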
>>> I think you should really fail only if you get failure connecting to
>>> LDAP. Because we can easily allow logins by providing a mapping object
>>> as part of SASL rules, we simply do not do it yet.
>>>
>>> Simo.
>>>
>> Turns out if user from trusted realm logs in using WebUI form,
>> he successfully obtains ticket, however, a ccache is created with
>> negative expiration time, because KRB5_CCache classes
>> use server's realm in their methods.
> Uh odd.
> Well if the problem is deep there, then please open a ticket to fix that
> problem and let's move on with your current solution.
>
> But we need either a ticket or a note somewhere (or maybe even just
> FIXMEs in your code comments) to make sure we improve this code later to
> check via LDAP so we do not hit a wall if/when we decide to allow
> trusted users to log into the ui.
>
> Simo.
The updated patch is attached. Please check if there are any other issues.

I will open the tickets after further investigation.

Tomas
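The login-name handling described in the thread (a bare user name or user@REALM is accepted only for the server's own realm, anything else is rejected with the 'denied' reason sent back in the 401 response), written out as an added stand-alone example; this is not the attached FreeIPA patch, and the realm `IPA.EXAMPLE` used in the test is a constructed value.

```python
from typing import Optional, Tuple


def split_principal(login: str) -> Tuple[str, Optional[str]]:
    """Split 'user@REALM' into (user, realm); realm is None when absent.

    rsplit on the last '@' keeps a user part that itself contains '@'
    intact instead of treating its middle segment as the realm.
    """
    if "@" not in login:
        return login, None
    user, realm = login.rsplit("@", 1)
    return user, realm


def check_login_realm(login: str, server_realm: str) -> Tuple[bool, str, str]:
    """Return (allowed, bare_user, rejection_reason) for a form login name.

    A name with no realm, or with the server's own realm compared
    case-insensitively (so user@server.realm works like user@SERVER.REALM),
    is allowed and reduced to the bare user name.  A name from any other
    realm is rejected with the 'denied' reason that the Web UI login
    returns in X-Ipa-Rejection-Reason alongside the 401 status.
    """
    user, realm = split_principal(login)
    if not user:
        # Added check: an empty user part ('@REALM') is never a valid login.
        return False, "", "denied"
    if realm is None or realm.upper() == server_realm.upper():
        return True, user, ""
    return False, user, "denied"
```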
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0023-3-Add-detection-for-users-from-trusted-invalid-realms.patch
Type: text/x-patch
Size: 6973 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121115/42aaa077/attachment.bin>