|
 |
3b8b44 |
From 109cd579e3b089b7fad4c92bf25594eba1af8a21 Mon Sep 17 00:00:00 2001
|
|
|
3b8b44 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
3b8b44 |
Date: Tue, 23 Aug 2022 16:58:07 +0300
|
|
|
3b8b44 |
Subject: [PATCH] fix canonicalization issue in Web UI
|
|
|
3b8b44 |
|
|
|
3b8b44 |
When Kerberos principal alias is used to login to a Web UI, we end up
|
|
|
3b8b44 |
with a request that is authenticated by a ticket issued in the alias
|
|
|
3b8b44 |
name but metadata processed for the canonical user name. This confuses
|
|
|
3b8b44 |
RPC layer of Web UI code and causes infinite loop to reload the page.
|
|
|
3b8b44 |
|
|
|
3b8b44 |
Fix it by doing two things:
|
|
|
3b8b44 |
|
|
|
3b8b44 |
- force use of canonicalization of an enterprise principal on server
|
|
|
3b8b44 |
side, not just specifying that the principal is an enterprise one;
|
|
|
3b8b44 |
|
|
|
3b8b44 |
- recognize that a principal in the whoami()-returned object can have
|
|
|
3b8b44 |
aliases and the principal returned by the server in the JSON response
|
|
|
3b8b44 |
may be one of those aliases.
|
|
|
3b8b44 |
|
|
|
3b8b44 |
Fixes: https://pagure.io/freeipa/issue/9226
|
|
|
3b8b44 |
|
|
|
3b8b44 |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
3b8b44 |
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
|
3b8b44 |
---
|
|
|
3b8b44 |
install/ui/src/freeipa/ipa.js | 8 +++++++-
|
|
|
3b8b44 |
ipaserver/rpcserver.py | 1 +
|
|
|
3b8b44 |
2 files changed, 8 insertions(+), 1 deletion(-)
|
|
|
3b8b44 |
|
|
|
3b8b44 |
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
|
|
|
3b8b44 |
index 758db1b00..a08d632e9 100644
|
|
|
3b8b44 |
--- a/install/ui/src/freeipa/ipa.js
|
|
|
3b8b44 |
+++ b/install/ui/src/freeipa/ipa.js
|
|
|
3b8b44 |
@@ -271,7 +271,13 @@ var IPA = function () {
|
|
|
3b8b44 |
var cn = that.whoami.data.krbcanonicalname;
|
|
|
3b8b44 |
if (cn) that.principal = cn[0];
|
|
|
3b8b44 |
if (!that.principal) {
|
|
|
3b8b44 |
- that.principal = that.whoami.data.krbprincipalname[0];
|
|
|
3b8b44 |
+ var principal = data.principal;
|
|
|
3b8b44 |
+ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
|
|
|
3b8b44 |
+ if (idx > -1) {
|
|
|
3b8b44 |
+ that.principal = principal;
|
|
|
3b8b44 |
+ } else {
|
|
|
3b8b44 |
+ that.principal = that.whoami.data.krbprincipalname[0];
|
|
|
3b8b44 |
+ }
|
|
|
3b8b44 |
}
|
|
|
3b8b44 |
} else if (entity === 'idoverrideuser') {
|
|
|
3b8b44 |
that.principal = that.whoami.data.ipaoriginaluid[0];
|
|
|
3b8b44 |
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
|
|
3b8b44 |
index 1f85e9898..4e8a08b66 100644
|
|
|
3b8b44 |
--- a/ipaserver/rpcserver.py
|
|
|
3b8b44 |
+++ b/ipaserver/rpcserver.py
|
|
|
3b8b44 |
@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
|
|
|
3b8b44 |
ccache_name,
|
|
|
3b8b44 |
armor_ccache_name=armor_path,
|
|
|
3b8b44 |
enterprise=True,
|
|
|
3b8b44 |
+ canonicalize=True,
|
|
|
3b8b44 |
lifetime=self.api.env.kinit_lifetime)
|
|
|
3b8b44 |
|
|
|
3b8b44 |
if armor_path:
|
|
|
3b8b44 |
--
|
|
|
3b8b44 |
2.37.3
|
|
|
3b8b44 |
|