From 0292ebd1e5603a5daabf274b40fb4e10f096ea1c Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 15 Nov 2012 05:21:16 -0500
Subject: Add detection for users from trusted/invalid realms

When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252
---
 ipaserver/plugins/ldap2.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'ipaserver/plugins')
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index bf1a0d37..8e8e1604 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -727,6 +727,8 @@ class ldap2(CrudBackend):
 except _ldap.SERVER_DOWN:
 raise NetworkError(uri=self.ldap_uri,
 error=u'LDAP Server Down')
+ except _ldap.LOCAL_ERROR:
+ raise errors.ACIError(info=info)
 except _ldap.SUCCESS:
 pass
 except _ldap.LDAPError, e:
-- cgit
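Review bot: The new `except _ldap.LOCAL_ERROR:` branch turns every client-side LDAP library failure into `errors.ACIError`, so a local fault unrelated to authorization (for example a SASL/GSSAPI setup problem on the server) would be reported to the caller as an access denial, and the original cause is lost for anyone triaging failed logins. Consider narrowing the mapping to the foreign-realm case if the exception carries enough detail to tell it apart, and at minimum log the original exception before translating it and record the intent in a comment such as `# LOCAL_ERROR: SASL bind failed locally (e.g. ticket from a foreign realm); report as access denied`. `info` is not defined in the visible lines, and the `try`/`except` chain starts and ends outside the hunk, so confirm that `info` is always bound on this path and that its text is safe to return to an unauthenticated client.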