mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-26 16:16:31 -06:00
rpcserver: x509_login: Handle unsuccessful certificate login gracefully
When mod_lookup_identity is unable to match user by certificate (and username) it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos ticket and doesn't set KRB5CCNAME environment variable. x509_login.__call__ now returns 401 in such case to indicate that request was not authenticated. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
e20ad9c251
commit
70889d4d5e
@ -834,6 +834,16 @@ class login_kerberos(KerberosLogin):
|
||||
class login_x509(KerberosLogin):
|
||||
key = '/session/login_x509'
|
||||
|
||||
def __call__(self, environ, start_response):
|
||||
self.debug('WSGI login_x509.__call__:')
|
||||
|
||||
if 'KRB5CCNAME' not in environ:
|
||||
return self.unauthorized(
|
||||
environ, start_response, 'KRB5CCNAME not set',
|
||||
'Authentication failed')
|
||||
|
||||
super(login_x509, self).__call__(environ, start_response)
|
||||
|
||||
|
||||
class login_password(Backend, KerberosSession):
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user