authorGreg Hudson <ghudson@mit.edu>2015-03-26 12:47:06 -0400
committerTom Yu <tlyu@mit.edu>2015-04-16 16:10:42 -0400
commit338cf20b3df6d30a8fe4c4d8c8e3b718edbf35a4 (patch)
tree9db610e8d5f648dc96079c0c56d3aaad64befd43
parent1ff2ecc7890ae4b843c77c2ba68f5a152806bf05 (diff)
Disable principal renames for LDAP
The current principal rename procedure does not work with the LDAP KDB module, instead having the effect of deleting the principal. The fix is not easy and requires amending the DAL (see issue #8065). For now, detect LDAP and error out when a rename operation is attempted. (cherry picked from commit 8483243664a289fea142d8a9de61eba30d713871) ticket: 8162 version_fixed: 1.13.2 status: resolved
-rw-r--r--src/lib/kadm5/srv/svr_principal.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d4e74cc..27f8eba 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -782,6 +782,7 @@ kadm5_rename_principal(void *server_handle,
kadm5_server_handle_t handle = server_handle;
krb5_int16 stype, i;
krb5_data *salt = NULL;
+ krb5_tl_data tl;
CHECK_HANDLE(server_handle);
@@ -798,6 +799,18 @@ kadm5_rename_principal(void *server_handle,
if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
return ret;
+ /*
+ * This rename procedure does not work with the LDAP KDB module (see issue
+ * #8065). As a stopgap, look for tl-data indicating LDAP and error out.
+ * 0x7FFE is KDB_TL_USER_INFO as defined in kdb_ldap.h.
+ */
+ tl.tl_data_type = 0x7FFE;
+ if (krb5_dbe_lookup_tl_data(handle->context, kdb, &tl) == 0 &&
+ tl.tl_data_length > 0) {
+ ret = KRB5_PLUGIN_OP_NOTSUPP;
+ goto done;
+ }
+
/* Transform salts as necessary. */
for (i = 0; i < kdb->n_key_data; i++) {
ret = krb5_dbe_compute_salt(handle->context, &kdb->key_data[i],
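Review bot: The LDAP guard fails open: if `krb5_dbe_lookup_tl_data()` returns non-zero, the `== 0 &&` test is false and the rename continues into the salt loop, which per the commit message has the effect of deleting the principal on an LDAP backend. Whether that lookup can actually fail is not visible in this hunk, but propagating its result is cheap: `ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl);` then `if (ret) goto done;` then `if (tl.tl_data_length > 0) {`. The literal `0x7FFE` is also a second copy of a value owned by kdb_ldap.h, so a change there would silently disable this check; a local `#define` carrying the same comment, or a constant in a shared header, would make the coupling easy to find. kadm5_rename_principal starts and ends outside the hunk, so the `done` path is assumed to release `kdb` and `adb`.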