author | Isaac Boukris <iboukris@gmail.com> | 2019-12-26 00:23:21 +0100 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2019-12-28 01:02:40 -0500 |
commit | ac8865a22138ab0c657208c41be8fd6bc7968148 (patch) | |
tree | 7b757d90fb25d1fbded459c4a8210ea5af7b36b5 /src/plugins | |
parent | 3f5955631a2056f8ec4d1ce73d9681fa7da061c2 (diff) | |
Remove KRB5_KDB_FLAG_ALIAS_OK
It is simpler and more consistent with Windows to let the KDB module
always return aliases, and use KDC logic (already present) to decide
whether to use the requested or canonical principal name in the
ticket.
With the removal of this flag, "kinit alias" (without the -C flag)
against the LDAP KDB module will issue a ticket for the alias name,
instead of failing with a "client not found" error.
[ghudson@mit.edu: edited comments; wrote commit message]
ticket: 8859 (new)
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 15 | ||||
-rw-r--r-- | src/plugins/kdb/test/kdb_test.c | 14 |
2 files changed, 11 insertions, 18 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ee9c028..564093f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -189,15 +189,12 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
     if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
         if (values[0] && strcmp(values[0], user) != 0) {
             /* We matched an alias, not the canonical name. */
-            if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-                st = krb5_ldap_parse_principal_name(values[0], &cname);
-                if (st != 0)
-                    goto cleanup;
-                st = krb5_parse_name(context, cname, &cprinc);
-                if (st != 0)
-                    goto cleanup;
-            } else /* No canonicalization, so don't return aliases. */
-                found = FALSE;
+            st = krb5_ldap_parse_principal_name(values[0], &cname);
+            if (st != 0)
+                goto cleanup;
+            st = krb5_parse_name(context, cname, &cprinc);
+            if (st != 0)
+                goto cleanup;
         }
         ldap_value_free(values);
         if (!found)
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 3a1d1ba..69a4663 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -351,14 +351,12 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
                                   &search_name));
     canon = get_string(h, "alias", search_name, NULL);
     if (canon != NULL) {
-        if (!(flags & KRB5_KDB_FLAG_ALIAS_OK) &&
-            search_for->type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
-            ret = KRB5_KDB_NOENTRY;
-            goto cleanup;
-        }
         check(krb5_parse_name(context, canon, &princ));
         if (!krb5_realm_compare(context, search_for, princ)) {
-            if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
+            /* Out of realm */
+            if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) &&
+                ((flags & KRB5_KDB_FLAG_CANONICALIZE) ||
+                 search_for->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
                 /* Return a client referral by creating an entry with only the
                  * principal set. */
                 *entry = ealloc(sizeof(**entry));
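Review bot: With the KRB5_KDB_FLAG_ALIAS_OK branch gone, an alias match now always resolves the krbcanonicalname value into cprinc, so every caller of krb5_ldap_get_principal, not only the KDC, receives alias entries; that widened contract is not stated near the new lines. I would extend the comment at the top of the block to `/* We matched an alias, not the canonical name.  Always resolve the canonical name into cprinc; the caller (the KDC) decides whether the requested or canonical name goes into the ticket. */`. The `if (!found)` test after the hunk now depends solely on how found is set elsewhere in the function, since this block no longer clears it; krb5_ldap_get_principal's body starts and ends outside the hunk, so I could not confirm found's initialization or that cname and cprinc are released at cleanup on the new path.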
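Review bot: The new `/* Out of realm */` comment above the referral condition in test_get_principal does not explain why the referral is now gated on KRB5_KDB_FLAG_CANONICALIZE or an enterprise name type, which is the substantive change in this hunk. A reader has to infer that a client referral is only appropriate when the client permitted canonicalization; I would expand it to `/* Out of realm: only refer the client when it asked for canonicalization (explicitly or via an enterprise name). */`. When the realm differs but that condition does not hold, control continues past the hunk into code I cannot see, so whether the lookup then fails with KRB5_KDB_NOENTRY (what the removed lines did for plain aliases) or returns the out-of-realm entry should be confirmed; test_get_principal starts and ends outside the hunk.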
@@ -486,9 +484,7 @@ test_get_s4u_x509_principal(krb5_context context, const krb5_data *client_cert,
                                   &princ_name));
     canon = get_string(h, "alias", princ_name, NULL);
     krb5_free_unparsed_name(context, princ_name);
-    if (canon != NULL &&
-        ((flags & KRB5_KDB_FLAG_ALIAS_OK) ||
-         princ->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
+    if (canon != NULL) {
         check(krb5_parse_name(context, canon, &canon_princ));
         match = krb5_principal_compare(context, canon_princ, (*entry)->princ);
         krb5_free_principal(context, canon_princ); |