Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules

should return in-realm aliases.  Set it where appropriate, and use it
in the LDAP module instead of intuiting the result based on other
flags.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970

5 files changed, 20 insertions, 36 deletions

diff --git a/src/include/kdb.h b/src/include/kdb.h
index a03361e..49d77aa 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -130,6 +130,8 @@
 #define KRB5_KDB_FLAG_USER_TO_USER              0x00000800
 /* Cross-realm */
 #define KRB5_KDB_FLAG_CROSS_REALM               0x00001000
+/* Allow in-realm aliases */
+#define KRB5_KDB_FLAG_ALIAS_OK                  0x00002000
 
 #define KRB5_KDB_FLAGS_S4U                      ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
                                                   KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
@@ -913,19 +915,17 @@ typedef struct _kdb_vftabl {
      * db_get_principal):
      *
      * KRB5_KDB_FLAG_CANONICALIZE: Set by the KDC when looking up entries for
-     *     an AS or TGS request with canonicalization requested.  Affects
-     *     whether the module should return out-of-realm referrals and aliases
-     *     (see below).
+     *     an AS or TGS request with canonicalization requested.  Determines
+     *     whether the module should return out-of-realm referrals.
      *
-     * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+     * KRB5_KDB_FLAG_INCLUDE_PAC: Set by the KDC during an AS request when the
      *     client requested PAC information during padata, and during most TGS
      *     requests.  Indicates that the module should include PAC information
      *     when generating authorization data.
      *
      * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
      *     client entry in an AS request.  Affects how the module should return
-     *     out-of-realm referrals and whether the module should return in-realm
-     *     aliases (see below).
+     *     out-of-realm referrals.
      *
      * KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
      *     entry during TGS requests, except for S4U TGS requests and requests
@@ -946,10 +946,14 @@ typedef struct _kdb_vftabl {
      *     during a TGS request, if the client principal is not part of the
      *     realm being served.
      *
-     * A module can return in-realm aliases if KRB5_KDB_FLAG_CANONICALIZE is
-     * set, or if KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is not set (because
-     * aliases are always okay for TGS requests).  To return an in-realm alias,
-     * fill in a different value for entries->princ than the one requested.
+     * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
+     *     for AS request client principal lookups with canonicalization
+     *     requested; also set by the admin interface.  Determines whether the
+     *     module should return in-realm aliases.
+     *
+     * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set.
+     * To return an in-realm alias, fill in a different value for
+     * entries->princ than the one requested.
      *
      * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
      * is set.  For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 57070f5..48a55e4 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -195,6 +195,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         krb5_princ_type(kdc_context,
                         request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
         setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+        setflag(c_flags, KRB5_KDB_FLAG_ALIAS_OK);
     }
     if (include_pac_p(kdc_context, request)) {
         setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
@@ -237,6 +238,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 #endif
 
     s_flags = 0;
+    setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
     if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
         setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
     }
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index eeafa07..2c4514c 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -205,6 +205,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     /* XXX make sure server here has the proper realm...taken from AP_REQ
        header? */
 
+    setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
     if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
         setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
         setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index cb60971..deb7181 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -242,7 +242,8 @@ kdb_get_entry(kadm5_server_handle_t handle,
 
     *kdb_ptr = NULL;
 
-    ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
+    ret = krb5_db_get_principal(handle->context, principal,
+                                KRB5_KDB_FLAG_ALIAS_OK, &kdb);
     if (ret == KRB5_KDB_NOENTRY)
         return(KADM5_UNK_PRINC);
     if (ret)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 9b50eda..27a3a64 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -70,30 +70,6 @@ berval2tl_data(struct berval *in, krb5_tl_data **out)
     return 0;
 }
 
-/* Return true if it's okay to return aliases according to flags. */
-static krb5_boolean
-aliases_ok(unsigned int flags)
-{
-    /*
-     * The current DAL does not have a flag to indicate whether
-     * aliases are okay.  For service name lookups (AS or TGT path),
-     * we can always return aliases.  For client name lookups, we can
-     * only return aliases if the client passed the canonicalize flag.
-     * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
-     * lookups.
-     *
-     * This method has the side effect of permitting aliases for
-     * lookups by administrative interfaces (e.g. kadmin).  Since we
-     * don't have explicit admin support for aliases yet, this is
-     * okay.
-     */
-    if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
-        return TRUE;
-    if (flags & KRB5_KDB_FLAG_CANONICALIZE)
-        return TRUE;
-    return FALSE;
-}
-
 /*
  * look up a principal in the directory.
  */
@@ -178,7 +154,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
             if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
                 if (values[0] && strcmp(values[0], user) != 0) {
                     /* We matched an alias, not the canonical name. */
-                    if (aliases_ok(flags)) {
+                    if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
                         st = krb5_ldap_parse_principal_name(values[0], &cname);
                         if (st != 0)
                             goto cleanup;