author | Greg Hudson <ghudson@mit.edu> | 2010-07-08 23:34:35 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2010-07-08 23:34:35 +0000 |
commit | e220a6288b10e1f9280e8aa2cb18ad56391e0a45 (patch) | |
tree | b052d1e6cb8a61ad28acf1a246fae3e808ba1530 /src | |
parent | eb75acd30b4bee1124174c8ba5740a7ad1c97ba4 (diff) | |
Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules
should return in-realm aliases. Set it where appropriate, and use it
in the LDAP module instead of intuiting the result based on other
flags.
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/include/kdb.h | 24 | ||||
-rw-r--r-- | src/kdc/do_as_req.c | 2 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 1 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_kdb.c | 3 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 26 |
5 files changed, 20 insertions, 36 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index a03361e..49d77aa 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -130,6 +130,8 @@
 #define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
 /* Cross-realm */
 #define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
+/* Allow in-realm aliases */
+#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
 #define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
 KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
@@ -913,19 +915,17 @@ typedef struct _kdb_vftabl {
 * db_get_principal):
 *
 * KRB5_KDB_FLAG_CANONICALIZE: Set by the KDC when looking up entries for
- * an AS or TGS request with canonicalization requested. Affects
- * whether the module should return out-of-realm referrals and aliases
- * (see below).
+ * an AS or TGS request with canonicalization requested. Determines
+ * whether the module should return out-of-realm referrals.
 *
- * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+ * KRB5_KDB_FLAG_INCLUDE_PAC: Set by the KDC during an AS request when the
 * client requested PAC information during padata, and during most TGS
 * requests. Indicates that the module should include PAC information
 * when generating authorization data.
 *
 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
 * client entry in an AS request. Affects how the module should return
- * out-of-realm referrals and whether the module should return in-realm
- * aliases (see below).
+ * out-of-realm referrals.
 *
 * KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
 * entry during TGS requests, except for S4U TGS requests and requests
@@ -946,10 +946,14 @@ typedef struct _kdb_vftabl {
 * during a TGS request, if the client principal is not part of the
 * realm being served.
 *
- * A module can return in-realm aliases if KRB5_KDB_FLAG_CANONICALIZE is
- * set, or if KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is not set (because
- * aliases are always okay for TGS requests). To return an in-realm alias,
- * fill in a different value for entries->princ than the one requested.
+ * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
+ * for AS request client principal lookups with canonicalization
+ * requested; also set by the admin interface. Determines whether the
+ * module should return in-realm aliases.
+ *
+ * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set.
+ * To return an in-realm alias, fill in a different value for
+ * entries->princ than the one requested.
 *
 * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
 * is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 57070f5..48a55e4 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -195,6 +195,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 krb5_princ_type(kdc_context, request->client) ==
 KRB5_NT_ENTERPRISE_PRINCIPAL) {
 setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ setflag(c_flags, KRB5_KDB_FLAG_ALIAS_OK);
 }
 if (include_pac_p(kdc_context, request)) {
 setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
@@ -237,6 +238,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 #endif
 s_flags = 0;
+ setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
 if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
 setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
 }
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index eeafa07..2c4514c 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
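Review bot: The new KRB5_KDB_FLAG_ALIAS_OK paragraph in the kdb.h hunk states when a module may return an alias but not what it must do when the flag is clear and the lookup matches only an alias; presumably such a lookup should fail as if the entry did not exist (KRB5_KDB_NOENTRY, the value server_kdb.c checks for) rather than be returned under the requested name, but the text leaves that to each module. I would add one sentence after "entries->princ than the one requested.": ` * If the flag is not set, a lookup that only matches an alias must fail as if no entry existed.` The _kdb_vftabl comment block continues outside the hunk.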
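Review bot: In do_as_req.c the server lookup sets KRB5_KDB_FLAG_ALIAS_OK unconditionally (second hunk, directly after `s_flags = 0;`), while the client lookup sets it only inside the canonicalize/enterprise-name branch (first hunk); the asymmetry matches the kdb.h text added by this commit, but nothing at either call site explains it, and the same unconditional server-side set appears in the do_tgs_req.c hunk. A one-line comment above the s_flags line would make the policy visible where flags are chosen: `/* Server aliases are always acceptable; client aliases only when canonicalization was requested. */` process_as_req begins and ends outside both hunks.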
@@ -205,6 +205,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
 /* XXX make sure server here has the proper realm...taken from AP_REQ header? */
+ setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
 if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
 setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
 setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index cb60971..deb7181 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -242,7 +242,8 @@ kdb_get_entry(kadm5_server_handle_t handle,
 *kdb_ptr = NULL;
- ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
+ ret = krb5_db_get_principal(handle->context, principal,
+ KRB5_KDB_FLAG_ALIAS_OK, &kdb);
 if (ret == KRB5_KDB_NOENTRY)
 return(KADM5_UNK_PRINC);
 if (ret)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 9b50eda..27a3a64 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
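Review bot: kdb_get_entry in server_kdb.c now passes KRB5_KDB_FLAG_ALIAS_OK, so by the kdb.h text in this commit the returned entry's princ may differ from `principal` whenever the requested name is an alias; an administrative operation issued against an alias name then presumably acts on the canonical entry, which is a policy decision the call site does not mention. I would record it on the call: `/* Permit alias matches; kdb->princ may then differ from principal. */` Whether any kadm5 caller compares kdb->princ with the requested name afterwards is outside this hunk, as is the rest of kdb_get_entry.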
@@ -70,30 +70,6 @@ berval2tl_data(struct berval *in, krb5_tl_data **out)
 return 0;
 }
-/* Return true if it's okay to return aliases according to flags. */
-static krb5_boolean
-aliases_ok(unsigned int flags)
-{
- /*
- * The current DAL does not have a flag to indicate whether
- * aliases are okay. For service name lookups (AS or TGT path),
- * we can always return aliases. For client name lookups, we can
- * only return aliases if the client passed the canonicalize flag.
- * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
- * lookups.
- *
- * This method has the side effect of permitting aliases for
- * lookups by administrative interfaces (e.g. kadmin). Since we
- * don't have explicit admin support for aliases yet, this is
- * okay.
- */
- if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
- return TRUE;
- if (flags & KRB5_KDB_FLAG_CANONICALIZE)
- return TRUE;
- return FALSE;
-}
-
 /*
 * look up a principal in the directory.
 */
@@ -178,7 +154,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
 if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
 if (values[0] && strcmp(values[0], user) != 0) {
 /* We matched an alias, not the canonical name. */
- if (aliases_ok(flags)) {
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
 st = krb5_ldap_parse_principal_name(values[0], &cname);
 if (st != 0)
 goto cleanup; |
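Review bot: The inline `flags & KRB5_KDB_FLAG_ALIAS_OK` test in the second hunk drops the rationale that the removed aliases_ok() carried, and the path taken when the flag is clear and only an alias matched lies outside the hunk, so a reader of this site cannot tell whether the lookup then fails or silently continues with the requested name. A short comment in place of the removed helper's text would keep the intent local: `/* Substitute the canonical name only when the caller permits aliases (KRB5_KDB_FLAG_ALIAS_OK, see kdb.h). */` krb5_ldap_get_principal begins and ends outside the hunk.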