Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 15 | ||||
-rw-r--r-- | src/plugins/kdb/test/kdb_test.c | 14 |
2 files changed, 11 insertions, 18 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ee9c028..564093f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -189,15 +189,12 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
 if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
 if (values[0] && strcmp(values[0], user) != 0) {
 /* We matched an alias, not the canonical name. */
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
- st = krb5_ldap_parse_principal_name(values[0], &cname);
- if (st != 0)
- goto cleanup;
- st = krb5_parse_name(context, cname, &cprinc);
- if (st != 0)
- goto cleanup;
- } else /* No canonicalization, so don't return aliases. */
- found = FALSE;
+ st = krb5_ldap_parse_principal_name(values[0], &cname);
+ if (st != 0)
+ goto cleanup;
+ st = krb5_parse_name(context, cname, &cprinc);
+ if (st != 0)
+ goto cleanup;
 }
 ldap_value_free(values);
 if (!found)
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 3a1d1ba..69a4663 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -351,14 +351,12 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
 &search_name));
 canon = get_string(h, "alias", search_name, NULL);
 if (canon != NULL) {
- if (!(flags & KRB5_KDB_FLAG_ALIAS_OK) &&
- search_for->type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
- ret = KRB5_KDB_NOENTRY;
- goto cleanup;
- }
 check(krb5_parse_name(context, canon, &princ));
 if (!krb5_realm_compare(context, search_for, princ)) {
- if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
+ /* Out of realm */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) &&
+ ((flags & KRB5_KDB_FLAG_CANONICALIZE) ||
+ search_for->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
 /* Return a client referral by creating an entry with only the
 * principal set. */
 *entry = ealloc(sizeof(**entry));
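Review bot: In krb5_ldap_get_principal, a krbcanonicalname mismatch now always resolves to the canonical entry, so the refusal that `found = FALSE` used to give callers without KRB5_KDB_FLAG_ALIAS_OK is gone; the same unconditional alias following is introduced in test_get_principal and test_get_s4u_x509_principal in kdb_test.c. Any caller that needs an exact-name match must now compare the returned principal with the one it asked for, and that check is not visible in these hunks, so it is worth confirming before merge. The retained comment should say so, for example `/* We matched an alias; always return the canonical entry and let the caller decide whether to accept it. */`. Separately, both added `goto cleanup;` lines leave the block before `ldap_value_free(values);` runs, which leaks `values` unless the cleanup label frees it; the function body extends beyond the hunk, so this is unverified.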
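Review bot: The new three-part condition in test_get_principal is documented only by `/* Out of realm */`, which does not say why a client referral now also requires KRB5_KDB_FLAG_CANONICALIZE or an enterprise-type name. A comment such as `/* Out of realm: only issue a client referral if the client asked for canonicalization or used an enterprise name. */` would record the rule. The branch taken when the condition is false lies outside the hunk; it presumably has to end in KRB5_KDB_NOENTRY for a non-canonicalizing client rather than return a foreign-realm entry, which should be checked against the full function.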
@@ -486,9 +484,7 @@ test_get_s4u_x509_principal(krb5_context context, const krb5_data *client_cert,
 &princ_name));
 canon = get_string(h, "alias", princ_name, NULL);
 krb5_free_unparsed_name(context, princ_name);
- if (canon != NULL &&
- ((flags & KRB5_KDB_FLAG_ALIAS_OK) ||
- princ->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
+ if (canon != NULL) {
 check(krb5_parse_name(context, canon, &canon_princ));
 match = krb5_principal_compare(context, canon_princ, (*entry)->princ);
 krb5_free_principal(context, canon_princ); |