Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c15
-rw-r--r--src/plugins/kdb/test/kdb_test.c14
2 files changed, 11 insertions, 18 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ee9c028..564093f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -189,15 +189,12 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
- st = krb5_ldap_parse_principal_name(values[0], &cname);
- if (st != 0)
- goto cleanup;
- st = krb5_parse_name(context, cname, &cprinc);
- if (st != 0)
- goto cleanup;
- } else /* No canonicalization, so don't return aliases. */
- found = FALSE;
+ st = krb5_ldap_parse_principal_name(values[0], &cname);
+ if (st != 0)
+ goto cleanup;
+ st = krb5_parse_name(context, cname, &cprinc);
+ if (st != 0)
+ goto cleanup;
}
ldap_value_free(values);
if (!found)
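Review bot: Both `goto cleanup` exits in the alias branch leave before `ldap_value_free(values)` runs, so the `krbcanonicalname` values look leaked on a parse failure unless the `cleanup` label, which is outside this hunk, releases them. With the `KRB5_KDB_FLAG_ALIAS_OK` test removed, this path now runs for every alias match, so a malformed `krbcanonicalname` attribute in the directory can reach it on any lookup. Adding `ldap_value_free(values);` before each `goto cleanup;` would close it. The existing comment could also record the new contract, for example `/* We matched an alias, not the canonical name; cprinc is set regardless of flags. */`.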
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 3a1d1ba..69a4663 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -351,14 +351,12 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
&search_name));
canon = get_string(h, "alias", search_name, NULL);
if (canon != NULL) {
- if (!(flags & KRB5_KDB_FLAG_ALIAS_OK) &&
- search_for->type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
- ret = KRB5_KDB_NOENTRY;
- goto cleanup;
- }
check(krb5_parse_name(context, canon, &princ));
if (!krb5_realm_compare(context, search_for, princ)) {
- if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
+ /* Out of realm */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) &&
+ ((flags & KRB5_KDB_FLAG_CANONICALIZE) ||
+ search_for->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
/* Return a client referral by creating an entry with only the
* principal set. */
*entry = ealloc(sizeof(**entry));
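Review bot: The `/* Out of realm */` comment does not say why a client referral now also requires `KRB5_KDB_FLAG_CANONICALIZE` or an enterprise name. Something like `/* Alias target is in another realm: only refer the client if it asked for canonicalization or used an enterprise principal. */` would make the rule readable. Because the early `KRB5_KDB_NOENTRY` return was removed above, a lookup that meets neither condition now falls through to the branches after this hunk. Those branches are not visible here and should be checked to still end in `KRB5_KDB_NOENTRY` rather than handing back an out-of-realm entry, ideally with a test case that pins it.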
@@ -486,9 +484,7 @@ test_get_s4u_x509_principal(krb5_context context, const krb5_data *client_cert,
&princ_name));
canon = get_string(h, "alias", princ_name, NULL);
krb5_free_unparsed_name(context, princ_name);
- if (canon != NULL &&
- ((flags & KRB5_KDB_FLAG_ALIAS_OK) ||
- princ->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
+ if (canon != NULL) {
check(krb5_parse_name(context, canon, &canon_princ));
match = krb5_principal_compare(context, canon_princ, (*entry)->princ);
krb5_free_principal(context, canon_princ);
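Review bot: The `if (canon != NULL)` branch now resolves an alias on every call, but no comment records that the comparison against `(*entry)->princ` deliberately accepts aliases whatever `flags` and the principal type are. Since `match` appears to drive a name check later in `test_get_s4u_x509_principal` (its use is outside the hunk), a one-line comment such as `/* Aliases are always honored here: compare the alias target with the entry's principal. */` would keep the intent clear for the next reader.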