[Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option
Zoran Pericic
zpericic at inet.hr
Fri Dec 17 17:15:22 UTC 2010
On 12/16/2010 08:25 PM, Simo Sorce wrote:
>> + (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
>> + if((ldap_inst->krb5_principal == NULL)&&
>> + (str_len(ldap_inst->krb5_principal) == 0)) {
>> + if((ldap_inst->sasl_user == NULL)&&
>> + (str_len(ldap_inst->sasl_user) == 0)) {
> the above 2 statements seem wrong to me, the original one had:
> if ((cond 1) || (cond 2)) {
> while you changed it into:
> if ((cond 1)&& (cond 2)) {
> This fails to do the check that is intended.
You are right. This is bug.
>> + char hostname[255];
>> + if(gethostname(hostname, 255) != 0) {
>> + log_error("SASL mech GSSAPI defined but
>> krb5_principal and sasl_user are empty. Could not get hostname");
>> + result = ISC_R_FAILURE;
>> + goto cleanup;
>> + } else {
>> + str_sprintf(ldap_inst->krb5_principal, "dns/%s",
>> hostname);
> This should probably be "DNS/%s", Kerberos is generally case sensitive
> and t5he default for bind is to use the service name part in all caps.
ACK.
Best regards,
Zoran Pericic
---
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 5eed8afba7a275a6ebb3a28c707639516ba9af41..d767571daa8e747833d598876541996280544916 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -128,6 +128,7 @@ struct ldap_instance {
ldap_auth_t auth_method;
ld_string_t *bind_dn;
ld_string_t *password;
+ ld_string_t *krb5_principal;
ld_string_t *sasl_mech;
ld_string_t *sasl_user;
ld_string_t *sasl_auth_name;
@@ -293,6 +294,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
{ "auth_method", default_string("none") },
{ "bind_dn", default_string("") },
{ "password", default_string("") },
+ { "krb5_principal", default_string("") },
{ "sasl_mech", default_string("GSSAPI") },
{ "sasl_user", default_string("") },
{ "sasl_auth_name", default_string("") },
@@ -330,6 +332,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
CHECK(str_new(mctx,&ldap_inst->base));
CHECK(str_new(mctx,&ldap_inst->bind_dn));
CHECK(str_new(mctx,&ldap_inst->password));
+ CHECK(str_new(mctx,&ldap_inst->krb5_principal));
CHECK(str_new(mctx,&ldap_inst->sasl_mech));
CHECK(str_new(mctx,&ldap_inst->sasl_user));
CHECK(str_new(mctx,&ldap_inst->sasl_auth_name));
@@ -346,6 +349,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
ldap_settings[i++].target = auth_method_str;
ldap_settings[i++].target = ldap_inst->bind_dn;
ldap_settings[i++].target = ldap_inst->password;
+ ldap_settings[i++].target = ldap_inst->krb5_principal;
ldap_settings[i++].target = ldap_inst->sasl_mech;
ldap_settings[i++].target = ldap_inst->sasl_user;
ldap_settings[i++].target = ldap_inst->sasl_auth_name;
@@ -381,12 +385,26 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
/* check we have the right data when SASL/GSSAPI is selected */
if ((ldap_inst->auth_method == AUTH_SASL)&&
- (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
- if ((ldap_inst->sasl_user == NULL) ||
- (str_len(ldap_inst->sasl_user) == 0)) {
- log_error("Sasl mech GSSAPI defined but sasl_user is empty");
- result = ISC_R_FAILURE;
- goto cleanup;
+ (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
+ if ((ldap_inst->krb5_principal == NULL) ||
+ (str_len(ldap_inst->krb5_principal) == 0)) {
+ if ((ldap_inst->sasl_user == NULL) ||
+ (str_len(ldap_inst->sasl_user) == 0)) {
+ char hostname[255];
+ if (gethostname(hostname, 255) != 0) {
+ log_error("SASL mech GSSAPI defined but krb5_principal"
+ "and sasl_user are empty. Could not get hostname");
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ } else {
+ str_sprintf(ldap_inst->krb5_principal, "DNS/%s", hostname);
+ log_debug(2, "SASL mech GSSAPI defined but krb5_principal"
+ "and sasl_user are empty, using default %s",
+ str_buf(ldap_inst->krb5_principal));
+ }
+ } else {
+ str_copy(ldap_inst->krb5_principal, ldap_inst->sasl_user);
+ }
}
}
@@ -447,6 +465,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp)
str_destroy(&ldap_inst->base);
str_destroy(&ldap_inst->bind_dn);
str_destroy(&ldap_inst->password);
+ str_destroy(&ldap_inst->krb5_principal);
str_destroy(&ldap_inst->sasl_mech);
str_destroy(&ldap_inst->sasl_user);
str_destroy(&ldap_inst->sasl_auth_name);
@@ -1618,7 +1637,7 @@ ldap_reconnect(ldap_connection_t *ldap_conn)
isc_result_t result;
LOCK(&ldap_inst->kinit_lock);
result = get_krb5_tgt(ldap_inst->mctx,
- str_buf(ldap_inst->sasl_user),
+ str_buf(ldap_inst->krb5_principal),
str_buf(ldap_inst->krb5_keytab));
UNLOCK(&ldap_inst->kinit_lock);
if (result != ISC_R_SUCCESS)
More information about the Freeipa-devel
mailing list