[Freeipa-devel] fixing Kerberos principal aliases handling in IPA

Martin Babinsky mbabinsk at redhat.com
Tue Sep 1 14:39:59 UTC 2015


Hi list,

I own the following ticket https://fedorahosted.org/freeipa/ticket/3864 
and I would like to clarify what needs to be done in order to make IPA 
fully support multiple aliases per entry.

So far I have identified these tasks based on the ticket comments and 
discussion with Simo way back in the past:

1.) mark 'ipaKrbPrincipalAlias' attribute as deprecated so that it is 
not used in the new code.

2.) fix ACIs that do not permit setting multiple values of 
'krbPrincipalName' attribute per entry (see 
https://fedorahosted.org/freeipa/ticket/3961)

3.) Modify KDB backend (namely 'ipadb_fetch_principal' and 
'ipadb_find_principal' functions) to correctly perform lookup of 
krbprincipalname/krbcanonicalname, i.e. search krbprincipalname 
case-insensitively and krbcanonicalname case-sensitively, return 
krbcanonicalname when canonicalization is requested.

4.) Modify KDB backend and IPA framework to handle creation of both 
krbprincipalname and krbcanonicalname. I am not quite sure what cases 
should be covered here (I remember that we should create 
krbcanonicalname when we add other aliases to krbprincipalname), so it 
would be nice if you could comment on this.

5.) write tests which cover all this stuff so that we don't shoot 
ourselves in the foot.

I am not very well versed in Kerberos so I might get some of this stuff 
wrong. If that's the case please point me in the right direction. Also 
please write me some additional stuff which I have forgot and needs to be 
done.

-- 
Martin^3 Babinsky
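
A minimal in-memory model of the lookup rule in item 3, added here as an illustration and not FreeIPA code: the `princ_entry` type, `model_lookup` and the sample principals are hypothetical. What happens when canonicalization is not requested (only an exact-case alias is accepted) is an assumption the message does not state.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_NAMES 4

/* Constructed stand-in for an LDAP principal entry (hypothetical type). */
struct princ_entry {
    const char *canonical;         /* krbcanonicalname (single value) */
    const char *names[MAX_NAMES];  /* krbprincipalname values, NULL-padded */
};

/* Constructed sample data, not taken from any real deployment. */
static const struct princ_entry sample_db[] = {
    { "alice@EXAMPLE.TEST", { "alice@EXAMPLE.TEST", "asmith@EXAMPLE.TEST" } },
    { "HTTP/web.example.test@EXAMPLE.TEST",
      { "HTTP/web.example.test@EXAMPLE.TEST", "HTTP/www.example.test@EXAMPLE.TEST" } },
};
#define SAMPLE_N (sizeof(sample_db) / sizeof(sample_db[0]))

/* Returns the principal name to use for the matched entry, or NULL. */
const char *model_lookup(const struct princ_entry *db, size_t n,
                         const char *req, int canonicalize)
{
    for (size_t i = 0; i < n; i++) {
        /* krbcanonicalname is compared case-sensitively. */
        if (strcmp(db[i].canonical, req) == 0)
            return db[i].canonical;
        for (size_t j = 0; j < MAX_NAMES && db[i].names[j]; j++) {
            /* krbprincipalname is searched case-insensitively. */
            if (strcasecmp(db[i].names[j], req) != 0)
                continue;
            if (canonicalize)
                return db[i].canonical;  /* alias resolves to canonical name */
            /* Assumption: without canonicalization only an exact-case
             * alias is accepted, and it is returned as requested. */
            if (strcmp(db[i].names[j], req) == 0)
                return db[i].names[j];
        }
    }
    return NULL;
}

int main(void)
{
    const char *r = model_lookup(sample_db, SAMPLE_N, "ASmith@EXAMPLE.TEST", 1);
    printf("%s\n", r ? r : "(not found)");
    return 0;
}
```
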



