[Freeipa-devel] [PATCH PoC] proper support of kerberos principal aliases
Simo Sorce
simo at redhat.com
Wed Sep 9 13:59:17 UTC 2015
On Wed, 2015-09-09 at 10:52 +0200, Martin Babinsky wrote:
> if (found) {
> + /* replace the incoming principal with the value got
> from LDAP
> + * search. This is needed so that correctly case
> principal is
> + * returned in the case when canonicalization is
> switched on
> + * and no krbcanonicalname attribute is present in
> the entry.
> + */
> + free(*principal);
> + *principal = strdup(vals[i]->bv_val);
> + if (!(*principal)) {
> + return KRB5_KDB_INTERNAL_ERROR;
> + }
> break;
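Review bot: In the `if (!(*principal))` branch, `return KRB5_KDB_INTERNAL_ERROR;` exits from inside the block that is still reading `vals[i]`, so any cleanup of `vals` that follows this loop would be skipped, and by then `free(*principal)` has already released the caller's original string. Consider duplicating into a temporary first and only freeing and assigning `*principal` once the copy has succeeded; on failure, record the error and `break` so the function leaves through its normal cleanup path. Also note that `strdup(vals[i]->bv_val)` relies on the value being NUL-terminated; if that is not guaranteed at this point, copy by length instead.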
This unconditionally replaces the principal even when canonicalization
is not requested. Shouldn't this replace be conditional on
KRB5_KDB_FLAGS_ALIAS_OK being set?
Simo.
--
Simo Sorce * Red Hat, Inc * New York