[Freeipa-devel] [PATCH PoC] proper support of kerberos principal aliases
David Kupka
dkupka at redhat.com
Wed Sep 9 14:21:22 UTC 2015
On 09/09/15 15:59, Simo Sorce wrote:
> On Wed, 2015-09-09 at 10:52 +0200, Martin Babinsky wrote:
>> if (found) {
>> + /* replace the incoming principal with the value got
>> from LDAP
>> + * search. This is needed so that correctly case
>> principal is
>> + * returned in the case when canonicalization is
>> switched on
>> + * and no krbcanonicalname attribute is present in
>> the entry.
>> + */
>> + free(*principal);
>> + *principal = strdup(vals[i]->bv_val);
>> + if (!(*principal)) {
>> + return KRB5_KDB_INTERNAL_ERROR;
>> + }
>> break;
>
>
> This unconditionally replaces the principal even when canonicalization
> is not requested. Shouldn't this replace be conditional on
> KRB5_KDB_FLAGS_ALIAS_OK being set ?
>
> Simo.
>
It's not obvious from first look but it actually depends on the
KRB5_KDB_FLAGS_ALIAS_OK.
When KRB5_KDB_FLAGS_ALIAS_OK is true the 'found' variable is the result
of case-insensitive comparison.
When it's false 'found' variable is the result of case-sensitive comparison.
In case of case-sensitive match we're replacing the principal with the
exactly same value though effectively not changing it.
--
David Kupka
More information about the Freeipa-devel
mailing list