[Freeipa-devel] Handling of multiple krbPrincipalNames and of krbCanonicalNames
Nathaniel McCallum
npmccallum at redhat.com
Thu May 29 16:30:51 UTC 2014
On Mon, 2013-10-07 at 15:53 -0400, Nalin Dahyabhai wrote:
> Comparing master's ipa-kdb's handling of krbPrincipalName and
> krbCanonicalName attributes with that of the upstream kldap driver,
> there are a few differences which I'm thinking are bugs.
>
> * If an entry has multiple krbPrincipalName values, the name which
> was used to look it up is required to match only the last value of the
> attribute that we read, not any of them.
>
> * If an entry has a krbCanonicalName value, and the name which we used
> to look it up doesn't match it, if database aliases are allowed, we
> return an error instead of using it to populate the returned entry.
>
> I'm attaching patches for both of these, though the second still doesn't
> quite match the behavior of kldap.so, in that we don't preserve the
> requested name if it differs from the canonical name only in case. I
> don't know that it matters, but I'm mentioning here just in case.
0001: ACK
0002: I don't think that matters. If it does, the fix is easy. ACK
Nathaniel
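
An added illustration of the two lookup behaviours discussed in this thread; it is not code from ipa-kdb, kldap or the attached patches. The struct, function names and sample principals are constructed for the example, case-only differences are not modelled, and returning no entry when aliases are not allowed is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of one directory entry; not ipa-kdb's data structures. */
struct entry {
    const char *const *names; /* krbPrincipalName values, NULL-terminated */
    const char *canonical;    /* krbCanonicalName, or NULL if absent */
};

/* Behaviour reported as a bug: only the last value read is compared. */
int match_last_only(const struct entry *e, const char *req)
{
    const char *last = NULL;
    for (size_t i = 0; e->names[i] != NULL; i++)
        last = e->names[i];
    return last != NULL && strcmp(last, req) == 0;
}

/* Behaviour described as intended: any value may match. */
int match_any(const struct entry *e, const char *req)
{
    for (size_t i = 0; e->names[i] != NULL; i++)
        if (strcmp(e->names[i], req) == 0)
            return 1;
    return 0;
}

/* Name to populate the returned entry with, or NULL for "no entry".
 * Aliases allowed: a differing krbCanonicalName is used, not an error.
 * Aliases not allowed: a mismatch returns NULL (assumption of this example). */
const char *resolve_name(const struct entry *e, const char *req, int aliases_ok)
{
    if (!match_any(e, req))
        return NULL;
    if (e->canonical == NULL || strcmp(e->canonical, req) == 0)
        return req;
    return aliases_ok ? e->canonical : NULL;
}

/* Constructed sample entry: two krbPrincipalName values, one canonical name. */
const char *const sample_names[] = { "alias@EXAMPLE.TEST", "user@EXAMPLE.TEST", NULL };
const struct entry sample = { sample_names, "user@EXAMPLE.TEST" };
int main(void)
{
    const char *r = resolve_name(&sample, "alias@EXAMPLE.TEST", 1);
    printf("last-only=%d any=%d resolved=%s\n", match_last_only(&sample, "alias@EXAMPLE.TEST"),
           match_any(&sample, "alias@EXAMPLE.TEST"), r ? r : "(none)");
    return 0;
}
```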