[Freeipa-devel] Handling of multiple krbPrincipalNames and of krbCanonicalNames

Petr Viktorin pviktori at redhat.com
Fri May 30 07:50:27 UTC 2014


On 05/29/2014 06:30 PM, Nathaniel McCallum wrote:
> On Mon, 2013-10-07 at 15:53 -0400, Nalin Dahyabhai wrote:
>> Comparing master's ipa-kdb's handling of krbPrincipalName and
>> krbCanonicalName attributes with that of the upstream kldap driver,
>> there are a few differences which I'm thinking are bugs.
>>
>> * If an entry has multiple krbPrincipalName values, the name which
>>    was used to look it up is required to match only the last value of the
>>    attribute that we read, not any of them.
>>
>> * If an entry has a krbCanonicalName value, and the name which we used
>>    to look it up doesn't match it, if database aliases are allowed, we
>>    return an error instead of using it to populate the returned entry.
>>
>> I'm attaching patches for both of these, though the second still doesn't
>> quite match the behavior of kldap.so, in that we don't preserve the
>> requested name if it differs from the canonical name only in case.  I
>> don't know that it matters, but I'm mentioning here just in case.
>
> 0001: ACK
>
> 0002: I don't think that matters. If it does, the fix is easy. ACK
>
> Nathaniel

Added link to ticket and pushed to master: 
16092c39073e6512e897dc671fd22b2b583ea5b5


-- 
Petr³
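
A simplified model of the two lookup behaviours discussed in this thread, added here as an illustration; it is not code from ipa-kdb, kldap or the attached patches. The `struct entry` layout, the function names and the sample principals are hypothetical, names are compared as plain strings, and returning "not found" when aliases are not allowed is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified view of one directory entry. */
struct entry {
    const char **names;     /* krbPrincipalName values, in the order read */
    size_t n_names;
    const char *canonical;  /* krbCanonicalName, or NULL if absent */
};

/* Constructed sample data: one entry with two names and a canonical name. */
static const char *sample_names[] = {
    "host/web.example.test@EXAMPLE.TEST",
    "host/www.example.test@EXAMPLE.TEST",
};
static const struct entry sample = { sample_names, 2, "host/web.example.test@EXAMPLE.TEST" };

/* First point in the thread: only the last value read is compared. */
static int match_last_only(const struct entry *e, const char *searched)
{
    const char *last = e->n_names ? e->names[e->n_names - 1] : NULL;
    return last != NULL && strcmp(last, searched) == 0;
}

/* Intended behaviour: the searched name may match any of the values. */
static int match_any(const struct entry *e, const char *searched)
{
    for (size_t i = 0; i < e->n_names; i++)
        if (strcmp(e->names[i], searched) == 0)
            return 1;
    return 0;
}

/* Second point: when the searched name differs from krbCanonicalName and
 * aliases are allowed, the canonical name populates the returned entry.
 * Returns the name to use, or NULL when the lookup fails (assumed for the
 * aliases-not-allowed case). */
static const char *resolve_name(const struct entry *e, const char *searched, int aliases_ok)
{
    if (!match_any(e, searched))
        return NULL;
    if (e->canonical == NULL || strcmp(e->canonical, searched) == 0)
        return searched;
    return aliases_ok ? e->canonical : NULL;
}

int main(void)
{
    printf("last-only: %d, any: %d\n", match_last_only(&sample, sample_names[0]),
           match_any(&sample, sample_names[0]));
    return 0;
}
```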



