[Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling

Sumit Bose sbose at redhat.com
Tue Apr 26 13:03:53 UTC 2016


On Thu, Apr 14, 2016 at 12:59:55PM -0400, Matt Rogers wrote:
> 
> 
> ----- Original Message -----
> > From: "Nathaniel McCallum" <npmccallum at redhat.com>
> > To: "Matt Rogers" <mrogers at redhat.com>, freeipa-devel at redhat.com
> > Sent: Thursday, April 14, 2016 10:32:15 AM
> > Subject: Re: [Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling
> > 
> > On Mon, 2016-04-11 at 10:41 -0400, Matt Rogers wrote:
> > > Hi,
> > > 
> > > The attached patch is a part of the authentication indicator
> > > enhancements,
> > > adding indicator value storage and retrieval for the KDB driver.
> > > 
> > > https://fedorahosted.org/freeipa/ticket/5782
> > 
> > Can you add some whitespace in next_attr()? The density of the code
> > there hurts readability.
> > 
> Sure, I've attached the revised patch.

Hi Matt,

thank you for the patch. Currently I have the following question.

You call krb5_dbe_set_string to remove the 'require_auth' data before
calling ipadb_get_ldap_mod_extra_data():

> +        /* Delete authinds from tl_data so it is not included in krbExtraData. */
> +        kerr = krb5_dbe_set_string(kcontext, entry, "require_auth", NULL);
> +        if (kerr) {
> +            goto done;
> +        }
> +
>          kerr = ipadb_get_ldap_mod_extra_data(imods,
>                                               entry->tl_data,
>                                               mod_op);
> 
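Review bot: The krb5_dbe_set_string(kcontext, entry, "require_auth", NULL) call edits the caller's entry in place rather than a copy, so any later user of the same entry sees it without the require_auth string. If that side effect is intended, the comment should say so and say where the indicator values are stored instead; otherwise leave entry untouched and rely on a single exclusion mechanism, so that there are not two code paths to keep in sync.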

Why is it needed to filter this data again in
ipadb_get_ldap_mod_extra_data()?

> +
>  static krb5_error_code ipadb_get_ldap_mod_extra_data(struct ipadb_mods *imods,
>                                                       krb5_tl_data *tl_data,
>                                                       int mod_op)
>  {
>      krb5_error_code kerr;
>      krb5_tl_data *data;
> +    krb5_tl_data *data_tmp = NULL;
>      struct berval **bvs = NULL;
>      krb5_int16 be_type;
>      int n, i;
> @@ -1463,6 +1663,20 @@ static krb5_error_code ipadb_get_ldap_mod_extra_data(struct ipadb_mods *imods,
>              continue;
>          }
>  
> +        /* Exclude any auth indicators from krbExtraData */
> +        kerr = filter_authind_str_attrs(data, &data_tmp);
> +        if (kerr) {
> +            goto done;
> +        }
> +        if (data_tmp != NULL) {
> +            if (data_tmp->tl_data_contents == NULL) {
> +                free(data_tmp);
> +                data_tmp = NULL;
> +                continue;
> +            }
> +            data = data_tmp;
> +        }
> +
>          be_type = htons(data->tl_data_type);
>  
>          bvs[i] = calloc(1, sizeof(struct berval));
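Review bot: In the non-empty branch, data = data_tmp; replaces the loop variable with the allocated result of filter_authind_str_attrs(), and nothing in the visible lines frees data_tmp or its tl_data_contents afterwards; the only free(data_tmp) is in the empty-contents branch. If the loop advances through data->tl_data_next, it would then follow the filtered element's next pointer instead of the original list's, and the next call to filter_authind_str_attrs(data, &data_tmp) overwrites the pointer to the previous result. Suggest keeping data as the iterator, using a separate pointer for the element that gets encoded, and freeing the filtered element and resetting data_tmp to NULL at the end of each iteration and under the done label.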

bye,
Sumit



