author | Simo Sorce <ssorce@redhat.com> | 2012-02-28 10:47:18 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2012-02-28 13:03:22 -0500 |
commit | 372d67ae81403cb919e3617563e8950e711623a1 (patch) | |
tree | 4e3035648d77a6a8db0a2c58293a1d9d7820d6ca /daemons/ipa-kdb | |
parent | 33c29033c84cef47bc1c80f6fbbdd585254872ce (diff) | |
ipa-kdb: fix delegation acl check
We need to check for a matching ACL entry only if a match has not already been
found; otherwise results are unpredictable and order-dependent.
Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_delegation.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c
index 579a9f315..5ae5e0d9d 100644
--- a/daemons/ipa-kdb/ipa_kdb_delegation.c
+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
@@ -140,7 +140,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
 switch (ret) {
 case 0:
 for (dres = deref_results; dres; dres = dres->next) {
- if (strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
+ if (client_found == false &&
+ strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
 /* NOTE: client_missing is used to signal that the
 * attribute was completely missing. This signals that
 * ANY client is allowed to be impersonated.
@@ -148,7 +149,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
 client_missing = false;
 client_found = ipadb_match_member(client_princ, dres);
 }
- if (strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
+ if (target_found == false &&
+ strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
 target_found = ipadb_match_member(target_princ, dres);
 }
 }
 } |
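Review bot: The new guards in both hunks are written as `client_found == false &&` and `target_found == false &&`, which C idiom spells `!client_found &&` and `!target_found &&`; the explicit comparison reads as if the flags could take a third value. The reason for the guard lives only in the commit message, so each guarded `if` deserves a one-line comment such as `/* First match wins: a later non-matching value must not reset a match already found. */`. Before this change each further value of the same attribute reassigned the flag, so a true result could be overwritten by a later false one and the delegation decision depended on the order of the dereferenced values; with the guard the check becomes "allowed if any value matches" for both the client and the target. The enclosing ipadb_match_acl() starts and ends outside both hunks, so it cannot be confirmed here that client_found and target_found are initialised to false before the loop, which the guard now relies on.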