authorAlexander Bokovoy <abokovoy@redhat.com>2012-03-26 14:23:42 +0300
committerMartin Kosek <mkosek@redhat.com>2012-06-07 09:39:10 +0200
commitcbb1d626b913a7ce802150aa15bda761c9768695 (patch)
tree2a4f05111ec95abce4e7a613749028eec9eae4dc /install
parent27517c2008d040f340fa2b9ace51fba4baea3eef (diff)
downloadfreeipa-cbb1d626b913a7ce802150aa15bda761c9768695.tar.gz
freeipa-cbb1d626b913a7ce802150aa15bda761c9768695.tar.xz
freeipa-cbb1d626b913a7ce802150aa15bda761c9768695.zip
Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contains upper case letters. The actual implementation follows hints set by the KDC. When AP_REQ is done, the KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
Diffstat (limited to 'install')
-rw-r--r--install/share/61kerberos-ipav3.ldif3
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/updates/10-60basev3.update2
3 files changed, 6 insertions, 0 deletions
diff --git a/install/share/61kerberos-ipav3.ldif b/install/share/61kerberos-ipav3.ldif
new file mode 100644
index 000000000..dcdaa5d08
--- /dev/null
+++ b/install/share/61kerberos-ipav3.ldif
@@ -0,0 +1,3 @@
+dn: cn=schema
+attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
+objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
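Review bot: `ipaKrbPrincipalAlias` is compared with `caseIgnoreMatch`, but nothing in this schema stops two entries from holding aliases that differ only in case, so a case-insensitive TGS lookup could match more than one principal. `SINGLE-VALUE` limits each entry to one alias; it does not make the value unique across the directory. Uniqueness should be enforced wherever the alias is written, and the lookup code (not part of this view, which is limited to install/) should reject multiple matches rather than pick one. A comment above the definition would record that requirement, for example `# ipaKrbPrincipalAlias is matched case-insensitively; values must be unique across all principal entries`. The same definition is repeated in the install/updates/10-60basev3.update hunk, and the two copies have to be kept identical.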
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 81fd0dc15..68c98e05a 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -9,6 +9,7 @@ app_DATA = \
60basev2.ldif \
60basev3.ldif \
60ipadns.ldif \
+ 61kerberos-ipav3.ldif \
65ipasudo.ldif \
anonymous-vlv.ldif \
bootstrap-template.ldif \
diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update
index 796eb16ff..96d012c14 100644
--- a/install/updates/10-60basev3.update
+++ b/install/updates/10-60basev3.update
@@ -4,3 +4,5 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' D
add:attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3')
add:objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $$ ipaAllowedTarget ) X-ORIGIN 'IPA v3' )
+add:attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
+add:objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $$ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
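Review bot: None of the three files in this view adds an equality index for `ipaKrbPrincipalAlias`, although the commit message says the attribute is searched on TGS requests. If no index is defined elsewhere in the tree, each such lookup would be an unindexed search, which becomes a load and availability concern on a KDC with many principals. It is worth confirming that an index definition accompanies this schema update. Separately, `ipaKrbPrincipal` lists the alias under `MUST`, so any upgrade step that adds the class to existing entries has to populate the alias in the same modification or the write will be rejected.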