diff options
| author | Alexander Bokovoy <abokovoy@redhat.com> | 2012-03-26 14:23:42 +0300 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2012-06-07 09:39:10 +0200 |
| commit | cbb1d626b913a7ce802150aa15bda761c9768695 (patch) | |
| tree | 2a4f05111ec95abce4e7a613749028eec9eae4dc /ipalib | |
| parent | 27517c2008d040f340fa2b9ace51fba4baea3eef (diff) | |
| download | freeipa-cbb1d626b913a7ce802150aa15bda761c9768695.tar.gz freeipa-cbb1d626b913a7ce802150aa15bda761c9768695.tar.xz freeipa-cbb1d626b913a7ce802150aa15bda761c9768695.zip | |
Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/plugins/service.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 24a0a0f87..60035bf6d 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -221,7 +221,7 @@ class service(LDAPObject): object_name_plural = _('services') object_class = [ 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', - 'ipaservice', 'pkiuser' + 'ipaservice', 'pkiuser', 'ipakrbprincipal' ] search_attributes = ['krbprincipalname', 'managedby'] default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] @@ -293,6 +293,11 @@ class service_add(LDAPCreate): if not 'managedby' in entry_attrs: entry_attrs['managedby'] = hostresult['dn'] + # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches + # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos + # schema + entry_attrs['ipakrbprincipalalias'] = keys[-1] + return dn api.register(service_add) |