From b769d1c18678b5eede7505dec7938f6836070044 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Tue, 12 Nov 2013 10:52:51 -0500
Subject: Add support to ipa-kdb for keyless principals
https://fedorahosted.org/freeipa/ticket/3779
Reviewed-By: Alexander Bokovoy
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 18 ++++++++++++++++++
 util/ipa_krb5.c | 3 +++
 2 files changed, 21 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 8a8d67bb1..f0be76ea7 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1385,8 +1385,26 @@ static krb5_error_code ipadb_get_ldap_mod_key_data(struct ipadb_mods *imods,
 {
 krb5_error_code kerr;
 struct berval *bval = NULL;
+ LDAPMod *mod;
 int ret;
+ /* If the key data is empty, remove all keys. */
+ if (n_key_data == 0 || key_data == NULL) {
+ kerr = ipadb_mods_new(imods, &mod);
+ if (kerr != 0)
+ return kerr;
+
+ mod->mod_op = LDAP_MOD_DELETE;
+ mod->mod_bvalues = NULL;
+ mod->mod_type = strdup("krbPrincipalKey");
+ if (mod->mod_type == NULL) {
+ ipadb_mods_free_tip(imods);
+ return ENOMEM;
+ }
+
+ return 0;
+ }
+
 ret = ber_encode_krb5_key_data(key_data, n_key_data, mkvno, &bval);
 if (ret != 0) {
 kerr = ret;
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index 934fd27d8..cc84f9920 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -296,6 +296,9 @@ void ipa_krb5_free_key_data(krb5_key_data *keys, int num_keys)
 {
 int i;
+ if (keys == NULL)
+ return;
+
 for (i = 0; i < num_keys; i++) {
 /* try to wipe key from memory,
 * hopefully the compiler will not optimize it away */
--
cgit
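Review bot: In `ipadb_get_ldap_mod_key_data` the new guard `if (n_key_data == 0 || key_data == NULL)` treats a NULL `key_data` with a non-zero `n_key_data` the same as an intentionally empty key set, so an inconsistent caller silently queues an `LDAP_MOD_DELETE` of every `krbPrincipalKey` value. Because the outcome is a principal with no keys at all, I would reject that mismatch before the branch, e.g. `if (key_data == NULL && n_key_data != 0) return EINVAL;`. Whether any caller can reach that state, and whether deleting an attribute the entry does not currently have makes the later modify fail, is not visible here; the function body continues outside the hunk. The one-line comment could also name the effect: `/* No key data: queue deletion of all krbPrincipalKey values (keyless principal). */`.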
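Review bot: The context comment directly below the new `if (keys == NULL) return;` guard in `ipa_krb5_free_key_data` says the key wipe only "hopefully" survives optimisation. The wipe call itself is outside the hunk, but if it is a plain `memset` on memory that is freed afterwards, a compiler is allowed to drop it as a dead store and leave key bytes in freed heap memory. Where the platform provides it, `explicit_bzero(ptr, len)` (placeholder arguments), or a write through a `volatile` pointer, makes the zeroisation reliable and lets that comment state a guarantee instead of a hope.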