From 3eb64f0a5c1968c97af5bfb4718c36b9f824ea8f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 12 Feb 2013 09:44:32 +0100 Subject: ipa-kdb: Read ipaKrbAuthzData with other principal data The ipaKrbAuthzData LDAP attribute is read together with the other data of the requestedprincipal and the read value(s) are stored in the e-data of the entry for later use. https://fedorahosted.org/freeipa/ticket/2960 --- daemons/ipa-kdb/ipa_kdb.h | 1 + daemons/ipa-kdb/ipa_kdb_principals.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) (limited to 'daemons/ipa-kdb') diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 7b1576124..9daaab80d 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -105,6 +105,7 @@ struct ipadb_e_data { char **pw_history; struct ipapwd_policy *pol; time_t last_admin_unlock; + char **authz_data; }; struct ipadb_context *ipadb_get_context(krb5_context kcontext); diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 13f6a21f1..11c155e64 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -63,6 +63,7 @@ static char *std_principal_attrs[] = { /* IPA SPECIFIC ATTRIBUTES */ "nsaccountlock", "passwordHistory", + IPA_KRB_AUTHZ_DATA_ATTR, "objectClass", NULL @@ -237,6 +238,7 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, krb5_kvno mkvno = 0; char **restrlist; char *restring; + char **authz_data_list; krb5_timestamp restime; bool resbool; int result; @@ -503,6 +505,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, ied->last_admin_unlock = restime; } + ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, + IPA_KRB_AUTHZ_DATA_ATTR, &authz_data_list); + if (ret != 0 && ret != ENOENT) { + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + if (ret == 0) { + ied->authz_data = authz_data_list; + } + + kerr = 0; done: 
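Review bot: The new `authz_data` member of struct ipadb_e_data is undocumented, and its ownership matters because the same commit frees it in ipadb_free_principal. The neighbouring members (`pw_history`, `pol`, `last_admin_unlock`) are equally bare, so this follows local style, but a one-line comment on the new field would spare the next reader a trip through ipadb_parse_ldap_entry: `/* NULL-terminated list of raw ipaKrbAuthzData values read from LDAP; owned by this entry, released in ipadb_free_principal */`. Whether the member is guaranteed NULL when the attribute is absent depends on how `ied` is allocated, which is not visible in this diff, so I would state that only if the allocation zeroes the struct.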
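Review bot: On the ENOENT path the new code in ipadb_parse_ldap_entry leaves `ied->authz_data` untouched, so its value is whatever `ied` carried from allocation; the allocation is outside this hunk, and the free loop added in the same commit tests the field for NULL, so the invariant is assumed rather than established here. Making it explicit costs one line and removes the dependency on a zeroing allocator: replace the `if (ret == 0) { ied->authz_data = authz_data_list; }` block with `ied->authz_data = (ret == 0) ? authz_data_list : NULL;` (or initialise `char **authz_data_list = NULL;` and assign unconditionally). The strings are stored without any check of their content, which is fine for a parser, but the consumer of `authz_data` that is not part of this commit should treat them as untrusted directory content and reject values it does not recognise rather than falling back to a permissive default; a short comment above the new call saying that validation is deferred to the consumer would make that contract visible. ipadb_parse_ldap_entry's body starts before the hunk, so I have not checked where `kerr` was previously set to 0 and whether the added `kerr = 0;` duplicates an earlier assignment.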
@@ -831,6 +844,10 @@ void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry) free(ied->pw_history[i]); } free(ied->pw_history); + for (i = 0; ied->authz_data && ied->authz_data[i]; i++) { + free(ied->authz_data[i]); + } + free(ied->authz_data); free(ied->pol); free(ied); } -- cgit
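Review bot: The new loop at the end of ipadb_free_principal duplicates the `pw_history` loop directly above it, and the `ied->authz_data &&` guard is re-evaluated on every iteration rather than once. Unless the file already has a helper for this (I can only see the hunk), a small static function that releases a NULL-terminated string list would turn both sites into one call each, `ipadb_free_strlist(ied->pw_history); ipadb_free_strlist(ied->authz_data);`, and gives the NULL-accepting behaviour a documented home. The function's body begins before the hunk, so I have not checked what type `i` has or whether it is used elsewhere in the function.
```c
/* Free a NULL-terminated list of heap strings; a NULL list is a no-op. */
static void ipadb_free_strlist(char **list)
{
    if (list == NULL) {
        return;
    }
    for (size_t i = 0; list[i] != NULL; i++) {
        free(list[i]);
    }
    free(list);
}

/* … unchanged: ipadb_free_principal up to the pw_history loop … */
    ipadb_free_strlist(ied->pw_history);
    ipadb_free_strlist(ied->authz_data);
    free(ied->pol);
    free(ied);
```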