| field | value | date |
|---|---|---|
| author | Rich Megginson <rmeggins@redhat.com> | 2009-09-23 10:39:00 -0600 |
| committer | Rich Megginson <rmeggins@redhat.com> | 2009-09-23 11:49:53 -0600 |
| commit | 3d735f37cf613e68e10ab916f6752fbe3ffc0e1a (patch) | |
| tree | 16cad9e661645b222cdae6a2f23a98db96b7d962 | |
| parent | 7f9f26112388c6915fafb1b60b41a2d3e1e4e51e (diff) | |
| download | ds-3d735f37cf613e68e10ab916f6752fbe3ffc0e1a.tar.gz ds-3d735f37cf613e68e10ab916f6752fbe3ffc0e1a.tar.xz ds-3d735f37cf613e68e10ab916f6752fbe3ffc0e1a.zip | |
empty principal name used when using server to server sasl for db chaining
https://bugzilla.redhat.com/show_bug.cgi?id=513308
Resolves: bug 513308
Bug Description: empty principal name used when using server to server sasl for db chaining
Reviewed by: nhosoi (Thanks!)
Fix Description: Change the logic to check if the username is a valid principal name. A valid principal name in this context will be a non-empty string that
does not contain the '=' character (which will be a bind DN in this context).
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
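The following is an added example, not code from the 389-ds tree: it models the three-way principal selection that set_krb5_creds() performs (explicit principal, then the bind username, then a constructed ldap/fqdn@REALM) with both the old and the new guard side by side, so the effect of the fix on an empty username and on a bind DN can be checked without a KDC. The function and variable names, the sample host chain.example.com and realm EXAMPLE.COM are assumptions made here; krb5_parse_name() is not called, only the decision of which name would be handed to it is reproduced.

```c
/* Added example (not 389-ds code): which principal name would be chosen
 * by the set_krb5_creds() fallback chain, under the pre-fix and post-fix
 * guard. krb5_parse_name() itself is not invoked here. */
#include <stdio.h>
#include <string.h>

enum princ_source { SRC_EXPLICIT = 1, SRC_USERNAME = 2, SRC_CONSTRUCTED = 3 };

/* Pre-fix guard from the diff: only strings containing '=' are rejected,
 * so the empty string passes. */
static int looks_like_a_dn(const char *username)
{
    return (username && strchr(username, '=')) ? 1 : 0;
}

/* Post-fix guard from the diff: non-empty and no '=' anywhere. */
static int looks_like_a_princ_name(const char *name)
{
    return (name && *name && !strchr(name, '=')) ? 1 : 0;
}

/* Decide which source the principal name comes from. `fixed` selects
 * the post-fix guard. The chosen name is written to out. */
static enum princ_source choose_principal(int fixed, const char *explicit_princ,
                                          const char *username,
                                          const char *fqdn, const char *realm,
                                          char *out, size_t outlen)
{
    if (explicit_princ) {                       /* case 1: configured principal */
        snprintf(out, outlen, "%s", explicit_princ);
        return SRC_EXPLICIT;
    }
    int use_username = fixed ? looks_like_a_princ_name(username)
                             : (username && !looks_like_a_dn(username));
    if (use_username) {                         /* case 2: bind username as-is */
        snprintf(out, outlen, "%s", username);
        return SRC_USERNAME;
    }
    snprintf(out, outlen, "ldap/%s@%s", fqdn, realm); /* case 3: construct */
    return SRC_CONSTRUCTED;
}

/* Sample host and realm are assumptions for this example. */
#define SAMPLE_FQDN  "chain.example.com"
#define SAMPLE_REALM "EXAMPLE.COM"

/* Convenience wrappers so the outcome for a given username can be
 * inspected by source code and by resulting name. */
static int source_for(int fixed, const char *username)
{
    char buf[256];
    return (int)choose_principal(fixed, NULL, username, SAMPLE_FQDN,
                                 SAMPLE_REALM, buf, sizeof buf);
}

static const char *name_for(int fixed, const char *username)
{
    static char buf[256];
    choose_principal(fixed, NULL, username, SAMPLE_FQDN, SAMPLE_REALM,
                     buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed inputs: the empty name from the bug report, a bind DN,
     * and a real-looking principal. */
    const char *inputs[] = { "", "cn=chain,cn=config",
                             "ldap/chain.example.com@EXAMPLE.COM" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("username [%s]\n  before fix: case %d -> [%s]\n",
               inputs[i], source_for(0, inputs[i]), name_for(0, inputs[i]));
        printf("  after fix:  case %d -> [%s]\n",
               source_for(1, inputs[i]), name_for(1, inputs[i]));
    }
    return 0;
}
```

Running it shows the bug directly: before the fix the empty username is selected as case 2 and would be passed to krb5_parse_name() as "", while after the fix both the empty string and the DN fall through to the constructed ldap/chain.example.com@EXAMPLE.COM, and only the principal-shaped username is used as given.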
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | ldap/servers/slapd/ldaputil.c | 9 |

1 file changed, 6 insertions, 3 deletions
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c index 4ea56143..9c69254f 100644 --- a/ldap/servers/slapd/ldaputil.c +++ b/ldap/servers/slapd/ldaputil.c @@ -1112,9 +1112,12 @@ cleanup: } static int -looks_like_a_dn(const char *username) +looks_like_a_princ_name(const char *name) { - return (username && strchr(username, '=')); + /* a valid principal name will be a non-empty string + that doesn't have a = in it (which will likely be + a bind DN) */ + return (name && *name && !strchr(name, '=')); } static int @@ -1335,7 +1338,7 @@ set_krb5_creds( 2) use username 3) construct one in the form ldap/fqdn@REALM */ - if (!princ && username && !looks_like_a_dn(username) && + if (!princ && looks_like_a_princ_name(username) && (rc = krb5_parse_name(ctx, username, &princ))) { slapi_log_error(SLAPI_LOG_FATAL, logname, "Error: could not convert [%s] into a kerberos " |
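Review bot: in the first hunk, the new `*name` test closes the empty-name case, but the comment says a '=' "will likely be a bind DN", so the heuristic also rejects any principal name that happens to contain '=' and accepts any non-empty string that does not; krb5_parse_name() in the caller stays the real validator. State that limitation in the comment rather than leaving it at "likely", e.g. `/* non-empty and no '='; rejects bind DNs, and any principal containing '=' */`, so a later reader does not treat this as a full principal-name check.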
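Review bot: in the second hunk, the case list in the comment just above the changed condition ("2) use username 3) construct one in the form ldap/fqdn@REALM") no longer describes the behaviour: an empty username, or one containing '=', now silently falls through to case 3 instead of being handed to krb5_parse_name() and hitting the "could not convert" FATAL log. Update the comment so the fall-through is visibly intentional, e.g. `2) use username, if it is non-empty and does not look like a DN`.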
