summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2012-11-19 17:34:56 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-20 08:19:47 +0100
commit7df5fd383ed1f1b26c0a9a0071d6e4fc612550e7 (patch)
treec6b9bb69ac48e65f6413f4057aa5498d14afd876
parente02bfe598789636ad2625809174069fab3a57705 (diff)
downloadsssd-7df5fd383ed1f1b26c0a9a0071d6e4fc612550e7.tar.gz
sssd-7df5fd383ed1f1b26c0a9a0071d6e4fc612550e7.tar.xz
sssd-7df5fd383ed1f1b26c0a9a0071d6e4fc612550e7.zip
LDAP: Make it possible to use full principal in ldap_sasl_authid again
-rw-r--r--src/man/sssd-ldap.5.xml5
-rw-r--r--src/providers/ldap/ldap_common.c20
2 files changed, 21 insertions, 4 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 2d62c11f2..b1be45fe2 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1418,6 +1418,9 @@
Specify the SASL authorization id to use.
When GSSAPI is used, this represents the Kerberos
principal used for authentication to the directory.
+ This option can either contain the full principal (for
+ example host/myhost@EXAMPLE.COM) or just the principal name
+ (for example host/myhost).
</para>
<para>
Default: host/hostname@REALM
@@ -1431,6 +1434,8 @@
<para>
Specify the SASL realm to use. When not specified,
this option defaults to the value of krb5_realm.
+ If the ldap_sasl_authid contains the realm as well,
+ this option is ignored.
</para>
<para>
Default: the value of krb5_realm.
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 516ba179d..f8b921adf 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1009,6 +1009,7 @@ sdap_set_sasl_options(struct sdap_options *id_opts,
TALLOC_CTX *tmp_ctx;
char *sasl_primary;
char *desired_primary;
+ char *primary_realm;
char *sasl_realm;
char *desired_realm;
bool primary_requested = true;
@@ -1024,12 +1025,23 @@ sdap_set_sasl_options(struct sdap_options *id_opts,
desired_primary = default_primary;
}
- desired_realm = dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM);
- if (!desired_realm) {
- realm_requested = false;
- desired_realm = default_realm;
+ if ((primary_realm = strchr(desired_primary, '@'))) {
+ *primary_realm = '\0';
+ desired_realm = primary_realm+1;
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ ("authid contains realm [%s]\n", desired_realm));
+ } else {
+ desired_realm = dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM);
+ if (!desired_realm) {
+ realm_requested = false;
+ desired_realm = default_realm;
+ }
}
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Will look for %s@%s in %s\n",
+ desired_primary, desired_realm,
+ keytab_path ? keytab_path : "default keytab"));
+
ret = select_principal_from_keytab(tmp_ctx,
desired_primary, desired_realm,
keytab_path,