summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-06-07 11:28:35 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-10 21:03:01 +0200
commit14452cd066b51e32ca0ebad6c45ae909a1debe57 (patch)
tree5c89a40d71008b0b2853b831d937a995e4a424ef
parent7b5e7e539ae9312ab55d75aa94feaad549b2a708 (diff)
downloadsssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.gz
sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.xz
sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.zip
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rwxr-xr-xsrc/config/SSSDConfigTest.py9
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/man/sssd-krb5.5.xml28
-rw-r--r--src/man/sssd-ldap.5.xml28
-rw-r--r--src/providers/ad/ad_common.c39
-rw-r--r--src/providers/ad/ad_opts.h2
-rw-r--r--src/providers/ipa/ipa_common.c35
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/krb5/krb5_common.c30
-rw-r--r--src/providers/krb5/krb5_common.h6
-rw-r--r--src/providers/krb5/krb5_init.c17
-rw-r--r--src/providers/krb5/krb5_opts.h1
-rw-r--r--src/providers/ldap/ldap_common.c8
-rw-r--r--src/providers/ldap/ldap_opts.h1
-rw-r--r--src/providers/ldap/sdap.h1
19 files changed, 163 insertions, 49 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b6e722fc2..4d7629e18 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -165,6 +165,7 @@ option_strings = {
'krb5_backup_server' : _('Kerberos backup server address'),
'krb5_realm' : _('Kerberos realm'),
'krb5_auth_timeout' : _('Authentication timeout'),
+ 'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
# [provider/krb5/auth]
'krb5_ccachedir' : _('Directory to store credential caches'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index f44fac727..ca344ad4d 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -614,7 +614,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_use_fast',
'krb5_fast_principal',
'krb5_canonicalize',
- 'krb5_use_enterprise_principal'])
+ 'krb5_use_enterprise_principal',
+ 'krb5_use_kdcinfo'])
options = domain.list_options()
@@ -773,7 +774,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_use_fast',
'krb5_fast_principal',
'krb5_canonicalize',
- 'krb5_use_enterprise_principal']
+ 'krb5_use_enterprise_principal',
+ 'krb5_use_kdcinfo']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -967,7 +969,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_use_fast',
'krb5_fast_principal',
'krb5_canonicalize',
- 'krb5_use_enterprise_principal'])
+ 'krb5_use_enterprise_principal',
+ 'krb5_use_kdcinfo'])
options = domain.list_options()
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 3be25e8da..120c82752 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -29,6 +29,7 @@ krb5_backup_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
krb5_canonicalize = bool, None, false
+krb5_use_kdcinfo = bool, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
ldap_entry_usn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index e6f1bb0a8..8a7e75f2a 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -35,6 +35,7 @@ krb5_server = str, None, false
krb5_backup_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
+krb5_use_kdcinfo = bool, None, false
krb5_kpasswd = str, None, false
krb5_backup_kpasswd = str, None, false
krb5_canonicalize = bool, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 89d16d779..e65ed01b6 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -4,6 +4,7 @@ krb5_server = str, None, false
krb5_backup_server = str, None, false
krb5_realm = str, None, true
krb5_auth_timeout = int, None, false
+krb5_use_kdcinfo = bool, None, false
krb5_kpasswd = str, None, false
krb5_backup_kpasswd = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 14e979da3..870cf20fc 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -21,6 +21,7 @@ krb5_kdcip = str, None, false
krb5_server = str, None, false
krb5_realm = str, None, false
krb5_canonicalize = bool, None, false
+krb5_use_kdcinfo = bool, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
ldap_entry_usn = str, None, false
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 731d77254..906aee096 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -452,6 +452,34 @@
</varlistentry>
<varlistentry>
+ <term>krb5_use_kdcinfo (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the SSSD should be instructing the Kerberos
+ libraries what realm and which KDCs to use. This option
+ is on by default, if you disable it, you need to configure
+ the Kerberos library using the
+ <citerefentry>
+ <refentrytitle>krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ configuration file.
+ </para>
+ <para>
+ See the
+ <citerefentry>
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ manual page for more information on the locator plugin.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>krb5_use_enterprise_principal (boolean)</term>
<listitem>
<para>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 97b5fdc57..9cd594c7b 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1589,6 +1589,34 @@
</varlistentry>
<varlistentry>
+ <term>krb5_use_kdcinfo (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the SSSD should be instructing the Kerberos
+ libraries what realm and which KDCs to use. This option
+ is on by default, if you disable it, you need to configure
+ the Kerberos library using the
+ <citerefentry>
+ <refentrytitle>krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ configuration file.
+ </para>
+ <para>
+ See the
+ <citerefentry>
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ manual page for more information on the locator plugin.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_pwd_policy (string)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index ea124d96d..1aad85de3 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -531,21 +531,23 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
goto done;
}
- /* Write krb5 info files */
- safe_address = sss_escape_ip_address(tmp_ctx,
- srvaddr->family,
- address);
- if (safe_address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
- ret = ENOMEM;
- goto done;
- }
+ if (service->krb5_service->write_kdcinfo) {
+ /* Write krb5 info files */
+ safe_address = sss_escape_ip_address(tmp_ctx,
+ srvaddr->family,
+ address);
+ if (safe_address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
- ret = write_krb5info_file(service->krb5_service->realm, safe_address,
- SSS_KRB5KDC_FO_SRV);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+ SSS_KRB5KDC_FO_SRV);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
ret = EOK;
@@ -846,6 +848,15 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
krb5_options[KRB5_REALM].opt_name,
krb5_realm));
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ ad_opts->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+ ad_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
*_opts = talloc_steal(mem_ctx, krb5_options);
ret = EOK;
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 218614dca..ba03c2329 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -88,6 +88,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_FALSE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -145,6 +146,7 @@ struct dp_option ad_def_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 76da6c1e1..671374098 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -664,6 +664,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
dp_opt_get_string(ipa_opts->auth, KRB5_REALM)));
}
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ ipa_opts->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+ ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
*_opts = ipa_opts->auth;
ret = EOK;
@@ -743,19 +752,21 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
talloc_zfree(service->sdap->sockaddr);
service->sdap->sockaddr = talloc_steal(service, sockaddr);
- safe_address = sss_escape_ip_address(tmp_ctx,
- srvaddr->family,
- address);
- if (safe_address == NULL) {
- DEBUG(1, ("sss_escape_ip_address failed.\n"));
- talloc_free(tmp_ctx);
- return;
- }
+ if (service->krb5_service->write_kdcinfo) {
+ safe_address = sss_escape_ip_address(tmp_ctx,
+ srvaddr->family,
+ address);
+ if (safe_address == NULL) {
+ DEBUG(1, ("sss_escape_ip_address failed.\n"));
+ talloc_free(tmp_ctx);
+ return;
+ }
- ret = write_krb5info_file(service->krb5_service->realm, safe_address,
- SSS_KRB5KDC_FO_SRV);
- if (ret != EOK) {
- DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+ SSS_KRB5KDC_FO_SRV);
+ if (ret != EOK) {
+ DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
talloc_free(tmp_ctx);
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4dfa72db4..fe81ed115 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -112,6 +112,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -274,6 +275,7 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index e60e6e0ef..9db14b8a6 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -452,18 +452,20 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
return;
}
- safe_address = talloc_asprintf_append(safe_address, ":%d",
- fo_get_server_port(server));
- if (safe_address == NULL) {
- DEBUG(1, ("talloc_asprintf_append failed.\n"));
- talloc_free(tmp_ctx);
- return;
- }
+ if (krb5_service->write_kdcinfo) {
+ safe_address = talloc_asprintf_append(safe_address, ":%d",
+ fo_get_server_port(server));
+ if (safe_address == NULL) {
+ DEBUG(1, ("talloc_asprintf_append failed.\n"));
+ talloc_free(tmp_ctx);
+ return;
+ }
- ret = write_krb5info_file(krb5_service->realm, safe_address,
- krb5_service->name);
- if (ret != EOK) {
- DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(krb5_service->realm, safe_address,
+ krb5_service->name);
+ if (ret != EOK) {
+ DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
talloc_free(tmp_ctx);
@@ -620,7 +622,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
const char *service_name,
const char *primary_servers,
const char *backup_servers,
- const char *realm, struct krb5_service **_service)
+ const char *realm,
+ bool use_kdcinfo,
+ struct krb5_service **_service)
{
TALLOC_CTX *tmp_ctx;
struct krb5_service *service;
@@ -655,6 +659,8 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
goto done;
}
+ service->write_kdcinfo = use_kdcinfo;
+
if (!primary_servers) {
DEBUG(SSSDBG_CONF_SETTINGS,
("No primary servers defined, using service discovery\n"));
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 85049360d..eb563888c 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -66,6 +66,7 @@ enum krb5_opts {
KRB5_FAST_PRINCIPAL,
KRB5_CANONICALIZE,
KRB5_USE_ENTERPRISE_PRINCIPAL,
+ KRB5_USE_KDCINFO,
KRB5_OPTS
};
@@ -82,6 +83,7 @@ struct tgt_times {
struct krb5_service {
char *name;
char *realm;
+ bool write_kdcinfo;
};
struct fo_service;
@@ -153,7 +155,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
const char *service_name,
const char *primary_servers,
const char *backup_servers,
- const char *realm, struct krb5_service **_service);
+ const char *realm,
+ bool use_kdcinfo,
+ struct krb5_service **_service);
void remove_krb5_info_files_callback(void *pvt);
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 1821d5b34..c6ec496e5 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -108,8 +108,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
return EINVAL;
}
- ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- krb5_backup_servers, krb5_realm, &ctx->service);
+ ret = krb5_service_init(ctx, bectx,
+ SSS_KRB5KDC_FO_SRV, krb5_servers,
+ krb5_backup_servers, krb5_realm,
+ dp_opt_get_bool(krb5_options->opts,
+ KRB5_USE_KDCINFO),
+ &ctx->service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
return ret;
@@ -130,9 +134,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
"will use KDC for pasword change operations!\n"));
ctx->kpasswd_service = NULL;
} else {
- ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV,
- krb5_kpasswd_servers, krb5_backup_kpasswd_servers,
- krb5_realm, &ctx->kpasswd_service);
+ ret = krb5_service_init(ctx, bectx,
+ SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
+ krb5_backup_kpasswd_servers, krb5_realm,
+ dp_opt_get_bool(krb5_options->opts,
+ KRB5_USE_KDCINFO),
+ &ctx->kpasswd_service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n"));
return ret;
diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h
index c8e64782e..400b7e338 100644
--- a/src/providers/krb5/krb5_opts.h
+++ b/src/providers/krb5/krb5_opts.h
@@ -44,6 +44,7 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index fd6f05def..96edd3362 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1269,8 +1269,12 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
}
}
- ret = krb5_service_init(mem_ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- krb5_backup_servers, krb5_realm, &service);
+ ret = krb5_service_init(mem_ctx, bectx,
+ SSS_KRB5KDC_FO_SRV, krb5_servers,
+ krb5_backup_servers, krb5_realm,
+ dp_opt_get_bool(opts,
+ SDAP_KRB5_USE_KDCINFO),
+ &service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
goto done;
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 807716c18..6857d4ca8 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -79,6 +79,7 @@ struct dp_option default_basic_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index f77636b3c..6f10efa4b 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -186,6 +186,7 @@ enum sdap_basic_opt {
SDAP_KRB5_BACKUP_KDC,
SDAP_KRB5_REALM,
SDAP_KRB5_CANONICALIZE,
+ SDAP_KRB5_USE_KDCINFO,
SDAP_PWD_POLICY,
SDAP_REFERRALS,
SDAP_ACCOUNT_CACHE_EXPIRATION,