Modify principal selection for keytab authentication

Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
author: Jan Zeleny <jzeleny@redhat.com> 2011-03-29 02:46:25 -0400
committer: Stephen Gallagher <sgallagh@redhat.com> 2011-04-25 08:06:34 -0400
commit: e81a816cddab4a62f263d1a0274d5d3f101e8e0f (patch)
tree: de3d6baa2ac2d39c4d50d1ce5a911e435dc0e3a9 /src/providers/ldap
parent: d03617ab9106c14b46ab3dc85d5c8ced393da533 (diff)
download: sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.gz
sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.xz
sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.zip
5 files changed, 19 insertions, 6 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index f4be18571..fb8dd8063 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -196,8 +196,9 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
         }
         hostname[511] = '\0';
 
-        full_princ = talloc_asprintf(memctx, "host/%s@%s",
-                                     hostname, realm_name);
+        ret = select_principal_from_keytab(memctx, hostname, realm_name,
+                                           keytab_name, &full_princ, NULL, NULL);
+        if (ret) goto done;
     }
     if (!full_princ) {
         krberr = KRB5KRB_ERR_GENERIC;
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 39e9b71dc..11c4491f9 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -63,6 +63,7 @@ struct dp_option default_basic_opts[] = {
     { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     /* use the same parm name as the krb5 module so we set it only once */
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index fce95accc..c06b8a3b7 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -172,6 +172,7 @@ enum sdap_basic_opt {
     SDAP_ID_TLS,
     SDAP_SASL_MECH,
     SDAP_SASL_AUTHID,
+    SDAP_SASL_REALM,
     SDAP_KRB5_KEYTAB,
     SDAP_KRB5_KINIT,
     SDAP_KRB5_KDC,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index b295c56e9..500e5f886 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1318,6 +1318,12 @@ static void sdap_cli_kinit_step(struct tevent_req *req)
     struct sdap_cli_connect_state *state = tevent_req_data(req,
                                              struct sdap_cli_connect_state);
     struct tevent_req *subreq;
+    const char *realm;
+
+    realm = dp_opt_get_string(state->opts->basic, SDAP_SASL_REALM);
+    if (!realm) {
+        realm = dp_opt_get_string(state->opts->basic, SDAP_KRB5_REALM);
+    }
 
     subreq = sdap_kinit_send(state, state->ev,
                              state->be,
@@ -1329,8 +1335,7 @@ static void sdap_cli_kinit_step(struct tevent_req *req)
                                                    SDAP_KRB5_KEYTAB),
                         dp_opt_get_string(state->opts->basic,
                                                    SDAP_SASL_AUTHID),
-                        dp_opt_get_string(state->opts->basic,
-                                                   SDAP_KRB5_REALM),
+                        realm,
                         dp_opt_get_int(state->opts->basic,
                                                    SDAP_KRB5_TICKET_LIFETIME));
     if (!subreq) {
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index 5a15e661e..d0f6caeb2 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -458,6 +458,12 @@ int setup_child(struct sdap_id_ctx *ctx)
     const char *mech;
     unsigned v;
     FILE *debug_filep;
+    const char *realm;
+
+    realm = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_REALM);
+    if (!realm) {
+        realm = dp_opt_get_string(ctx->opts->basic, SDAP_KRB5_REALM);
+    }
 
     mech = dp_opt_get_string(ctx->opts->basic,
                              SDAP_SASL_MECH);
@@ -468,8 +474,7 @@ int setup_child(struct sdap_id_ctx *ctx)
     if (mech && (strcasecmp(mech, "GSSAPI") == 0)) {
         ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic,
                                                        SDAP_SASL_AUTHID),
-                                     dp_opt_get_string(ctx->opts->basic,
-                                                       SDAP_KRB5_REALM),
+                                     realm,
                                      dp_opt_get_string(ctx->opts->basic,
                                                        SDAP_KRB5_KEYTAB));
author	Jan Zeleny <jzeleny@redhat.com>	2011-03-29 02:46:25 -0400
committer	Stephen Gallagher <sgallagh@redhat.com>	2011-04-25 08:06:34 -0400
commit	e81a816cddab4a62f263d1a0274d5d3f101e8e0f (patch)
tree	de3d6baa2ac2d39c4d50d1ce5a911e435dc0e3a9 /src/providers/ldap
parent	d03617ab9106c14b46ab3dc85d5c8ced393da533 (diff)
download	sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.gz sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.xz sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.zip