Support to request canonicalization in LDAP/IPA provider

https://fedorahosted.org/sssd/ticket/957
author: Jan Zeleny <jzeleny@redhat.com> 2011-11-01 10:19:04 -0400
committer: Stephen Gallagher <sgallagh@redhat.com> 2011-11-02 14:10:31 -0400
commit: ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 (patch)
tree: d2033a77c277be1c49cba8ff54e4d3d7070721d0 /src/providers
parent: 7dfc7617085c403d30debe9f08d4c9bcca322744 (diff)
download: sssd-ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8.tar.gz
sssd-ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8.tar.xz
sssd-ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8.zip
7 files changed, 28 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b68c72b49..8f9d5d779 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -78,6 +78,7 @@ struct dp_option ipa_def_ldap_opts[] = {
     /* use the same parm name as the krb5 module so we set it only once */
     { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
     { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 20074b45b..40c5e5320 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
  * module, so that if they change and ipa is not updated correspondingly
  * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 52
+#define IPA_OPTS_BASIC_TEST 53
 
 /* the following define is used to keep track of the options in the krb5
  * module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index b0051fa91..02c7e5573 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -139,6 +139,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     char *realm_name = NULL;
     char *full_princ = NULL;
     char *default_realm = NULL;
+    char *tmp_str = NULL;
     krb5_context context = NULL;
     krb5_keytab keytab = NULL;
     krb5_ccache ccache = NULL;
@@ -147,6 +148,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     krb5_get_init_creds_opt options;
     krb5_error_code krberr;
     krb5_timestamp kdc_time_offset;
+    int canonicalize = 0;
     int kdc_time_offset_usec;
     int ret;
 
@@ -253,6 +255,12 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     krb5_get_init_creds_opt_set_proxiable(&options, 0);
     krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
 
+    tmp_str = getenv("KRB5_CANONICALIZE");
+    if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+        canonicalize = 1;
+    }
+    sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+
     krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
                                         keytab, 0, NULL, &options);
 
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 8f5b8ac4f..9e2c2a4ae 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -69,6 +69,7 @@ struct dp_option default_basic_opts[] = {
     /* use the same parm name as the krb5 module so we set it only once */
     { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
     { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 1ea57082f..b32560a8f 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -183,6 +183,7 @@ enum sdap_basic_opt {
     SDAP_KRB5_KINIT,
     SDAP_KRB5_KDC,
     SDAP_KRB5_REALM,
+    SDAP_KRB5_CANONICALIZE,
     SDAP_PWD_POLICY,
     SDAP_REFERRALS,
     SDAP_ACCOUNT_CACHE_EXPIRATION,
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index e628c7daa..5da2cff4e 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -92,6 +92,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
                                    const char *keytab,
                                    const char *principal,
                                    const char *realm,
+                                   bool canonicalize,
                                    int lifetime);
 
 int sdap_kinit_recv(struct tevent_req *req,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index c69b9bce0..076e7ee37 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -784,6 +784,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
                                    const char *keytab,
                                    const char *principal,
                                    const char *realm,
+                                   bool canonicalize,
                                    int lifetime)
 {
     struct tevent_req *req;
@@ -821,6 +822,18 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
         }
     }
 
+    if (canonicalize) {
+        ret = setenv("KRB5_CANONICALIZE", "true", 1);
+    } else {
+        ret = setenv("KRB5_CANONICALIZE", "false", 1);
+    }
+    if (ret == -1) {
+        DEBUG(2, ("Failed to set KRB5_CANONICALIZE to %s\n",
+                  ((canonicalize)?"true":"false")));
+        talloc_free(req);
+        return NULL;
+    }
+
     subreq = sdap_kinit_next_kdc(req);
     if (!subreq) {
         talloc_free(req);
@@ -1400,6 +1413,8 @@ static void sdap_cli_kinit_step(struct tevent_req *req)
                         dp_opt_get_string(state->opts->basic,
                                                    SDAP_SASL_AUTHID),
                         realm,
+                        dp_opt_get_bool(state->opts->basic,
+                                                   SDAP_KRB5_CANONICALIZE),
                         dp_opt_get_int(state->opts->basic,
                                                    SDAP_KRB5_TICKET_LIFETIME));
     if (!subreq) {
author	Jan Zeleny <jzeleny@redhat.com>	2011-11-01 10:19:04 -0400
committer	Stephen Gallagher <sgallagh@redhat.com>	2011-11-02 14:10:31 -0400
commit	ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 (patch)
tree	d2033a77c277be1c49cba8ff54e4d3d7070721d0 /src/providers
parent	7dfc7617085c403d30debe9f08d4c9bcca322744 (diff)
download	sssd-ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8.tar.gz sssd-ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8.tar.xz sssd-ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8.zip