From 7df5fd383ed1f1b26c0a9a0071d6e4fc612550e7 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 19 Nov 2012 17:34:56 +0100 Subject: LDAP: Make it possible to use full principal in ldap_sasl_authid again --- src/man/sssd-ldap.5.xml | 5 +++++ src/providers/ldap/ldap_common.c | 20 ++++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 2d62c11f2..b1be45fe2 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1418,6 +1418,9 @@ Specify the SASL authorization id to use. When GSSAPI is used, this represents the Kerberos principal used for authentication to the directory. + This option can either contain the full principal (for + example host/myhost@EXAMPLE.COM) or just the principal name + (for example host/myhost). Default: host/hostname@REALM @@ -1431,6 +1434,8 @@ Specify the SASL realm to use. When not specified, this option defaults to the value of krb5_realm. + If the ldap_sasl_authid contains the realm as well, + this option is ignored. Default: the value of krb5_realm. diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 516ba179d..f8b921adf 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -1009,6 +1009,7 @@ sdap_set_sasl_options(struct sdap_options *id_opts, TALLOC_CTX *tmp_ctx; char *sasl_primary; char *desired_primary; + char *primary_realm; char *sasl_realm; char *desired_realm; bool primary_requested = true; 
@@ -1024,12 +1025,23 @@ sdap_set_sasl_options(struct sdap_options *id_opts, desired_primary = default_primary; } - desired_realm = dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM); - if (!desired_realm) { - realm_requested = false; - desired_realm = default_realm; + if ((primary_realm = strchr(desired_primary, '@'))) { + *primary_realm = '\0'; + desired_realm = primary_realm+1; + DEBUG(SSSDBG_TRACE_INTERNAL, + ("authid contains realm [%s]\n", desired_realm)); + } else { + desired_realm = dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM); + if (!desired_realm) { + realm_requested = false; + desired_realm = default_realm; + } } + DEBUG(SSSDBG_CONF_SETTINGS, ("Will look for %s@%s in %s\n", + desired_primary, desired_realm, + keytab_path ? keytab_path : "default keytab")); + ret = select_principal_from_keytab(tmp_ctx, desired_primary, desired_realm, keytab_path, -- cgit
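Review bot: `*primary_realm = '\0'` writes into whatever buffer `desired_primary` points at, which in the visible branch is the caller's `default_primary` and otherwise whatever was assigned above the hunk (presumably the stored `ldap_sasl_authid` value). The configured string is therefore truncated as a side effect, and `desired_realm` aliases its tail. Splitting a private copy avoids this: `desired_primary = talloc_strdup(tmp_ctx, desired_primary);` with a NULL check before the `strchr`. The split also accepts `host/myhost@` and `@EXAMPLE.COM`, passing an empty realm or primary to `select_principal_from_keytab`; a guard such as `if (primary_realm == desired_primary || primary_realm[1] == '\0')` that takes the function's existing failure path would reject these as a configuration error. The body of `sdap_set_sasl_options` starts and ends outside the hunk, so later uses of these pointers could not be checked.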