From e02bfe598789636ad2625809174069fab3a57705 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 19 Nov 2012 17:36:55 +0100
Subject: LDAP: Checking the principal should not be considered fatal

The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
---
 src/providers/ldap/ldap_common.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 07e9c5d4f..516ba179d 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1038,12 +1038,16 @@ sdap_set_sasl_options(struct sdap_options *id_opts,
 goto done;
 }
 
- if ((primary_requested && strcmp(desired_primary, sasl_primary) != 0) ||
- (realm_requested && strcmp(desired_realm, sasl_realm) != 0)) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Configured SASL auth ID/realm not found in keytab.\n"));
- ret = ENOENT;
- goto done;
+ if (primary_requested && strcmp(desired_primary, sasl_primary) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Configured SASL auth ID not found in keytab. " "Requested %s, found %s\n", desired_primary, sasl_primary));
+ }
+
+ if (realm_requested && strcmp(desired_realm, sasl_realm) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Configured SASL realm not found in keytab. " "Requested %s, found %s\n", desired_realm, sasl_realm));
 }
 
 ret = dp_opt_set_string(id_opts->basic,
-- 
cgit
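Review bot: The realm branch is downgraded along with the primary branch, but the justification in the description (the `host/` prefix that select_principal_from_keytab strips from the primary) does not apply to the realm, so an explicitly configured realm that differs from what the keytab yields now only logs at SSSDBG_MINOR_FAILURE and execution falls through to the dp_opt_set_string call with the keytab's values. That means an administrator who pinned the realm gets authentication attempted against a different realm than configured, with no error returned; if SSSDBG_MINOR_FAILURE is below the daemon's default verbosity the substitution is effectively silent. I would keep the realm mismatch fatal: in the realm branch change `SSSDBG_MINOR_FAILURE` to `SSSDBG_CRIT_FAILURE` and restore `ret = ENOENT; goto done;` before its closing brace, leaving only the primary check non-fatal as the description intends. For the primary branch a comment such as `/* Non-fatal: the keytab helper strips service prefixes like host/, so the primary may legitimately differ from the configured auth ID. */` would record why the mismatch is tolerated. sdap_set_sasl_options begins and ends outside this hunk.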