From 319c46ea2bf6052afad2a93ebf7cd618504a2ba7 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 21 Feb 2011 11:29:37 -0500
Subject: Allow krb5_realm to override ipa_domain

It is possible to set up FreeIPA servers where the Kerberos realm differs from the IPA domain name. We need to allow setting the krb5_realm explicitly to handle this.
---
 src/providers/ipa/ipa_common.c | 43 +++++++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 9 deletions(-)
(limited to 'src/providers/ipa/ipa_common.c')
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index c146735c7..b748289bc 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -589,13 +589,15 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
 }
 int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
- const char *servers, const char *domain,
+ const char *servers,
+ struct ipa_options *options,
 struct ipa_service **_service)
 {
 TALLOC_CTX *tmp_ctx;
 struct ipa_service *service;
 char **list = NULL;
 char *realm;
+ const char *domain;
 int ret;
 int i;
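Review bot: `realm` keeps its `char *` type while the new `domain` declaration is `const char *`, even though after this change nothing writes through `realm` any more (the in-place upper-casing in the next hunk runs on the `talloc_strdup` copy, not on the option value); declaring it `const char *realm;` next to `domain` would make both configuration values read-only at the type level. `dp_opt_get_string` appears to return a non-const pointer, so the assignment compiles either way — confirm against its prototype. The body of ipa_service_init continues past the end of this hunk.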
@@ -639,15 +641,38 @@ int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
 }
 service->sdap->kinit_service_name = service->krb5_service->name;
- realm = talloc_strdup(service, domain);
- if (!realm) {
- ret = ENOMEM;
- goto done;
- }
- for (i = 0; realm[i]; i++) {
- realm[i] = toupper(realm[i]);
+ /* First check whether the realm has been manually specified */
+ realm = dp_opt_get_string(options->id->basic, SDAP_KRB5_REALM);
+ if (realm) {
+ /* krb5_realm exists in the configuration, use it */
+ service->krb5_service->realm =
+ talloc_strdup(service->krb5_service, realm);
+ if (!service->krb5_service->realm) {
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ /* No explicit krb5_realm, use the IPA domain */
+ domain = dp_opt_get_string(options->basic, IPA_DOMAIN);
+ if (!domain) {
+ DEBUG(0, ("Missing ipa_domain option!\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ service->krb5_service->realm =
+ talloc_strdup(service->krb5_service, domain);
+ if (!service->krb5_service->realm) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Use the upper-case IPA domain for the kerberos realm */
+ for (i = 0; service->krb5_service->realm[i]; i++) {
+ service->krb5_service->realm[i] =
+ toupper(service->krb5_service->realm[i]);
+ }
 }
- service->krb5_service->realm = realm;
 if (!servers) {
 servers = BE_SRV_IDENTIFIER;
-- cgit
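Review bot: The upper-casing loop at the end of the else branch passes a plain `char` to `toupper()`, which is undefined behaviour for negative values should the configured ipa_domain ever contain non-ASCII bytes on a platform where char is signed; the removed loop had the same problem, but the rewritten line is the place to fix it: `toupper((unsigned char)service->krb5_service->realm[i]);`. An explicitly configured krb5_realm is copied verbatim with no case normalisation while the derived one is upper-cased, which looks intentional (realm names are case-sensitive), so the branch comment could say so: `/* krb5_realm exists in the configuration, use it verbatim (realms are case-sensitive) */`. An empty-string krb5_realm value would also pass the `if (realm)` test and yield an empty realm; whether dp_opt_get_string can return "" for an unset-but-present option is not visible here. ipa_service_init's body continues on both sides of this hunk.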