From e81a816cddab4a62f263d1a0274d5d3f101e8e0f Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Tue, 29 Mar 2011 02:46:25 -0400 Subject: Modify principal selection for keytab authentication Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781 --- src/providers/ldap/sdap_child_helpers.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'src/providers/ldap/sdap_child_helpers.c') diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c index 5a15e661e..d0f6caeb2 100644 --- a/src/providers/ldap/sdap_child_helpers.c +++ b/src/providers/ldap/sdap_child_helpers.c @@ -458,6 +458,12 @@ int setup_child(struct sdap_id_ctx *ctx) const char *mech; unsigned v; FILE *debug_filep; + const char *realm; + + realm = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_REALM); + if (!realm) { + realm = dp_opt_get_string(ctx->opts->basic, SDAP_KRB5_REALM); + } mech = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_MECH); @@ -468,8 +474,7 @@ int setup_child(struct sdap_id_ctx *ctx) if (mech && (strcasecmp(mech, "GSSAPI") == 0)) { ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic, SDAP_SASL_AUTHID), - dp_opt_get_string(ctx->opts->basic, - SDAP_KRB5_REALM), + realm, dp_opt_get_string(ctx->opts->basic, SDAP_KRB5_KEYTAB)); -- cgit