authorSimo Sorce <simo@redhat.com>2013-11-26 15:41:31 +0000
committerPetr Viktorin <pviktori@redhat.com>2013-11-26 16:44:37 +0100
commita1165ffbb80446890e3757113c9682c8526ed666 (patch)
tree6fd0b2c39fe8d7064451e562725b0a1880fcbfec
parentba0da01c1d4eee25841aa0e19316d6953ff1bdea (diff)
Add krbticketPolicyAux objectclass if needed
When modifying ticket flags add the objectclass to the object if it is missing. https://fedorahosted.org/freeipa/ticket/3901
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h1
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c34
2 files changed, 35 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1c2aefc4..5ad256b0 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -117,6 +117,7 @@ struct ipadb_e_data {
struct ipapwd_policy *pol;
time_t last_admin_unlock;
char **authz_data;
+ bool has_tktpolaux;
};
struct ipadb_context *ipadb_get_context(krb5_context kcontext);
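Review bot: The new `has_tktpolaux` member of `struct ipadb_e_data` has no comment saying what it records or when it is valid. In the hunks shown it is only ever set to true while parsing an LDAP entry, so it is a snapshot taken at read time, and it presumably depends on the structure being zero-filled at allocation, which is not visible here. I would document it in place, for example `bool has_tktpolaux; /* entry carried krbTicketPolicyAux when last read from LDAP; false if never parsed */`.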
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 38059d29..a5209522 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -468,6 +468,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->ipa_user = true;
}
+ /* check if it has the krbTicketPolicyAux objectclass */
+ ret = ipadb_ldap_attr_has_value(lcontext, lentry,
+ "objectClass", "krbTicketPolicyAux");
+ if (ret != 0 && ret != ENOENT) {
+ kerr = ret;
+ goto done;
+ }
+ if (ret == 0) {
+ ied->has_tktpolaux = true;
+ }
+
ret = ipadb_ldap_attr_to_str(lcontext, lentry,
"krbPwdPolicyReference", &restring);
switch (ret) {
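Review bot: At the `ret != 0 && ret != ENOENT` test, ENOENT leaves `has_tktpolaux` false whether the class is really absent or the `objectClass` values were simply not returned or not matched. The modify path in `ipadb_entry_to_mods` then queues an LDAP_MOD_ADD of a value the entry may already hold, which a directory server would normally reject, failing the whole ticket-flags change. LDAP objectClass values are case-insensitive, so it is worth confirming that `ipadb_ldap_attr_has_value` compares without regard to case and that the principal search requests `objectClass`; neither is visible in this hunk. A short comment would record the assumption, for example `/* relies on objectClass being in the requested attrs and on a case-insensitive match */`. The flag also does not appear to be set after a successful add, so a second modification reusing the same entry data would repeat it; `ipadb_parse_ldap_entry` continues outside this hunk.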
@@ -1411,6 +1422,29 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
/* KADM5_ATTRIBUTES */
if (entry->mask & KMASK_ATTRIBUTES) {
+ /* if the object does not have the krbTicketPolicyAux class
+ * we need to add it or this will fail, only for modifications.
+ * We always add this objectclass by default when doing an add
+ * from scratch. */
+ if ((mod_op == LDAP_MOD_REPLACE) && entry->e_data) {
+ struct ipadb_e_data *ied;
+
+ ied = (struct ipadb_e_data *)entry->e_data;
+ if (ied->magic != IPA_E_DATA_MAGIC) {
+ kerr = EINVAL;
+ goto done;
+ }
+
+ if (!ied->has_tktpolaux) {
+ kerr = ipadb_get_ldap_mod_str(imods, "objectclass",
+ "krbTicketPolicyAux",
+ LDAP_MOD_ADD);
+ if (kerr) {
+ goto done;
+ }
+ }
+ }
+
kerr = ipadb_get_ldap_mod_int(imods,
"krbTicketFlags",
(int)entry->attributes,