diff options
author | Sumit Bose <sbose@redhat.com> | 2017-05-24 16:10:26 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-05-25 13:05:42 +0200 |
commit | ca95807a9060e454ee68f6f30558d6f7ee968c39 (patch) | |
tree | 8930c1614f6f28b76a96c50945d91cc8527573d8 | |
parent | 274489b092bba5fc81cb0f803843d56b267c5aaf (diff) | |
download | sssd-ca95807a9060e454ee68f6f30558d6f7ee968c39.tar.gz sssd-ca95807a9060e454ee68f6f30558d6f7ee968c39.tar.xz sssd-ca95807a9060e454ee68f6f30558d6f7ee968c39.zip |
krb5: accept changed principal if krb5_canonicalize=True
Currently SSSD accepts significant changes in the principal only if
krb5_use_enterprise_principal=True. But canonicalization can lead to
similar changes so they should be accepted in this case as well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3408
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 894bd41bd..03ea9d88c 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -829,6 +829,7 @@ static void krb5_auth_done(struct tevent_req *subreq) char *renew_interval_str; time_t renew_interval_time = 0; bool use_enterprise_principal; + bool canonicalize; ret = handle_child_recv(subreq, pd, &buf, &len); talloc_zfree(subreq); @@ -908,6 +909,7 @@ static void krb5_auth_done(struct tevent_req *subreq) use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_USE_ENTERPRISE_PRINCIPAL); + canonicalize = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_CANONICALIZE); /* Check if the cases of our upn are correct and update it if needed. * Fail if the upn differs by more than just the case for non-enterprise @@ -915,6 +917,7 @@ static void krb5_auth_done(struct tevent_req *subreq) if (res->correct_upn != NULL && strcmp(kr->upn, res->correct_upn) != 0) { if (strcasecmp(kr->upn, res->correct_upn) == 0 || + canonicalize == true || use_enterprise_principal == true) { talloc_free(kr->upn); kr->upn = talloc_strdup(kr, res->correct_upn); |