authorNathaniel McCallum <nathaniel@themccallums.org>2013-11-12 10:52:51 -0500
committerPetr Viktorin <pviktori@redhat.com>2014-02-19 10:15:36 +0100
commitb769d1c18678b5eede7505dec7938f6836070044 (patch)
treee4aa5b0c10baedf40a0fa5edcd15ae027e7ce30c
parentf67268db6855738350481491119b9be29ba1f22d (diff)
Add support to ipa-kdb for keyless principals
https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c18
-rw-r--r--util/ipa_krb5.c3
2 files changed, 21 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 8a8d67bb..f0be76ea 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1385,8 +1385,26 @@ static krb5_error_code ipadb_get_ldap_mod_key_data(struct ipadb_mods *imods,
{
krb5_error_code kerr;
struct berval *bval = NULL;
+ LDAPMod *mod;
int ret;
+ /* If the key data is empty, remove all keys. */
+ if (n_key_data == 0 || key_data == NULL) {
+ kerr = ipadb_mods_new(imods, &mod);
+ if (kerr != 0)
+ return kerr;
+
+ mod->mod_op = LDAP_MOD_DELETE;
+ mod->mod_bvalues = NULL;
+ mod->mod_type = strdup("krbPrincipalKey");
+ if (mod->mod_type == NULL) {
+ ipadb_mods_free_tip(imods);
+ return ENOMEM;
+ }
+
+ return 0;
+ }
+
ret = ber_encode_krb5_key_data(key_data, n_key_data, mkvno, &bval);
if (ret != 0) {
kerr = ret;
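Review bot: The new early branch treats `key_data == NULL` with a non-zero `n_key_data` the same as an intentional keyless request, so an inconsistent argument pair from a caller ends in a delete of every `krbPrincipalKey` value instead of an error. I would keep the delete path for the empty case only and reject the mismatch first, e.g. `if (key_data == NULL && n_key_data > 0) return EINVAL;`; the parameter types are outside the hunk, so adjust the comparison to match them. Separately, a delete with no values on an attribute the entry does not have is normally answered with noSuchAttribute by LDAP servers, so it is worth confirming that the caller tolerates this when the principal is already keyless. A comment on the function stating that empty key data removes all stored keys would help, since the name does not suggest a destructive path; the function body continues beyond the hunk.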
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index 934fd27d..cc84f992 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -296,6 +296,9 @@ void ipa_krb5_free_key_data(krb5_key_data *keys, int num_keys)
{
int i;
+ if (keys == NULL)
+ return;
+
for (i = 0; i < num_keys; i++) {
/* try to wipe key from memory,
* hopefully the compiler will not optimize it away */