keep setting ipakrbprincipal objectclass on new service entries

this is required for replica promotion to work, since the ACI allowing hosts to add their own services uses this objectclass as target filter. This partially reverts changes from commit 705f66f7490c64de1adc129221b31927616c485d https://fedorahosted.org/freeipa/ticket/5996 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
author: Martin Babinsky <mbabinsk@redhat.com> 2016-06-27 08:48:29 +0200
committer: Martin Basti <mbasti@redhat.com> 2016-06-27 13:38:07 +0200
commit: 7b8247a485081a6f1f5201e286ac17228f976355 (patch)
tree: 651c6afa1684c240cf4f586b358f6013e3b33293
parent: 7bf3b1d546f22eeb61dce58cb69d471f834b8aac (diff)
download: freeipa-7b8247a485081a6f1f5201e286ac17228f976355.tar.gz
freeipa-7b8247a485081a6f1f5201e286ac17228f976355.tar.xz
freeipa-7b8247a485081a6f1f5201e286ac17228f976355.zip
3 files changed, 13 insertions, 1 deletions
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cb9952d44..701314f8d 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -576,6 +576,15 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
+        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
+        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
+        # schema
+        entry_attrs['ipakrbprincipalalias'] = keys[-1]
+
+        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
+        # in a list of default objectclasses, add it manually
+        entry_attrs['objectclass'].append('ipakrbprincipal')
+
         # set krbcanonicalname attribute to enable principal canonicalization
         util.set_krbcanonicalname(entry_attrs)
 
diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 7050de289..134a08803 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -100,6 +100,7 @@ service = [
     u'ipaobject',
     u'ipaservice',
     u'pkiuser',
+    u'ipakrbprincipal',
     u'top',
 ]
 
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 3009521c3..f22824f9a 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -239,6 +239,7 @@ class test_service(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
+                    ipakrbprincipalalias=[service1],
                     krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
@@ -301,7 +302,8 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
-                        krbcanonicalname=service1,
+                        ipakrbprincipalalias=[service1],
+                        krbcanonicalname=[service1],
                         objectclass=objectclasses.service,
                         ipauniqueid=[fuzzy_uuid],
                         has_keytab=False,
author	Martin Babinsky <mbabinsk@redhat.com>	2016-06-27 08:48:29 +0200
committer	Martin Basti <mbasti@redhat.com>	2016-06-27 13:38:07 +0200
commit	7b8247a485081a6f1f5201e286ac17228f976355 (patch)
tree	651c6afa1684c240cf4f586b358f6013e3b33293
parent	7bf3b1d546f22eeb61dce58cb69d471f834b8aac (diff)
download	freeipa-7b8247a485081a6f1f5201e286ac17228f976355.tar.gz freeipa-7b8247a485081a6f1f5201e286ac17228f976355.tar.xz freeipa-7b8247a485081a6f1f5201e286ac17228f976355.zip