diff options
| author | Martin Babinsky <mbabinsk@redhat.com> | 2016-06-27 08:48:29 +0200 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-06-27 13:38:07 +0200 |
| commit | 7b8247a485081a6f1f5201e286ac17228f976355 (patch) | |
| tree | 651c6afa1684c240cf4f586b358f6013e3b33293 /ipaserver | |
| parent | 7bf3b1d546f22eeb61dce58cb69d471f834b8aac (diff) | |
| download | freeipa-7b8247a485081a6f1f5201e286ac17228f976355.tar.gz freeipa-7b8247a485081a6f1f5201e286ac17228f976355.tar.xz freeipa-7b8247a485081a6f1f5201e286ac17228f976355.zip | |
keep setting ipakrbprincipal objectclass on new service entries
this is required for replica promotion to work, since the ACI allowing hosts
to add their own services uses this objectclass as target filter.
This partially reverts changes from commit
705f66f7490c64de1adc129221b31927616c485d
https://fedorahosted.org/freeipa/ticket/5996
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/plugins/service.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index cb9952d44..701314f8d 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -576,6 +576,15 @@ class service_add(LDAPCreate): if not 'managedby' in entry_attrs: entry_attrs['managedby'] = hostresult['dn'] + # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches + # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos + # schema + entry_attrs['ipakrbprincipalalias'] = keys[-1] + + # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in + # in a list of default objectclasses, add it manually + entry_attrs['objectclass'].append('ipakrbprincipal') + # set krbcanonicalname attribute to enable principal canonicalization util.set_krbcanonicalname(entry_attrs) |