Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/baseuser.py | 2 | ||||
-rw-r--r-- | ipaserver/plugins/host.py | 2 | ||||
-rw-r--r-- | ipaserver/plugins/service.py | 10 | ||||
-rw-r--r-- | ipaserver/plugins/stageuser.py | 3 |
4 files changed, 9 insertions, 8 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index bbea403d9..7bb2e8a63 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -39,6 +39,7 @@ from ipalib.util import ( remove_sshpubkey_from_output_post, remove_sshpubkey_from_output_list_post, add_sshpubkey_to_attrs_pre, + set_krbcanonicalname ) if six.PY3:
@@ -497,6 +498,7 @@ class baseuser_add(LDAPCreate): def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) + set_krbcanonicalname(entry_attrs) self.obj.convert_usercertificate_pre(entry_attrs) def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 919927c3d..0072431de 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -50,6 +50,7 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options, remove_sshpubkey_from_output_list_post, normalize_hostname, hostname_validator, + set_krbcanonicalname ) from ipapython.ipautil import ipa_generate_password, CheckedIPAddress from ipapython.dnsutil import DNSName
@@ -632,6 +633,7 @@ class host_add(LDAPCreate): entry_attrs['objectclass'].append('krbprincipalaux') if 'krbprincipal' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbprincipal') + set_krbcanonicalname(entry_attrs) else: if 'krbprincipalaux' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipalaux')
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 24031eb42..cb9952d44 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
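Review bot: The added `set_krbcanonicalname(entry_attrs)` call in `baseuser_add.pre_common_callback` carries no comment on where the value comes from or what happens when the incoming entry already has a `krbcanonicalname`. The helper lives in ipalib.util, outside this diff, so please confirm it cannot leave a canonical name that disagrees with `krbprincipalname`, because that is presumably the name the KDC hands back when a client asks for canonicalization. The same question applies to `stageuser_activate` in stageuser.py, where `entry_to` is built from a staged entry. I would put `# canonical name is derived from krbprincipalname and must match it on a new entry` above each call. The subclasses that fill in `krbprincipalname` before this callback runs are not visible in the hunk.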
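Review bot: In `host_add`, `set_krbcanonicalname(entry_attrs)` runs only in the branch that appends `krbprincipalaux` and `krbprincipal`; the `else` branch strips those classes and sets nothing. A host created through that branch and given a principal later would, as far as this diff shows, never receive `krbcanonicalname`, since host.py changes only the import and this one line. If that later path is handled elsewhere, a short comment here saying so would help, e.g. `# hosts without Kerberos classes get krbcanonicalname when they are enrolled`. The enclosing `if` condition and the rest of the callback lie outside the hunk.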
@@ -576,14 +576,8 @@ class service_add(LDAPCreate): if not 'managedby' in entry_attrs: entry_attrs['managedby'] = hostresult['dn'] - # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches - # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos - # schema - entry_attrs['ipakrbprincipalalias'] = keys[-1] - - # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in - # in a list of default objectclasses, add it manually - entry_attrs['objectclass'].append('ipakrbprincipal') + # set krbcanonicalname attribute to enable principal canonicalization + util.set_krbcanonicalname(entry_attrs) update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 86b1935f3..9d5d40453 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -44,6 +44,7 @@ from .baseuser import ( baseuser_add_manager, baseuser_remove_manager) from ipalib.request import context +from ipalib.util import set_krbcanonicalname from ipalib import _, ngettext from ipalib import output from ipaplatform.paths import paths
@@ -532,6 +533,8 @@ class stageuser_activate(LDAPQuery): if 'krbprincipalname' not in entry_from: entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0], api.env.realm) + set_krbcanonicalname(entry_to) + def __dict_new_entry(self, *args, **options): ldap = self.obj.backend |
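Review bot: New service entries no longer get `ipakrbprincipalalias` or the `ipakrbprincipal` object class, yet the replacement comment does not say what now provides the case-insensitive matching the removed comment gave as the reason for them. Entries created before and after this change will differ, so any filter or access rule that still keys on the alias or on `objectclass=ipakrbprincipal` would miss new services; that is worth checking and stating in the comment, e.g. `# krbcanonicalname supersedes ipakrbprincipalalias for new entries`. The call is also spelled `util.set_krbcanonicalname` here while the other three files import the name directly, and the `util` import is not visible in this hunk.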