authorAlexander Bokovoy <abokovoy@redhat.com>2015-08-10 20:26:59 +0000
committerSimo Sorce <simo@redhat.com>2015-08-10 17:03:29 -0400
commit9f49886f941772731c8ecca8825b2d87ffa0ccc9 (patch)
tree1c3114ffffc054eb4a5f31682301c341d838c208
parentfb592697d0be22111994f02c0586ac26012b122e (diff)
TODO: make sure a single krbPrincipalName value gets used for canonicalization tookdc-fixes
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 5fb280d62..c69a8817d 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -827,7 +827,8 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
struct ipadb_context *ipactx;
bool found = false;
LDAPMessage *le = NULL;
- struct berval **vals;
+ struct berval **canonvals = NULL;
+ struct berval **vals = NULL;
int i, result;
ipactx = ipadb_get_context(kcontext);
@@ -870,16 +871,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
}
}
- ldap_value_free_len(vals);
-
if (!found) {
+ ldap_value_free_len(vals);
continue;
}
/* we need to check if this is the canonical name */
- vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
- if (vals == NULL) {
- continue;
+ canonvals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
+ if (canonvals == NULL) {
+ /* Short cut processing if there is only a single value in
+ * krbPrincipalName, in that case we can proceed without
+ * krbCanonicalName and considering the krbPrincipalName as the
+ * canonical value. */
+ if (vals[1] != NULL) {
+ ldap_value_free_len(vals);
+ continue;
+ }
+ } else {
+ ldap_value_free_len(vals);
+ vals = canonvals;
}
/* Again, if aliases are accepted by KDC, use case-insensitive comparison */
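Review bot: The single-value test `if (vals[1] != NULL)` in the `canonvals == NULL` branch relies on `vals` being non-NULL and holding at least one value, which appears to follow only from `found` being set by the matching loop above the hunk; `if (ldap_count_values_len(vals) != 1)` states the intent directly and does not depend on that invariant. In the `else` branch, `vals = canonvals;` leaves two pointers to one allocation, so adding `canonvals = NULL;` right after it keeps a single owner for whichever free follows later in the loop (outside the hunk). Because this fallback decides which LDAP entry the KDC resolves a principal to, the comment should also record that on this path the comparison below runs against the krbPrincipalName value that already matched, e.g. `/* no krbCanonicalName: vals still holds the single krbPrincipalName value */`. The body of ipadb_find_principal starts and ends outside the hunk.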