perform case-insensitive principal search when canonicalization is requested

When canonicalization is requested, the krbprincipalname attribute is searched for case-insensitively. In the case that krbcanonicalname is not set, the matched alias is returned with the casing stored in backend, not the one input by client. Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
author: Martin Babinsky <mbabinsk@redhat.com> 2015-09-08 16:45:23 +0200
committer: Martin Basti <mbasti@redhat.com> 2016-06-23 09:48:06 +0200
commit: e43231456d8de954423582dbee439e330573d04b (patch)
tree: 29be8cdd7d163401761482ee5f13e207e96b0a4f /daemons/ipa-kdb
parent: b59e82298ca0322713bc1dd947ba7a0ae79e44ce (diff)
download: freeipa-e43231456d8de954423582dbee439e330573d04b.tar.gz
freeipa-e43231456d8de954423582dbee439e330573d04b.tar.xz
freeipa-e43231456d8de954423582dbee439e330573d04b.zip
1 files changed, 12 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d4adf27f2..348072402 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -31,7 +31,7 @@
                                     "(objectclass=krbprincipal)" \
                                     "(objectclass=ipakrbprincipal))" \
                                     "(|(ipakrbprincipalalias=%s)" \
-                                      "(krbprincipalname=%s)))"
+                                      "(krbprincipalname:caseIgnoreIA5Match:=%s)))"
 
 #define PRINC_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
                                 "(objectclass=krbprincipal))" \
@@ -959,6 +959,17 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
                                 NULL, NULL, &result) != 0)
                     return KRB5_KDB_INTERNAL_ERROR;
                 found = (result == 0);
+                if (found) {
+                    /* replace the incoming principal with the value having
+                     * the correct case. This ensures that valid name/alias
+                     * is returned even if krbCanonicalName is not present
+                     */
+                    free(*principal);
+                    *principal = strdup(vals[i]->bv_val);
+                    if (!(*principal)) {
+                        return KRB5_KDB_INTERNAL_ERROR;
+                    }
+                }
             } else {
                 found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
             }
author	Martin Babinsky <mbabinsk@redhat.com>	2015-09-08 16:45:23 +0200
committer	Martin Basti <mbasti@redhat.com>	2016-06-23 09:48:06 +0200
commit	e43231456d8de954423582dbee439e330573d04b (patch)
tree	29be8cdd7d163401761482ee5f13e207e96b0a4f /daemons/ipa-kdb
parent	b59e82298ca0322713bc1dd947ba7a0ae79e44ce (diff)
download	freeipa-e43231456d8de954423582dbee439e330573d04b.tar.gz freeipa-e43231456d8de954423582dbee439e330573d04b.tar.xz freeipa-e43231456d8de954423582dbee439e330573d04b.zip