diff options
| author | Simo Sorce <simo@redhat.com> | 2015-11-24 18:01:52 -0500 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-03-09 19:00:43 +0100 |
| commit | 7a20fc671b07344b0ee8460bef07398cb3ffaf59 (patch) | |
| tree | 02e4a252db184e02889ee3d61c141b7d1dca9e2f /daemons/ipa-kdb | |
| parent | 0906cc28b8387a62945d2531dd19bef60f731364 (diff) | |
| download | freeipa-7a20fc671b07344b0ee8460bef07398cb3ffaf59.tar.gz freeipa-7a20fc671b07344b0ee8460bef07398cb3ffaf59.tar.xz freeipa-7a20fc671b07344b0ee8460bef07398cb3ffaf59.zip | |
Allow to specify Kerberos authz data type per user
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb')
| -rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 45721f0dc..d54ca7189 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -2143,11 +2143,13 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, ks_client_princ = client->princ; } - /* We only need to check the server entry here, because even if the client - * is a service with a valid authorization data it will result to NONE - * because ipadb_get_pac() can only generate a pac for 'real' IPA users. - * (I assume this will be the same for PAD.) */ - get_authz_data_types(context, server, &with_pac, &with_pad); + if (client_entry == NULL) client_entry = client; + + if (is_as_req) { + get_authz_data_types(context, client_entry, &with_pac, &with_pad); + } else { + get_authz_data_types(context, server, &with_pac, &with_pad); + } if (with_pad) { krb5_klog_syslog(LOG_ERR, "PAD authorization data is requested but " \ @@ -2189,7 +2191,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, /* check or generate pac data */ if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) { if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { - kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac); + kerr = ipadb_get_pac(context, client_entry, &pac); if (kerr != 0 && kerr != ENOENT) { goto done; } @@ -2242,7 +2244,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, kerr = 0; done: - if (client_entry != NULL) { + if (client_entry != NULL && client_entry != client) { ipadb_free_principal(context, client_entry); } krb5_pac_free(context, pac); |