| author | Martin Babinsky <mbabinsk@redhat.com> | 2015-09-08 17:43:30 +0200 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-06-23 09:48:06 +0200 |
| commit | 705f66f7490c64de1adc129221b31927616c485d (patch) | |
| tree | cc7138c355431ca285e076af31b5b8b0f8cbdbe8 /ipaserver/plugins | |
| parent | b169a72735fccb170adb5c84ec1bcc10a70e5494 (diff) | |
IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
Hosts, services, and (stage) users will now have the krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will no longer have ipakrbprincipalalias set.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
| -rw-r--r-- | ipaserver/plugins/baseuser.py | 2 | ||||
| -rw-r--r-- | ipaserver/plugins/host.py | 2 | ||||
| -rw-r--r-- | ipaserver/plugins/service.py | 10 | ||||
| -rw-r--r-- | ipaserver/plugins/stageuser.py | 3 |
4 files changed, 9 insertions, 8 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index bbea403d9..7bb2e8a63 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -39,6 +39,7 @@ from ipalib.util import (
     remove_sshpubkey_from_output_post,
     remove_sshpubkey_from_output_list_post,
     add_sshpubkey_to_attrs_pre,
+    set_krbcanonicalname
 )
 if six.PY3:
@@ -497,6 +498,7 @@ class baseuser_add(LDAPCreate):
     def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
+        set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 919927c3d..0072431de 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -50,6 +50,7 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
     remove_sshpubkey_from_output_list_post,
     normalize_hostname,
     hostname_validator,
+    set_krbcanonicalname
 )
 from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
 from ipapython.dnsutil import DNSName
@@ -632,6 +633,7 @@ class host_add(LDAPCreate):
                 entry_attrs['objectclass'].append('krbprincipalaux')
             if 'krbprincipal' not in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].append('krbprincipal')
+            set_krbcanonicalname(entry_attrs)
         else:
             if 'krbprincipalaux' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipalaux')
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 24031eb42..cb9952d44 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
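Review bot: The new `set_krbcanonicalname(entry_attrs)` call in baseuser_add.pre_common_callback carries no comment saying why it is there, and the host_add hunk in this commit adds the same bare call; only the service_add hunk explains the intent. A one-line why-comment above each call, `# mirror krbprincipalname into krbcanonicalname (ticket 3864)`, would keep the three sites consistent. It is not visible here what the helper does when entry_attrs has no krbprincipalname yet — in pre_common_callback it runs right after the DN assertion, before any other attribute handling, so presumably it tolerates a missing key; confirm. In host_add the call sits inside a branch whose `if` line is outside the hunk (the `else:` that follows is its partner).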
@@ -576,14 +576,8 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
-        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
-        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
-        # schema
-        entry_attrs['ipakrbprincipalalias'] = keys[-1]
-
-        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
-        # in a list of default objectclasses, add it manually
-        entry_attrs['objectclass'].append('ipakrbprincipal')
+        # set krbcanonicalname attribute to enable principal canonicalization
+        util.set_krbcanonicalname(entry_attrs)
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 86b1935f3..9d5d40453 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -44,6 +44,7 @@ from .baseuser import (
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
+from ipalib.util import set_krbcanonicalname
 from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
@@ -532,6 +533,8 @@ class stageuser_activate(LDAPQuery):
         if 'krbprincipalname' not in entry_from:
             entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0],
                                                       api.env.realm)
+        set_krbcanonicalname(entry_to)
+
     def __dict_new_entry(self, *args, **options):
         ldap = self.obj.backend |
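Review bot: service_add calls the helper as `util.set_krbcanonicalname(entry_attrs)` while baseuser.py, host.py and stageuser.py import the name directly; unless service.py already imports `util` as a module (not visible in this hunk) this is a NameError at call time, and either way `set_krbcanonicalname(entry_attrs)` with a matching import would keep the four sites uniform. The removed comment states that ipakrbprincipalalias existed to aid case-insensitive searches because krbPrincipalName/krbCanonicalName are case-sensitive in the Kerberos schema; neither the replacement comment nor the commit message says what, if anything, now serves case-insensitive lookup for new services, so a sentence on that would help future readers. Since the explicit `'ipakrbprincipal'` objectclass append is dropped, it is worth confirming that the objectclass providing krbcanonicalname is already among the service entry's default object classes. The service_add pre_callback starts and ends outside the hunk.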
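Review bot: In stageuser_activate the added `set_krbcanonicalname(entry_to)` runs unconditionally, so when the staged entry already carries a krbcanonicalname (stage users created through baseuser_add will after this commit, if entry_to copies that attribute from entry_from) the helper either replaces or duplicates the value; which of the two happens is not visible here, so confirm the helper is idempotent for an entry that already has the attribute. A short comment would record the intent, `# activated users always get krbcanonicalname == krbprincipalname`. The enclosing method starts outside the hunk.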
