5 files changed, 36 insertions, 7 deletions

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 15ea00b0a..835d0b368 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -179,6 +179,16 @@ AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes],
              [$SAMBA40EXTRA_LIBPATH])
 
 dnl ---------------------------------------------------------------------------
+dnl Check for libunistring
+dnl ---------------------------------------------------------------------------
+AC_CHECK_HEADERS([unicase.h],,AC_MSG_ERROR([Could not find unicase.h]))
+AC_CHECK_LIB([unistring],
+             [ulc_casecmp],
+             [UNISTRING_LIBS="-lunistring"],
+             [AC_MSG_ERROR([libunistring does not have ulc_casecmp])])
+AC_SUBST(UNISTRING_LIBS)
+
+dnl ---------------------------------------------------------------------------
 dnl Check for libverto
 dnl ---------------------------------------------------------------------------
 PKG_CHECK_MODULES([LIBVERTO], [libverto])
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 13c455131..dc543dd56 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -50,6 +50,7 @@ ipadb_la_LIBADD = 		\
 	$(KRB5_LIBS)		\
 	$(LDAP_LIBS)		\
 	$(NDRPAC_LIBS)		\
+	$(UNISTRING_LIBS)	\
 	$(NULL)
 
 if HAVE_CHECK
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 54869d8f9..f7797c493 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -158,7 +158,7 @@ int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
                                       char *attrname, krb5_timestamp *result);
 
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
-                              char *attrname, char *value);
+                              char *attrname, const char *value);
 int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
                              LDAPDerefRes **results);
 
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index e227602ea..112086b57 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -21,6 +21,7 @@
  */
 
 #include "ipa_kdb.h"
+#include <unicase.h>
 
 static struct timeval std_timeout = {300, 0};
 
@@ -518,20 +519,28 @@ int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
 }
 
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
-                              char *attrname, char *value)
+                              char *attrname, const char *value)
 {
     struct berval **vals;
     int ret = ENOENT;
-    int i;
+    int i, result;
 
     vals = ldap_get_values_len(lcontext, le, attrname);
     if (vals) {
         for (i = 0; vals[i]; i++) {
-            if (strcasecmp(vals[i]->bv_val, value) == 0) {
+            if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
+                            value, strlen(value),
+                            NULL, NULL, &result) != 0) {
+                ret = errno;
+                break;
+            }
+
+            if (result == 0) {
                 ret = 0;
                 break;
             }
         }
+
         ldap_value_free_len(vals);
     }
 
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3566e1ece..66d434a53 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -21,6 +21,7 @@
  */
 
 #include "ipa_kdb.h"
+#include <unicase.h>
 
 /*
  * During TGS request search by ipaKrbPrincipalName (case-insensitive)
@@ -614,7 +615,7 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
     bool found = false;
     LDAPMessage *le = NULL;
     struct berval **vals;
-    int i;
+    int i, result;
 
     ipactx = ipadb_get_context(kcontext);
     if (!ipactx) {
@@ -643,7 +644,11 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
             /* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
             /* Use case-insensitive comparison in such cases */
             if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
-                found = (strcasecmp(vals[i]->bv_val, (*principal)) == 0);
+                if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
+                                (*principal), strlen(*principal),
+                                NULL, NULL, &result) != 0)
+                    return KRB5_KDB_INTERNAL_ERROR;
+                found = (result == 0);
             } else {
                 found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
             }
@@ -663,7 +668,11 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 
         /* Again, if aliases are accepted by KDC, use case-insensitive comparison */
         if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
-            found = (strcasecmp(vals[0]->bv_val, (*principal)) == 0);
+            if (ulc_casecmp(vals[0]->bv_val, vals[0]->bv_len,
+                            (*principal), strlen(*principal),
+                            NULL, NULL, &result) != 0)
+                return KRB5_KDB_INTERNAL_ERROR;
+            found = (result == 0);
         } else {
             found = (strcmp(vals[0]->bv_val, (*principal)) == 0);
         }