1 files changed, 12 insertions, 1 deletions

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 3c2c44f61..48880cdb7 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1171,6 +1171,8 @@ done:
     return rc;
 }
 
+#define SETKEYS_OP_CHECK "ipaProtectedOperation;set_keys"
+
 /* Password Modify Extended operation plugin function */
 static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 {
@@ -1238,15 +1240,24 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
         goto free_and_return;
     }
 
-    /* Accesseck strategy:
+    /* Access check strategy:
      * If the user has WRITE access, a new keytab can be set on the entry.
      * If not, then we fail immediately with insufficient access. This
      * means that we don't leak any useful information to the client such
      * as current password wrong, etc.
+     *
+     * In addition to the historic check, we now also check if the setkeytab
+     * operation is allowed at all.
      */
     allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
                                                "krbPrincipalKey", NULL,
                                                SLAPI_ACL_WRITE);
+    if (allowed_access) {
+        /* check if we are allowed to *set* keys */
+        allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
+                                                   SETKEYS_OP_CHECK, NULL,
+                                                   SLAPI_ACL_WRITE);
+    }
     if (!allowed_access) {
         LOG_FATAL("Access not allowed to set keytab on [%s]!\n",
                   serviceName);