From 9f49886f941772731c8ecca8825b2d87ffa0ccc9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 10 Aug 2015 20:26:59 +0000
Subject: TODO: make sure a single krbPrincipalName value gets used for canonicalization too

---
 daemons/ipa-kdb/ipa_kdb_principals.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 5fb280d62..c69a8817d 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -827,7 +827,8 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 struct ipadb_context *ipactx;
 bool found = false;
 LDAPMessage *le = NULL;
- struct berval **vals;
+ struct berval **canonvals = NULL;
+ struct berval **vals = NULL;
 int i, result;
 
 ipactx = ipadb_get_context(kcontext);
@@ -870,16 +871,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 }
 }
 
- ldap_value_free_len(vals);
-
 if (!found) {
+ ldap_value_free_len(vals);
 continue;
 }
 
 /* we need to check if this is the canonical name */
- vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
- if (vals == NULL) {
- continue;
+ canonvals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
+ if (canonvals == NULL) {
+ /* Short cut processing if there is only a single value in
+ * krbPrincipalName, in that case we can proceed without
+ * krbCanonicalName and considering the krbPrincipalName as the
+ * canonical value. */
+ if (vals[1] != NULL) {
+ ldap_value_free_len(vals);
+ continue;
+ }
+ } else {
+ ldap_value_free_len(vals);
+ vals = canonvals;
 }
 
 /* Again, if aliases are accepted by KDC, use case-insensitive comparison */
-- 
cgit
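Review bot: After `vals = canonvals;` in the second hunk both pointers refer to the same `ldap_get_values_len` allocation and `canonvals` is never cleared, so any cleanup path that frees `canonvals` as well as `vals` — in this iteration or a later one, since the variable is declared once for the whole loop — would double-free or use a dangling pointer; add `canonvals = NULL;` right after the assignment so `vals` is the single owner. The `vals[1] != NULL` shortcut also relies on `found` being true only when `vals` is a non-NULL, NULL-terminated array from the earlier krbPrincipalName lookup, which appears to hold but is established outside the hunk and is worth stating in the comment (e.g. `/* found implies vals != NULL with at least one entry */`). The shortcut comment would read more clearly as "Short-cut processing if krbPrincipalName has a single value: proceed without krbCanonicalName and treat the krbPrincipalName as the canonical value." ipadb_find_principal's body starts and ends outside both hunks.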