| author | Greg Hudson <ghudson@mit.edu> | 2010-07-08 23:34:35 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-07-08 23:34:35 +0000 |
| commit | e220a6288b10e1f9280e8aa2cb18ad56391e0a45 (patch) | |
| tree | b052d1e6cb8a61ad28acf1a246fae3e808ba1530 /src/plugins/kdb | |
| parent | eb75acd30b4bee1124174c8ba5740a7ad1c97ba4 (diff) | |
Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules
should return in-realm aliases. Set it where appropriate, and use it
in the LDAP module instead of intuiting the result based on other
flags.
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb')
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 26 |
1 files changed, 1 insertions, 25 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 9b50eda72..27a3a6441 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -70,30 +70,6 @@ berval2tl_data(struct berval *in, krb5_tl_data **out)
 return 0;
 }
 
-/* Return true if it's okay to return aliases according to flags. */
-static krb5_boolean
-aliases_ok(unsigned int flags)
-{
- /*
- * The current DAL does not have a flag to indicate whether
- * aliases are okay. For service name lookups (AS or TGT path),
- * we can always return aliases. For client name lookups, we can
- * only return aliases if the client passed the canonicalize flag.
- * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
- * lookups.
- *
- * This method has the side effect of permitting aliases for
- * lookups by administrative interfaces (e.g. kadmin). Since we
- * don't have explicit admin support for aliases yet, this is
- * okay.
- */
- if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
- return TRUE;
- if (flags & KRB5_KDB_FLAG_CANONICALIZE)
- return TRUE;
- return FALSE;
-}
-
 /*
 * look up a principal in the directory.
 */
@@ -178,7 +154,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
 if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
 if (values[0] && strcmp(values[0], user) != 0) {
 /* We matched an alias, not the canonical name. */
- if (aliases_ok(flags)) {
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
 st = krb5_ldap_parse_principal_name(values[0], &cname);
 if (st != 0)
 goto cleanup;
|
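Review bot: The alias branch in krb5_ldap_get_principal now depends entirely on the caller having set `KRB5_KDB_FLAG_ALIAS_OK`, and the removed `aliases_ok()` comment was the only place in this file that recorded when returning an alias is acceptable (service lookups always, client lookups only with the canonicalize flag, administrative lookups as a side effect). The callers are not visible here because the diff is limited to src/plugins/kdb, so it is worth confirming that every lookup path that used to receive aliases, apparently including kadmin-style administrative lookups, either sets the new flag or is meant to stop resolving aliases. I would keep a short note at the check, for example `/* The caller sets KRB5_KDB_FLAG_ALIAS_OK when an in-realm alias may be returned. */`, so the policy owner is clear to the next reader. The function body starts and ends outside the hunk, so what happens to an alias match when the flag is absent cannot be judged from these lines.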
