[krbdev.mit.edu #8295] kdb5_ldap_stash_service_password() stash file logic needs tweaking
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Dec 16 11:53:27 EST 2015
I did a full review of LDAP service password file selection.
* When the KDC or kadmind connects to the LDAP server and needs a bind
password, it looks for the ldap_service_password_file variable in the
realm's dbmodules section or in [dbdefaults]. If the variable is not
found in either place, there is no default value, and the LDAP
connection fails.
* kdb5_ldap_util stashsrvpw does the following:
- it looks up the database_module variable in [realms] -> realm, and
in [dbdefaults] if no value is present in the realm subsection.
- if a database_module variable is found, it looks up the
ldap_service_password_file in the named subsection of [dbmodules], with
no error checking. If no value is present, the code tries to
fopen(NULL).
- if no database_module variable is found, it uses a hardcoded
default of "usr/local/var/service_passwd". This default is not used by
the KDC or kadmind, and does not use the build prefix.
I think the libkdb_ldap logic is fine, but the kdb5_ldap_util logic is
seriously confused. We should make the following changes to be
consistent with libkdb_ldap:
* If database_module is not present in the realm subsection, the
default should be realm name (to be consistent with
kdb5.c:get_conf_section()). [dbdefaults] should not be consulted for
database_module, as kdb5.c does not do that.
* If ldap_service_password_file is not present in the chosen
[dbmodules] subsection, the command should fail rather than using a
hardcoded default.
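As an added illustration (not MIT krb5 code, and not part of the ticket), the following Python models the selection logic the comment describes: the [dbmodules] subsection is chosen the way kdb5.c:get_conf_section() does it (database_module from the realm subsection, else the realm name, [dbdefaults] never consulted for that), and ldap_service_password_file is then looked up in that subsection and in [dbdefaults] with no hardcoded fallback, so a missing value is a reported error rather than an fopen(NULL). The krb5.conf text, the realm names and the key file path are constructed for the example; the parser is a minimal stand-in for the real profile library and only handles the layout shown.

```python
import re

# Constructed sample configuration for the example (not from any real site).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        database_module = ldapmod
    }
    OTHER.COM = {
        kdc = kdc.other.com
    }

[dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

[dbmodules]
    ldapmod = {
        db_library = kldap
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
    OTHER.COM = {
        db_library = kldap
    }
"""


class ConfigError(Exception):
    """Raised when a required configuration variable is absent."""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (assumption: one key per line, '{' on the
    subsection's opening line, '}' alone on its closing line).
    Returns {section: {key: value or {subkey: value}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            sub = None
            continue
        if line == "}":
            sub = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            sub = section.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        (sub if sub is not None else section)[key.strip()] = value.strip()
    return conf


def conf_section_for_realm(conf, realm):
    """Pick the [dbmodules] subsection name the way kdb5.c:get_conf_section()
    is described: database_module from [realms] -> realm, else the realm
    name itself. [dbdefaults] is deliberately not consulted here."""
    realm_conf = conf.get("realms", {}).get(realm, {})
    return realm_conf.get("database_module", realm)


def service_password_file(conf, realm):
    """Locate ldap_service_password_file as libkdb_ldap is described to:
    the realm's [dbmodules] subsection first, then [dbdefaults]. There is
    no built-in default; a missing value is an explicit error."""
    section = conf_section_for_realm(conf, realm)
    module = conf.get("dbmodules", {}).get(section, {})
    path = module.get("ldap_service_password_file")
    if path is None:
        path = conf.get("dbdefaults", {}).get("ldap_service_password_file")
    if path is None:
        raise ConfigError(
            "ldap_service_password_file not set in [dbmodules] %s or [dbdefaults]"
            % section)
    return path


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ("EXAMPLE.COM", "OTHER.COM"):
        try:
            print(realm, "->", service_password_file(cfg, realm))
        except ConfigError as e:
            print(realm, "-> error:", e)
```

Run as a script it resolves EXAMPLE.COM through the ldapmod subsection and reports an error for OTHER.COM, whose subsection exists but carries no ldap_service_password_file; that error path is the behaviour the ticket asks kdb5_ldap_util to adopt in place of its hardcoded default.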