svn rev #22090: trunk/src/plugins/kdb/ldap/libkdb_ldap/

ghudson@MIT.EDU ghudson at MIT.EDU
Sun Mar 15 00:21:13 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22090
Commit By: ghudson
Log Message:
ticket: 6420
subject: Add LDAP back end support for canonical name attribute
tags: pullup
target_version: 1.7

Add a krbCanonicalName attribute to the schema.  When looking up a
principal, if the canonical name is set and does not match the
requested name, then return the entry only if canonicalization was
requested, and use the entry's canonical name.



Changed Files:
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif	2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif	2009-03-15 04:21:12 UTC (rev 22090)
@@ -20,6 +20,15 @@
 #                    specific syntax definitions
 #                 Kerberos Object Class(6) class# version#
 #                    specific class definitions
+#
+#    iso(1)
+#      member-body(2)
+#        United States(840)
+#          mit (113554)
+#            infosys(1)
+#              ldap(4)
+#                attributeTypes(1)
+#                  Kerberos(6)
 
 ########################################################################
 
@@ -40,6 +49,21 @@
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 
 
+##### If there are multiple krbPrincipalName values for an entry, this
+##### is the canonical principal name in the RFC 1964 specified
+##### format.  (If this attribute does not exist, then all
+##### krbPrincipalName values are treated as canonical.)
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.1
+                NAME 'krbCanonicalName'
+                EQUALITY caseExactIA5Match
+                SUBSTR caseExactSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE)
+
 ##### This specifies the type of the principal, the types could be any of
 ##### the types mentioned in section 6.2 of RFC 4120
 
@@ -685,7 +709,7 @@
 objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
                 NAME 'krbPrincipalAux'
                 AUXILIARY
-                MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+                MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
 
 
 ###### This class is used to create additional principals and stand alone principals.

Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema	2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema	2009-03-15 04:21:12 UTC (rev 22090)
@@ -20,6 +20,15 @@
 #                    specific syntax definitions
 #                 Kerberos Object Class(6) class# version#
 #                    specific class definitions
+#
+#    iso(1)
+#      member-body(2)
+#        United States(840)
+#          mit (113554)
+#            infosys(1)
+#              ldap(4)
+#                attributeTypes(1)
+#                  Kerberos(6)
 
 ########################################################################
 
@@ -36,7 +45,18 @@
 		SUBSTR caseExactSubstringsMatch
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 
+##### If there are multiple krbPrincipalName values for an entry, this
+##### is the canonical principal name in the RFC 1964 specified
+##### format.  (If this attribute does not exist, then all
+##### krbPrincipalName values are treated as canonical.)
 
+attributetype ( 1.2.840.113554.1.4.1.6.1
+                NAME 'krbCanonicalName'
+                EQUALITY caseExactIA5Match
+                SUBSTR caseExactSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE)
+
 ##### This specifies the type of the principal, the types could be any of
 ##### the types mentioned in section 6.2 of RFC 4120
 
@@ -422,7 +442,7 @@
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
 
 
-##### This stores the alternate principal names for the principal in the RFC 1961 specified format
+##### This stores the alternate principal names for the principal in the RFC 1964 specified format
 
 attributetype ( 2.16.840.1.113719.1.301.4.47.1
                 NAME 'krbPrincipalAliases'
@@ -556,7 +576,7 @@
                 NAME 'krbPrincipalAux'
 		SUP top
                 AUXILIARY
-                MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+                MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
 
 
 ###### This class is used to create additional principals and stand alone principals.

Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2009-03-15 04:21:12 UTC (rev 22090)
@@ -40,6 +40,7 @@
 
 struct timeval timelimit = {300, 0};  /* 5 minutes */
 char     *principal_attributes[] = { "krbprincipalname",
+				     "krbcanonicalname",
 				     "objectclass",
 				     "krbprincipalkey",
 				     "krbmaxrenewableage",

Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2009-03-15 04:21:12 UTC (rev 22090)
@@ -85,12 +85,13 @@
     char                        *user=NULL, *filter=NULL, **subtree=NULL;
     unsigned int                tree=0, ntrees=1, princlen=0;
     krb5_error_code	        tempst=0, st=0;
-    char                        **values=NULL;
+    char                        **values=NULL, *cname=NULL;
     LDAP	                *ld=NULL;
     LDAPMessage	                *result=NULL, *ent=NULL;
     krb5_ldap_context           *ldap_context=NULL;
     kdb5_dal_handle             *dal_handle=NULL;
     krb5_ldap_server_handle     *ldap_server_handle=NULL;
+    krb5_principal		cprinc=NULL;
 
     /* Clear the global error string */
     krb5_clear_error_message(context);
@@ -145,7 +146,7 @@
 		 * NOTE: a principalname k* in ldap server will return all the principals starting with a k
 		 */
 		for (i=0; values[i] != NULL; ++i) {
-		    if (strcasecmp(values[i], user) == 0) {
+		    if (strcmp(values[i], user) == 0) {
 			*nentries = 1;
 			break;
 		    }
@@ -156,8 +157,27 @@
 		    continue;
 	    }
 
-	    if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, searchfor,
-			entries)) != 0)
+	    if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
+		if (values[0] && strcmp(values[0], user) != 0) {
+		    /* We matched an alias, not the canonical name. */
+		    if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+			st = krb5_ldap_parse_principal_name(values[0], &cname);
+			if (st != 0)
+			    goto cleanup;
+			st = krb5_parse_name(context, cname, &cprinc);
+			if (st != 0)
+			    goto cleanup;
+		    } else /* No canonicalization, so don't return aliases. */
+			*nentries = 0;
+		}
+		ldap_value_free(values);
+		if (*nentries == 0)
+		    continue;
+	    }
+
+	    if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
+					     cprinc ? cprinc : searchfor,
+					     entries)) != 0)
 		goto cleanup;
 	}
 	ldap_msgfree(result);
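Review bot: `cname` and `cprinc` are set per entry inside the alias branch but released only once, in the cleanup block at the end of the function, so if the loop processes a second matching entry (the enclosing loop's start is outside this hunk, so whether another result entry or another subtree pass can reach this point is not visible here) the earlier pair leaks, and an entry whose krbcanonicalname matches or is absent could be populated with the stale `cprinc` from the previous entry instead of `searchfor`. Releasing them right after the `populate_krb5_db_entry` call keeps each entry's canonical principal scoped to that entry: `free(cname); cname = NULL;` and `krb5_free_principal(context, cprinc); cprinc = NULL;`, with the existing cleanup block left as the final safety net. The `values[0] == NULL` path silently treats the entry as canonical; a comment such as `/* An empty krbCanonicalName means every krbPrincipalName value is canonical. */` would tie that to the semantics stated in the schema comment. The `values` pointer is reused here for the krbcanonicalname lookup; whether the earlier krbprincipalname result it held is freed before this point is not visible in the hunk and is worth confirming.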
@@ -190,6 +210,12 @@
     if (user)
 	free(user);
 
+    if (cname)
+	free(cname);
+
+    if (cprinc)
+	krb5_free_principal(context, cprinc);
+
     return st;
 }
 



