svn rev #22090: trunk/src/plugins/kdb/ldap/libkdb_ldap/
ghudson@MIT.EDU
ghudson at MIT.EDU
Sun Mar 15 00:21:13 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22090
Commit By: ghudson
Log Message:
ticket: 6420
subject: Add LDAP back end support for canonical name attribute
tags: pullup
target_version: 1.7
Add a krbCanonicalName attribute to the schema. When looking up a
principal, if the canonical name is set and does not match the
requested name, then return the entry only if canonicalization was
requested, and use the entry's canonical name.
Changed Files:
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif 2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif 2009-03-15 04:21:12 UTC (rev 22090)
@@ -20,6 +20,15 @@
# specific syntax definitions
# Kerberos Object Class(6) class# version#
# specific class definitions
+#
+# iso(1)
+# member-body(2)
+# United States(840)
+# mit (113554)
+# infosys(1)
+# ldap(4)
+# attributeTypes(1)
+# Kerberos(6)
########################################################################
@@ -40,6 +49,21 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+##### If there are multiple krbPrincipalName values for an entry, this
+##### is the canonical principal name in the RFC 1964 specified
+##### format. (If this attribute does not exist, then all
+##### krbPrincipalName values are treated as canonical.)
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.1
+ NAME 'krbCanonicalName'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120
@@ -685,7 +709,7 @@
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
NAME 'krbPrincipalAux'
AUXILIARY
- MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
###### This class is used to create additional principals and stand alone principals.
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema 2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema 2009-03-15 04:21:12 UTC (rev 22090)
@@ -20,6 +20,15 @@
# specific syntax definitions
# Kerberos Object Class(6) class# version#
# specific class definitions
+#
+# iso(1)
+# member-body(2)
+# United States(840)
+# mit (113554)
+# infosys(1)
+# ldap(4)
+# attributeTypes(1)
+# Kerberos(6)
########################################################################
@@ -36,7 +45,18 @@
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+##### If there are multiple krbPrincipalName values for an entry, this
+##### is the canonical principal name in the RFC 1964 specified
+##### format. (If this attribute does not exist, then all
+##### krbPrincipalName values are treated as canonical.)
+attributetype ( 1.2.840.113554.1.4.1.6.1
+ NAME 'krbCanonicalName'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120
@@ -422,7 +442,7 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### This stores the alternate principal names for the principal in the RFC 1961 specified format
+##### This stores the alternate principal names for the principal in the RFC 1964 specified format
attributetype ( 2.16.840.1.113719.1.301.4.47.1
NAME 'krbPrincipalAliases'
@@ -556,7 +576,7 @@
NAME 'krbPrincipalAux'
SUP top
AUXILIARY
- MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
###### This class is used to create additional principals and stand alone principals.
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-03-15 04:21:12 UTC (rev 22090)
@@ -40,6 +40,7 @@
struct timeval timelimit = {300, 0}; /* 5 minutes */
char *principal_attributes[] = { "krbprincipalname",
+ "krbcanonicalname",
"objectclass",
"krbprincipalkey",
"krbmaxrenewableage",
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-03-15 04:15:16 UTC (rev 22089)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-03-15 04:21:12 UTC (rev 22090)
@@ -85,12 +85,13 @@
char *user=NULL, *filter=NULL, **subtree=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
- char **values=NULL;
+ char **values=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
+ krb5_principal cprinc=NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
@@ -145,7 +146,7 @@
* NOTE: a principalname k* in ldap server will return all the principals starting with a k
*/
for (i=0; values[i] != NULL; ++i) {
- if (strcasecmp(values[i], user) == 0) {
+ if (strcmp(values[i], user) == 0) {
*nentries = 1;
break;
}
@@ -156,8 +157,27 @@
continue;
}
- if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, searchfor,
- entries)) != 0)
+ if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
+ if (values[0] && strcmp(values[0], user) != 0) {
+ /* We matched an alias, not the canonical name. */
+ if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+ st = krb5_ldap_parse_principal_name(values[0], &cname);
+ if (st != 0)
+ goto cleanup;
+ st = krb5_parse_name(context, cname, &cprinc);
+ if (st != 0)
+ goto cleanup;
+ } else /* No canonicalization, so don't return aliases. */
+ *nentries = 0;
+ }
+ ldap_value_free(values);
+ if (*nentries == 0)
+ continue;
+ }
+
+ if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
+ cprinc ? cprinc : searchfor,
+ entries)) != 0)
goto cleanup;
}
ldap_msgfree(result);
@@ -190,6 +210,12 @@
if (user)
free(user);
+ if (cname)
+ free(cname);
+
+ if (cprinc)
+ krb5_free_principal(context, cprinc);
+
return st;
}
More information about the cvs-krb5
mailing list