svn rev #24178: trunk/src/ include/ kdc/ lib/kadm5/srv/ plugins/kdb/ldap/libkdb_ldap/
ghudson@MIT.EDU
ghudson at MIT.EDU
Thu Jul 8 19:34:35 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24178
Commit By: ghudson
Log Message:
ticket: 6749
status: open
Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules
should return in-realm aliases. Set it where appropriate, and use it
in the LDAP module instead of intuiting the result based on other
flags.
Changed Files:
U trunk/src/include/kdb.h
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/do_tgs_req.c
U trunk/src/lib/kadm5/srv/server_kdb.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h 2010-07-08 13:40:11 UTC (rev 24177)
+++ trunk/src/include/kdb.h 2010-07-08 23:34:35 UTC (rev 24178)
@@ -130,6 +130,8 @@
#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
/* Cross-realm */
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
+/* Allow in-realm aliases */
+#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
@@ -913,19 +915,17 @@
* db_get_principal):
*
* KRB5_KDB_FLAG_CANONICALIZE: Set by the KDC when looking up entries for
- * an AS or TGS request with canonicalization requested. Affects
- * whether the module should return out-of-realm referrals and aliases
- * (see below).
+ * an AS or TGS request with canonicalization requested. Determines
+ * whether the module should return out-of-realm referrals.
*
- * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+ * KRB5_KDB_FLAG_INCLUDE_PAC: Set by the KDC during an AS request when the
* client requested PAC information during padata, and during most TGS
* requests. Indicates that the module should include PAC information
* when generating authorization data.
*
* KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
* client entry in an AS request. Affects how the module should return
- * out-of-realm referrals and whether the module should return in-realm
- * aliases (see below).
+ * out-of-realm referrals.
*
* KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
* entry during TGS requests, except for S4U TGS requests and requests
@@ -946,11 +946,15 @@
* during a TGS request, if the client principal is not part of the
* realm being served.
*
- * A module can return in-realm aliases if KRB5_KDB_FLAG_CANONICALIZE is
- * set, or if KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is not set (because
- * aliases are always okay for TGS requests). To return an in-realm alias,
- * fill in a different value for entries->princ than the one requested.
+ * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
+ * for AS request client principal lookups with canonicalization
+ * requested; also set by the admin interface. Determines whether the
+ * module should return in-realm aliases.
*
+ * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set.
+ * To return an in-realm alias, fill in a different value for
+ * entries->princ than the one requested.
+ *
* A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
* is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
* also set), the module should do so by simply filling in an out-of-realm
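Review bot: The new KRB5_KDB_FLAG_ALIAS_OK paragraph says the flag is set for AS client lookups "with canonicalization requested", but the do_as_req.c hunk in this same commit sets it inside a condition that also tests for KRB5_NT_ENTERPRISE_PRINCIPAL clients, so the header understates when a module may return a client alias. Suggest rewording the two lines to `* for AS request client principal lookups when canonicalization is requested` / `* or the client name is an enterprise principal; also set by the admin interface.` The start of that condition in do_as_req.c lies outside its hunk, so confirm the enterprise-name test is an alternative (||) rather than a conjunction before changing the text.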
Modified: trunk/src/kdc/do_as_req.c
===================================================================
--- trunk/src/kdc/do_as_req.c 2010-07-08 13:40:11 UTC (rev 24177)
+++ trunk/src/kdc/do_as_req.c 2010-07-08 23:34:35 UTC (rev 24178)
@@ -195,6 +195,7 @@
krb5_princ_type(kdc_context,
request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ setflag(c_flags, KRB5_KDB_FLAG_ALIAS_OK);
}
if (include_pac_p(kdc_context, request)) {
setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
@@ -237,6 +238,7 @@
#endif
s_flags = 0;
+ setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
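Review bot: The unconditional `setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);` right after `s_flags = 0;` has no comment saying why server lookups always permit aliases while the CANONICALIZE bit below stays conditional; the same pattern appears in the do_tgs_req.c hunk. A one-line comment would keep the next reader from "fixing" it into the canonicalize branch: `/* Server lookups may always resolve in-realm aliases; KDC_OPT_CANONICALIZE only governs referrals. */` If setflag is a plain bitwise-or, `s_flags = KRB5_KDB_FLAG_ALIAS_OK;` would also read more directly than a zero assignment followed by a set. The enclosing function starts and ends outside the hunk.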
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c 2010-07-08 13:40:11 UTC (rev 24177)
+++ trunk/src/kdc/do_tgs_req.c 2010-07-08 23:34:35 UTC (rev 24178)
@@ -205,6 +205,7 @@
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
+ setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
Modified: trunk/src/lib/kadm5/srv/server_kdb.c
===================================================================
--- trunk/src/lib/kadm5/srv/server_kdb.c 2010-07-08 13:40:11 UTC (rev 24177)
+++ trunk/src/lib/kadm5/srv/server_kdb.c 2010-07-08 23:34:35 UTC (rev 24178)
@@ -242,7 +242,8 @@
*kdb_ptr = NULL;
- ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
+ ret = krb5_db_get_principal(handle->context, principal,
+ KRB5_KDB_FLAG_ALIAS_OK, &kdb);
if (ret == KRB5_KDB_NOENTRY)
return(KADM5_UNK_PRINC);
if (ret)
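Review bot: Passing KRB5_KDB_FLAG_ALIAS_OK here changes the contract of this lookup without a note: per the new kdb.h text, the module may now return an entry whose princ differs from the principal the caller asked for, so any caller that assumes `kdb->princ` equals `principal` (for example when writing the entry back or reporting its name) should be checked. Suggest a comment above the call, `/* ALIAS_OK: the returned entry's princ may be the canonical name rather than the one requested. */`. The enclosing function and its callers are outside the hunk, so this is inferred from the header documentation rather than from visible use.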
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2010-07-08 13:40:11 UTC (rev 24177)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2010-07-08 23:34:35 UTC (rev 24178)
@@ -70,30 +70,6 @@
return 0;
}
-/* Return true if it's okay to return aliases according to flags. */
-static krb5_boolean
-aliases_ok(unsigned int flags)
-{
- /*
- * The current DAL does not have a flag to indicate whether
- * aliases are okay. For service name lookups (AS or TGT path),
- * we can always return aliases. For client name lookups, we can
- * only return aliases if the client passed the canonicalize flag.
- * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
- * lookups.
- *
- * This method has the side effect of permitting aliases for
- * lookups by administrative interfaces (e.g. kadmin). Since we
- * don't have explicit admin support for aliases yet, this is
- * okay.
- */
- if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
- return TRUE;
- if (flags & KRB5_KDB_FLAG_CANONICALIZE)
- return TRUE;
- return FALSE;
-}
-
/*
* look up a principal in the directory.
*/
@@ -178,7 +154,7 @@
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
- if (aliases_ok(flags)) {
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;
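Review bot: The new `if (flags & KRB5_KDB_FLAG_ALIAS_OK)` test only covers the accept path; the else branch that handles an alias match when the flag is clear is outside the hunk, and since this commit removes the old aliases_ok() heuristic, that branch is now the only thing preventing an alias-matched LDAP entry from being returned under the requested (non-canonical) name. Confirm it still reports the entry as not found (KRB5_KDB_NOENTRY) rather than falling through to the canonical-name path. A short comment on the new line would make the intent explicit: `/* Caller did not permit aliases; treat the alias match as no entry. */` placed on the else side. The enclosing lookup function starts and ends outside the hunk.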