krb5 commit [krb5-1.12]: Disable principal renames for LDAP
Tom Yu
tlyu at mit.edu
Tue May 12 15:46:08 EDT 2015
https://github.com/krb5/krb5/commit/a300eec274447c93e01d74b6408e2c8789b33a2d
commit a300eec274447c93e01d74b6408e2c8789b33a2d
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Mar 26 12:47:06 2015 -0400
Disable principal renames for LDAP
The current principal rename procedure does not work with the LDAP KDB
module, instead having the effect of deleting the principal. The fix
is not easy and requires amending the DAL (see issue #8065). For now,
detect LDAP and error out when a rename operation is attempted.
(cherry picked from commit 8483243664a289fea142d8a9de61eba30d713871)
(cherry picked from commit 338cf20b3df6d30a8fe4c4d8c8e3b718edbf35a4)
ticket: 8186 (new)
version_fixed: 1.12.4
status: resolved
src/lib/kadm5/srv/svr_principal.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 7681636..8d6d2a7 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -768,6 +768,7 @@ kadm5_rename_principal(void *server_handle,
kadm5_server_handle_t handle = server_handle;
krb5_int16 stype, i;
krb5_data *salt = NULL;
+ krb5_tl_data tl;
CHECK_HANDLE(server_handle);
@@ -784,6 +785,18 @@ kadm5_rename_principal(void *server_handle,
if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
return ret;
+ /*
+ * This rename procedure does not work with the LDAP KDB module (see issue
+ * #8065). As a stopgap, look for tl-data indicating LDAP and error out.
+ * 0x7FFE is KDB_TL_USER_INFO as defined in kdb_ldap.h.
+ */
+ tl.tl_data_type = 0x7FFE;
+ if (krb5_dbe_lookup_tl_data(handle->context, kdb, &tl) == 0 &&
+ tl.tl_data_length > 0) {
+ ret = KRB5_PLUGIN_OP_NOTSUPP;
+ goto done;
+ }
+
/* Transform salts as necessary. */
for (i = 0; i < kdb->n_key_data; i++) {
ret = krb5_dbe_compute_salt(handle->context, &kdb->key_data[i],
More information about the cvs-krb5
mailing list