krb5 commit: Set lockdown attribute when creating LDAP KDB

Greg Hudson ghudson at mit.edu
Tue Aug 18 12:41:24 EDT 2020


https://github.com/krb5/krb5/commit/6cdf7d82e74f21fb8a37efe6b1bba45744f891ba
commit 6cdf7d82e74f21fb8a37efe6b1bba45744f891ba
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Aug 10 12:44:21 2020 -0400

    Set lockdown attribute when creating LDAP KDB
    
    In kdb5_ldap_util, set lockdown_keys on the special principals when
    creating an LDAP KDB, as we do in kdb5_util when creating a regular
    KDB.
    
    ticket: 8936 (new)
    tags: pullup
    target_version: 1.18-next
    target_version: 1.17-next

 src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index ae1afd4..bb5bae5 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -1304,7 +1304,7 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ,
                                                      now, &db_create_princ)))
         goto cleanup;
 
-    entry.attributes = pblock->flags;
+    entry.attributes = pblock->flags | KRB5_KDB_LOCKDOWN_KEYS;
     entry.max_life = pblock->max_life;
     entry.max_renewable_life = pblock->max_rlife;
     entry.expiration = pblock->expiration;
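
Review bot: The changed assignment to entry.attributes ORs in KRB5_KDB_LOCKDOWN_KEYS unconditionally, so every principal created through kdb_ldap_create_principal() gets the attribute, while the commit message scopes the change to the special principals. If this function is only reached for those principals during realm creation, a one-line comment above the assignment saying so would keep a future caller from inheriting lockdown_keys by accident; otherwise the flag would be better passed in by the caller through pblock->flags. The change also only touches the creation path, so LDAP realms created before it keep their special principals without the attribute, which is worth stating in the ticket or the release notes for the pullup targets.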

