ldap principal aliases
Luke Howard
lukeh at padl.com
Sun Aug 30 04:19:19 EDT 2009
On 30/08/2009, at 9:21 AM, Luke Howard wrote:
>> Yep, sure enough. The version on wopr is pretty old.
>>
>> Are there any known scenarios where forcing canonicalization on the
>> KDC
>> would be bad? I was thinking about just removing the check for that
>> flag from our KDCs, since there are quite a few servers that have the
>> old libraries.
>
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).
So, you could try the following untested patch:
Index: ldap_principal2.c
===================================================================
--- ldap_principal2.c (revision 22548)
+++ ldap_principal2.c (working copy)
@@ -160,7 +160,8 @@
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) !=
NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
- if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0 ||
+ (flags & KRB5_KDB_FLAG_CANONICALIZE)) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;
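Review bot: the new condition on the `+` lines makes correctness depend on the KDC passing KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY on every client-principal lookup; any caller that omits it will have an alias-matched client principal canonicalized unconditionally, which is the AS-path breakage described earlier in the thread (an old client library receiving a name it did not ask for). Since the patch is untested, it would be worth confirming which lookups set that flag before applying it, and extending the comment "/* We matched an alias, not the canonical name. */" to state the new policy, e.g. "Server principals are always canonicalized; client principals only when canonicalization was requested."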
This always canonicalizes server names (when KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is unset). For client names, it continues to depend on the setting of KRB5_KDB_FLAG_CANONICALIZE.
-- Luke