[krbdev.mit.edu #8065] Renaming principals with LDAP KDB deletes the principal
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Feb 3 14:12:49 EST 2015
kadm5_rename_principal gets the source principal entry, fixes up the
salts in the key data, sets the new principal name, puts the modified
principal entry, and then deletes the source principal entry.
This works with BDB, but fails badly with LDAP for two reasons:
1. We don't set mask attributes to indicate that this is a new
principal.
2. When the LDAP back end loads the source principal entry, it
inserts a tl-data value of type KDB_TL_USERDN containing the DN.
When we put the principal entry, this tl-data value is extracted and
used as the DN to use. We don't want that to happen; we want the KDB
module to construct a new DN based on the new principal name.
The upshot is that we make a few modifications to the source
principal DN, then delete it.
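To make the failure sequence concrete, here is a small Python model of it. This is an added illustration, not krb5 or kadmin code: the toy store class, its method names, the `rename` helper and the way the tl-data is represented are all assumptions made for the model. What it reproduces from the ticket is the behaviour of the back end (get stamps a KDB_TL_USERDN tl-data value on the returned entry, put honours that value as the target DN, put of a DN that does not exist needs the new-principal mask) and the three outcomes: the unmodified rename path silently loses the principal, stripping the DN without the mask makes the put fail, and doing both yields a correct rename.

```python
"""Model of the rename bug in krbdev.mit.edu #8065 (illustration, not krb5 code)."""
from dataclasses import dataclass, field

KDB_TL_USERDN = "userdn"   # tl-data type carrying the entry's DN (label assumed)


@dataclass
class Entry:
    princ: str
    keys: list
    tl_data: dict = field(default_factory=dict)
    mask_new_principal: bool = False   # stands in for the "new principal" mask bit


class ToyLdapKdb:
    """Assumed stand-in for the LDAP KDB module: entries are keyed by DN."""

    def __init__(self, base="cn=krbcontainer,dc=example,dc=com"):
        self.base = base
        self.entries = {}   # DN -> Entry

    def dn_for(self, princ):
        return f"krbPrincipalName={princ},{self.base}"

    def get(self, princ):
        # Like the LDAP back end, record the source DN in the entry's tl-data.
        dn = self.dn_for(princ)
        e = self.entries[dn]
        out = Entry(e.princ, list(e.keys), dict(e.tl_data))
        out.tl_data[KDB_TL_USERDN] = dn
        return out

    def put(self, entry):
        # A DN riding in the tl-data wins over one built from the principal name.
        dn = entry.tl_data.get(KDB_TL_USERDN) or self.dn_for(entry.princ)
        if dn not in self.entries and not entry.mask_new_principal:
            raise KeyError(f"{dn}: no such entry and new-principal mask not set")
        cleaned = {k: v for k, v in entry.tl_data.items() if k != KDB_TL_USERDN}
        self.entries[dn] = Entry(entry.princ, list(entry.keys), cleaned)

    def delete(self, princ):
        del self.entries[self.dn_for(princ)]

    def principals(self):
        return sorted(e.princ for e in self.entries.values())


def rename(db, src, dst, *, strip_userdn, set_new_mask):
    """The rename sequence from the ticket: get, rename, put, delete source.

    strip_userdn / set_new_mask toggle the two fixes the ticket calls for."""
    e = db.get(src)
    e.princ = dst                      # (salt fix-up omitted in this model)
    if strip_userdn:
        e.tl_data.pop(KDB_TL_USERDN, None)   # let the back end build a new DN
    e.mask_new_principal = set_new_mask
    db.put(e)
    db.delete(src)


def fresh_db():
    """Constructed sample database holding one principal."""
    db = ToyLdapKdb()
    db.entries[db.dn_for("alice")] = Entry("alice", ["k1"])
    return db


if __name__ == "__main__":
    db = fresh_db()
    rename(db, "alice", "bob", strip_userdn=False, set_new_mask=False)
    print("unfixed:", db.principals())        # [] : alice's DN modified, then deleted
    db = fresh_db()
    rename(db, "alice", "bob", strip_userdn=True, set_new_mask=True)
    print("fixed:", db.principals())          # ['bob']
```

Running the unfixed path shows the principal vanishing entirely, which is the "modify the source DN, then delete it" outcome described above; the strip-only path stops at the put with a missing-entry error, which is why both changes are needed together.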