[krbdev.mit.edu #8877] [Comment] Issue setting require_auth attribute with ldap backend with release 1.17

Greg Hudson via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Feb 24 13:05:42 EST 2020


https://krbdev.mit.edu/rt/Ticket/Display.html?id=8877
This is a comment.  It is not sent to the Requestor(s):

My notes:

* Normalization of the "require_auth" string attribute to the
krbPrincipalAuthInd LDAP attribute was added in release 1.15 (ticket 8379),
while auth indicator support itself was added in release 1.14 (ticket 8157).

* This is currently the only normalization of a string attribute, although
several tl-data attributes (like KRB5_TL_LAST_PWD_CHANGE) are normalized.

* Unlike other normalizations, the require_auth attribute is also represented
redundantly in krbExtraData (within KRB5_TL_STRING_ATTRS). This is at least
partially because krb5 1.14 could have written entries to LDAP without
normalization.

* On load, if any krbPrincipalAuthInd attributes are present, they are
re-encoded as a string attribute and set or replace the value of the
require_auth string attribute in the tl-data. This is so that modifications to
krbPrincipalAuthInd via LDAP will have the intended effect on the principal
entry.

* There is an ancillary bug that removing all krbPrincipalAuthInd attributes
via LDAP won't have the effect of removing the require_auth string attribute.
There is currently no way to distinguish this state from an entry stored
without normalization (by krb5 1.14).

* The attribute mask returned by krb5_get_attributes_mask() is synthesized on
principal entry load by populate_krb5_db_entry(). It is stored in memory in the
tl-data under the type KDB_TL_USER_INFO, encoded under the subtype KDB_TL_MASK.
KDB_TL_USER_INFO tl-data is not written out to LDAP.

* Using the attribute mask to fix the primary bug would miss the case where the
caller writes out an entry from scratch, rather than reading an entry and
modifying it. That might be an acceptable blind spot, compared to the cost of
alternative fixes.

* To fix the ancillary bug, we would probably have to change the normalization
strategy so that the require_auth string attribute is no longer stored within
krbExtraData (but can still be loaded from krbExtraData). That change would
mean that krb5 1.14 KDCs would no longer be able to see require_auth string
attributes on entries written out by current KDCs.
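The load/store behaviour sketched in the notes above, as an added model written for this page (it is not krb5 source and does not use the kdb or LDAP APIs): an LDAP entry is a plain dict, require_auth is assumed to be a space-separated list of indicator names as kadmin's setstr takes it, and krbPrincipalAuthInd holds one value per indicator. The three strategies show why removing every krbPrincipalAuthInd value is indistinguishable from a 1.14-written entry today, and why dropping the krbExtraData copy resolves that.

```python
# Added model, not krb5 code. Entry layout and the space-separated
# require_auth encoding are assumptions made for the illustration.

def store(require_auth, strategy):
    """Write a principal's require_auth into a fresh LDAP entry.

    strategy: "1.14"     - string attribute in krbExtraData only (no normalization)
              "current"  - krbPrincipalAuthInd plus the redundant krbExtraData copy
              "proposed" - krbPrincipalAuthInd only
    """
    entry = {"krbExtraData": {}, "krbPrincipalAuthInd": []}
    if require_auth is None:
        return entry
    if strategy in ("1.14", "current"):
        entry["krbExtraData"]["require_auth"] = require_auth
    if strategy in ("current", "proposed"):
        entry["krbPrincipalAuthInd"] = require_auth.split()
    return entry


def load(entry):
    """Load-time normalization as described in the notes: any
    krbPrincipalAuthInd values are re-encoded as the require_auth string
    attribute and replace whatever krbExtraData carried; with no values
    present, the krbExtraData copy (if any) survives unchanged."""
    strattrs = dict(entry["krbExtraData"])
    if entry["krbPrincipalAuthInd"]:
        strattrs["require_auth"] = " ".join(entry["krbPrincipalAuthInd"])
    return strattrs.get("require_auth")


def set_auth_inds(entry, indicators):
    """Simulate an LDAP-side edit of krbPrincipalAuthInd (an empty list
    models an administrator deleting every value)."""
    return {"krbExtraData": dict(entry["krbExtraData"]),
            "krbPrincipalAuthInd": list(indicators)}


if __name__ == "__main__":
    cur = store("otp", "current")
    print("LDAP edit wins:", load(set_auth_inds(cur, ["pkinit", "fast"])))
    # Ancillary bug: deleting all values leaves the krbExtraData copy in force,
    # and the result is identical to an entry a 1.14 KDC wrote.
    print("current, all deleted:", load(set_auth_inds(cur, [])))
    print("1.14 entry:", load(store("otp", "1.14")))
    # Proposed strategy: deletion takes effect, 1.14 entries still load.
    print("proposed, all deleted:", load(set_auth_inds(store("otp", "proposed"), [])))
```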