[krbdev.mit.edu #9163] Add alias support
Greg Hudson via RT
rt-comment at kerborg-prod-app-1.mit.edu
Thu Feb 27 14:39:08 EST 2025
Thu Feb 27 14:39:07 2025: Request 9163 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: Add alias support
Owner: Nobody
Requestors: ghudson at mit.edu
Status: resolved
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9163 >
Add alias support
Add a new kadmin command add_alias. Implement it for DB2 and LMDB by
writing stub principal entries with a tl-data entry giving the target
name. Add libkdb5 functions to create and interpret alias entries.
Handle these stub entries in krb5_db_get_principal(), iteratively
resolving aliases up to a depth of 10.
To allow kadm5_delete_principal() to work on aliases, remove the code
that fetches the entry prior to deletion; it was needed before commit
0780e46fc13dbafa177525164997cd204cc50b51 to decrement the policy
reference count, but now serves no purpose. Adjust kdb_delete_entry()
to translate KRB5_KDB_NOENTRY instead of ignoring it, as we still want
to return KADM5_UNK_PRINC when deleting a nonexistent principal name.
Modify the LDAP KDB module to work with alias entries. In
krb5_ldap_put_principal(), recognize stub alias entries and add an
alias to the object for the target principal. In
krb5_ldap_delete_principal(), don't delete the LDAP object when
deleting an alias name. In krb5_ldap_iterate(), generate stub entries
for each alias name in addition to the populated entry for the
canonical name. A small amount of refactoring was done as part of
this work: the LDAP-specific principal name parsing and unparsing
functions were simplified, and a helper function search_princ() was
added to find the LDAP object for a principal name.
In kdb5_util tabdump, add a dump type "alias" to display a list of
aliases in the database.
Based on work by Alexander Bokovoy.
https://github.com/krb5/krb5/commit/5d3fe31bf1dc48e8ee946bf65428611958cac329
Author: Greg Hudson <ghudson at mit.edu>
Commit: 5d3fe31bf1dc48e8ee946bf65428611958cac329
Branch: master
doc/admin/admin_commands/kadmin_local.rst | 22 +-
doc/admin/admin_commands/kdb5_util.rst | 8 +
doc/admin/conf_ldap.rst | 7 +-
doc/admin/database.rst | 4 +
src/include/kdb.h | 28 +-
src/include/krb5/kadm5_auth_plugin.h | 11 +-
src/include/krb5/kadm5_hook_plugin.h | 8 +-
src/kadmin/cli/kadmin.c | 49 +++
src/kadmin/cli/kadmin.h | 2 +
src/kadmin/cli/kadmin_ct.ct | 3 +
src/kadmin/dbutil/tabdump.c | 38 ++
src/kadmin/server/auth.c | 8 +-
src/kadmin/server/auth.h | 2 +
src/kadmin/server/auth_acl.c | 14 +
src/kadmin/server/kadm_rpc_svc.c | 7 +
src/kadmin/server/server_stubs.c | 259 ++++++++-----
src/lib/kadm5/admin.h | 3 +
src/lib/kadm5/admin_xdr.h | 1 +
src/lib/kadm5/clnt/client_principal.c | 20 +
src/lib/kadm5/clnt/client_rpc.c | 8 +
src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 2 +
src/lib/kadm5/kadm_err.et | 1 +
src/lib/kadm5/kadm_rpc.h | 12 +
src/lib/kadm5/kadm_rpc_xdr.c | 15 +
src/lib/kadm5/server_internal.h | 7 +
src/lib/kadm5/srv/kadm5_hook.c | 10 +-
src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 +
src/lib/kadm5/srv/server_kdb.c | 4 +-
src/lib/kadm5/srv/svr_principal.c | 49 ++-
src/lib/kdb/kdb5.c | 112 +++++-
src/lib/kdb/libkdb5.exports | 2 +
src/lib/krb5/error_tables/kdb5_err.et | 1 +
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 227 ++++++-----
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h | 6 +-
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 429 ++++++++++++---------
src/tests/Makefile.in | 1 +
src/tests/t_alias.py | 124 ++++++
src/tests/t_kadmin_acl.py | 102 ++++-
src/tests/t_kdb.py | 44 ++-
src/tests/t_tabdump.py | 6 +
40 files changed, 1238 insertions(+), 420 deletions(-)
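The alias resolution the commit message describes (stub entries naming a target, followed iteratively up to a depth of 10), as an added example in C that is not krb5 code: the in-memory database, the entry layout and the RESOLVE_* codes are constructed stand-ins for the KDB and its tl-data, and the hop cap is what turns a mis-configured alias cycle into a lookup error rather than an unbounded loop.

```c
#include <string.h>
/* Added example, not krb5 code: models the alias-stub lookup the commit
 * describes.  A stub carries its target name (in krb5, a tl-data entry);
 * resolution follows stubs for at most KDB_ALIAS_MAX_DEPTH hops. */
#define KDB_ALIAS_MAX_DEPTH 10
enum { RESOLVE_NOENTRY = -1, RESOLVE_LOOP = -2 };  /* constructed codes */

typedef struct {
    const char *name;    /* principal name as stored in the database */
    const char *target;  /* NULL for a real entry; target name for a stub */
} db_entry;

/* Constructed database: a real principal, alias chains, a cycle, a dangling
 * alias, and an 11-hop chain that exceeds the cap. */
static const db_entry db[] = {
    { "alice@EXAMPLE.COM", NULL },
    { "al@EXAMPLE.COM", "alice@EXAMPLE.COM" },
    { "a@EXAMPLE.COM", "al@EXAMPLE.COM" },
    { "loop1@EXAMPLE.COM", "loop2@EXAMPLE.COM" },
    { "loop2@EXAMPLE.COM", "loop1@EXAMPLE.COM" },
    { "dangling@EXAMPLE.COM", "missing@EXAMPLE.COM" },
    { "h11", "h10" }, { "h10", "h9" }, { "h9", "h8" }, { "h8", "h7" },
    { "h7", "h6" }, { "h6", "h5" }, { "h5", "h4" }, { "h4", "h3" },
    { "h3", "h2" }, { "h2", "h1" }, { "h1", "alice@EXAMPLE.COM" },
};

static const db_entry *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(db) / sizeof(db[0]); i++)
        if (strcmp(db[i].name, name) == 0)
            return &db[i];
    return NULL;
}

/* Resolve NAME to its canonical entry.  Returns the number of alias hops
 * followed (>= 0) and sets *OUT, or a negative RESOLVE_* code.  The cap
 * bounds the work per lookup and turns an alias cycle into an error. */
int resolve_principal(const char *name, const db_entry **out)
{
    for (int depth = 0; ; depth++) {
        const db_entry *e = lookup(name);
        if (e == NULL)
            return RESOLVE_NOENTRY;       /* dangling alias or unknown name */
        if (e->target == NULL) {          /* reached a real entry */
            if (out != NULL) *out = e;
            return depth;
        }
        if (depth >= KDB_ALIAS_MAX_DEPTH)
            return RESOLVE_LOOP;          /* cycle or chain too long */
        name = e->target;                 /* follow the stub */
    }
}
```

A chain of exactly 10 stubs still resolves; the 11th hop, or any cycle, is reported as RESOLVE_LOOP.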