question regarding LDAP plugin, policy and princ attributes
Will Fiveash
William.Fiveash at sun.com
Wed Jun 14 19:45:52 EDT 2006
While doing more testing I notice that I can set a princ's
krbMaxTicketLife attribute to 1728000 seconds (20 days). I see this
value when I do a ldapsearch on the princ object so I know it is set
properly in the directory. However when I do:
./kadmin.local -q 'getprinc foo'
I see:
Maximum ticket life: 1 day 00:00:00
The problem appears to be this code in krb5_read_tkt_policyreference():
    if ((mask & tkt_mask) != tkt_mask) {
        if (policydn != NULL) {
            st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask);
            if (st && st != KRB5_KDB_NOENTRY) {
                prepend_err_str(context, "Error reading ticket policy. ", st, st);
                goto cleanup;
            }
            st = 0; /* reset the return status */
        }
        if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
            if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
                entries->max_life = tktpoldnparam->maxtktlife;
            else if (ldap_context->lrparams->max_life)
                entries->max_life = ldap_context->lrparams->max_life;
            else if (ldap_context->krbcontainer->max_life)
                entries->max_life = ldap_context->krbcontainer->max_life;
            else
                entries->max_life = KRB5_KDB_MAX_LIFE;
        }
If no policy is specified in the foo princ object or the krbcontainer
then entries->max_life = KRB5_KDB_MAX_LIFE; is executed. This behavior
differs from when I do the same using the db2 plugin.
Why?
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
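The fallback order in the quoted fragment, modelled as a stand-alone C function so the behaviour described in the post can be reproduced on a workstation. This is an added example, not code from MIT krb5 or from the LDAP plugin: the structs, the bit value chosen for KDB_MAX_LIFE_ATTR and the sample lifetimes are assumptions made for the example, and `resolve_max_life`, `symptom_example` and `fallback_example` are hypothetical helpers. The one fact carried over from the post is the precedence chain itself: the principal's own value is kept only when KDB_MAX_LIFE_ATTR is present in `mask`; otherwise the ticket policy, the realm parameters, the krbcontainer and finally KRB5_KDB_MAX_LIFE decide, in that order.

```c
#include <stdio.h>

/* Assumed values for this example. KRB5_KDB_MAX_LIFE is one day in MIT krb5,
 * which matches the "1 day 00:00:00" shown by getprinc in the post. */
#define KDB_MAX_LIFE_ATTR 0x0001          /* hypothetical bit value */
#define KRB5_KDB_MAX_LIFE (60 * 60 * 24)  /* 86400 seconds */

struct ticket_policy    { unsigned int maxtktlife; };
struct realm_params     { unsigned int max_life; };
struct container_params { unsigned int max_life; };
struct db_entry         { unsigned int max_life; };

/* Same precedence as the quoted plugin code: principal attribute (only if its
 * mask bit is set) > ticket policy (only if omask reports it) > realm params
 * > krbcontainer > KRB5_KDB_MAX_LIFE. NULL pointers stand for "not configured". */
unsigned int resolve_max_life(unsigned int mask, unsigned int omask,
                              const struct db_entry *entry,
                              const struct ticket_policy *pol,
                              const struct realm_params *realm,
                              const struct container_params *container)
{
    if (mask & KDB_MAX_LIFE_ATTR)
        return entry->max_life;              /* principal's own value honoured */
    if (pol != NULL && (omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
        return pol->maxtktlife;
    if (realm != NULL && realm->max_life)
        return realm->max_life;
    if (container != NULL && container->max_life)
        return container->max_life;
    return KRB5_KDB_MAX_LIFE;
}

/* Reproduce the symptom from the post: the directory holds 1728000 s (20 days),
 * but if the read path does not set KDB_MAX_LIFE_ATTR in mask, the chain falls
 * through to the compiled-in one-day default, no matter what the entry holds. */
unsigned int symptom_example(int attr_bit_set)
{
    struct db_entry e = { 1728000 };  /* constructed: krbMaxTicketLife as stored */
    return resolve_max_life(attr_bit_set ? KDB_MAX_LIFE_ATTR : 0, 0,
                            &e, NULL, NULL, NULL);
}

/* Exercise the middle of the chain: no principal bit, no policy, so the realm
 * value wins when non-zero, then the container value, then the default. */
unsigned int fallback_example(unsigned int realm_life, unsigned int container_life)
{
    struct db_entry e = { 1728000 };
    struct realm_params r = { realm_life };
    struct container_params c = { container_life };
    return resolve_max_life(0, 0, &e, NULL, &r, &c);
}

int main(void)
{
    printf("attr bit set:   %u\n", symptom_example(1));   /* 1728000 */
    printf("attr bit unset: %u\n", symptom_example(0));   /* 86400  */
    printf("realm 36000:    %u\n", fallback_example(36000, 7200));
    printf("container only: %u\n", fallback_example(0, 7200));
    return 0;
}
```

When getprinc shows the default despite the attribute being present in the directory, the question this model raises is whether the read path is reporting KDB_MAX_LIFE_ATTR in `mask` for that entry; the chain never consults the entry's stored value once that bit is absent.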