question regarding LDAP plugin, policy and princ attributes

Will Fiveash William.Fiveash at sun.com
Wed Jun 14 20:07:55 EDT 2006


On Wed, Jun 14, 2006 at 06:45:52PM -0500, Will Fiveash wrote:
> While doing more testing I notice that I can set a princ's
> krbMaxTicketLife attribute to 1728000 seconds (20 days).  I see this
> value when I do a ldapsearch on the princ object so I know it is set
> properly in the directory.  However when I do:
> 
> ./kadmin.local -q 'getprinc foo'
> 
> I see:
> 
> Maximum ticket life: 1 day 00:00:00
> 
> The problem appears to be this code in krb5_read_tkt_policyreference():
> 
>     if ((mask & tkt_mask) != tkt_mask) {
>         if (policydn != NULL) {
>             st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask);
>             if (st && st != KRB5_KDB_NOENTRY) {
>                 prepend_err_str(context, "Error reading ticket policy. ", st, st);
>                 goto cleanup;
>             }
> 
>             st = 0; /* reset the return status */
>         }
> 
>         if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
>             if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
>                 entries->max_life = tktpoldnparam->maxtktlife;
>             else if (ldap_context->lrparams->max_life)
>                 entries->max_life = ldap_context->lrparams->max_life;
>             else if (ldap_context->krbcontainer->max_life)
>                 entries->max_life = ldap_context->krbcontainer->max_life;
>             else
>                 entries->max_life = KRB5_KDB_MAX_LIFE;
>         }
> 
> If no policy is specified in the foo princ object or the krbcontainer
> then entries->max_life = KRB5_KDB_MAX_LIFE; is executed.  This behavior
> differs from when I do the same using the db2 plugin.
> 
> Why?

I dug a little further and in krb5_ldap_get_principal() prior to the
krb5_read_tkt_policyreference() call I see:

        /* KRBMAXTICKETLIFE */
        if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entries->max_life)) == 0)
            mask |= KDB_MAX_LIFE_ATTR;

This is setting entries->max_life properly and setting the
KDB_MAX_LIFE_ATTR flag in mask.  However in
krb5_read_tkt_policyreference() there is:

    if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)

which is setting the mask to 0 on my system.  Somewhere the mask flags
set in krb5_ldap_get_principal() are getting lost.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
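Added illustration, not code from this thread or from MIT krb5: a small C model of the max_life fallback chain in the quoted krb5_read_tkt_policyreference() excerpt, fed by a model of the krbMaxTicketLife read in krb5_ldap_get_principal(). The struct layouts, the bit value of KDB_MAX_LIFE_ATTR and the 1-day KRB5_KDB_MAX_LIFE default are simplified stand-ins (assumptions), and the 1728000-second value is constructed from the report. It shows the two outcomes side by side: with the mask bit preserved the directory value is used; with the mask recomputed as 0 (the symptom described) and no policy, realm or container value set, the compiled-in default wins, which is the "1 day 00:00:00" that kadmin printed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the krb5 LDAP plugin's types and constants.
 * They are simplified for illustration and are NOT the real kdb.h / LDAP
 * plugin definitions; only the precedence logic mirrors the quoted excerpt. */
#define KDB_MAX_LIFE_ATTR   0x1u
#define KRB5_KDB_MAX_LIFE   (60 * 60 * 24)       /* the 1-day default kadmin showed */

typedef struct { int maxtktlife; } tkt_policy;    /* referenced krbTicketPolicy */
typedef struct { int max_life;   } realm_params;  /* ldap_context->lrparams */
typedef struct { int max_life;   } krb_container; /* ldap_context->krbcontainer */

typedef struct {
    unsigned mask;      /* which per-principal attributes were present in LDAP */
    int      max_life;
} principal_entry;

/* Step 1: what krb5_ldap_get_principal() does for krbMaxTicketLife when the
 * attribute is present: store the value and set its bit in the mask. */
static void read_principal(principal_entry *e, int krbmaxticketlife_from_ldap)
{
    e->mask = 0;
    e->max_life = 0;
    if (krbmaxticketlife_from_ldap > 0) {
        e->max_life = krbmaxticketlife_from_ldap;
        e->mask |= KDB_MAX_LIFE_ATTR;
    }
}

/* Step 2: the fallback chain from krb5_read_tkt_policyreference(). The mask
 * is passed separately so a caller can model it being recomputed (and lost). */
static void apply_policy_fallback(principal_entry *e, unsigned mask,
                                  const tkt_policy *pol, unsigned omask,
                                  const realm_params *lr, const krb_container *kc)
{
    if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
        if (pol && (omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
            e->max_life = pol->maxtktlife;
        else if (lr && lr->max_life)
            e->max_life = lr->max_life;
        else if (kc && kc->max_life)
            e->max_life = kc->max_life;
        else
            e->max_life = KRB5_KDB_MAX_LIFE;     /* the value the report ended up with */
    }
}

/* Render seconds the way kadmin's getprinc prints ticket lifetimes. */
static const char *format_life(int secs, char *buf, size_t n)
{
    int days = secs / 86400, rem = secs % 86400;
    snprintf(buf, n, "%d day%s %02d:%02d:%02d", days, days == 1 ? "" : "s",
             rem / 3600, (rem % 3600) / 60, rem % 60);
    return buf;
}

/* Scenario A: the mask survives between the two functions -> LDAP value is kept. */
int max_life_mask_preserved(void)
{
    principal_entry e;
    read_principal(&e, 1728000);                  /* constructed: 20 days, as in the report */
    apply_policy_fallback(&e, e.mask, NULL, 0, NULL, NULL);
    return e.max_life;
}

/* Scenario B: the mask is recomputed as 0 (models krb5_get_attributes_mask()
 * yielding 0); no policy, realm or container value -> compiled-in default. */
int max_life_mask_lost(void)
{
    principal_entry e;
    read_principal(&e, 1728000);
    unsigned recomputed_mask = 0;
    apply_policy_fallback(&e, recomputed_mask, NULL, 0, NULL, NULL);
    return e.max_life;
}

int main(void)
{
    char buf[64];
    printf("mask preserved: Maximum ticket life: %s\n",
           format_life(max_life_mask_preserved(), buf, sizeof buf));
    printf("mask lost:      Maximum ticket life: %s\n",
           format_life(max_life_mask_lost(), buf, sizeof buf));
    return 0;
}
```

The check the model encodes is the same one used in the report: the value stored in the directory (ldapsearch) versus the value the KDC resolves (kadmin getprinc). When those disagree for an attribute the principal object does carry, the attribute's mask bit was dropped somewhere between the read and the policy resolution, and the fallback chain, not the directory, is deciding the lifetime.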