question regarding LDAP plugin, policy and princ attributes

Savitha R rsavitha at novell.com
Thu Jun 15 08:50:59 EDT 2006



>>> On Thu, Jun 15, 2006 at  5:37 am, in message
<20060615000755.GK29380 at sun.com>,
Will Fiveash <William.Fiveash at sun.com> wrote: 
> On Wed, Jun 14, 2006 at 06:45:52PM -0500, Will Fiveash wrote:
>> While doing more testing I notice that I can set a princ's
>> krbMaxTicketLife attribute to 1728000 seconds (20 days).  I see this
>> value when I do a ldapsearch on the princ object so I know it is set
>> properly in the directory.  However when I do:
>> 
>> ./kadmin.local -q 'getprinc foo'
>> 
>> I see:
>> 
>> Maximum ticket life: 1 day 00:00:00
>> 
>> The problem appears to be this code in krb5_read_tkt_policyreference():
>> 
>>     if ((mask & tkt_mask) != tkt_mask) {
>>         if (policydn != NULL) {
>>             st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask);
>>             if (st && st != KRB5_KDB_NOENTRY) {
>>                 prepend_err_str(context, "Error reading ticket policy. ", st, st);
>>                 goto cleanup;
>>             }
>> 
>>             st = 0; /* reset the return status */
>>         }
>> 
>>         if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
>>             if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
>>                 entries->max_life = tktpoldnparam->maxtktlife;
>>             else if (ldap_context->lrparams->max_life)
>>                 entries->max_life = ldap_context->lrparams->max_life;
>>             else if (ldap_context->krbcontainer->max_life)
>>                 entries->max_life = ldap_context->krbcontainer->max_life;
>>             else
>>                 entries->max_life = KRB5_KDB_MAX_LIFE;
>>         }
>> 
>> If no policy is specified in the foo princ object or the krbcontainer
>> then entries->max_life = KRB5_KDB_MAX_LIFE; is executed.  This behavior
>> differs from when I do the same using the db2 plugin.
>> 
>> Why?
> 
> I dug a little further and in krb5_ldap_get_principal() prior to the
> krb5_read_tkt_policyreference() call I see:
> 
>         /* KRBMAXTICKETLIFE */
>         if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entries->max_life)) == 0)
>             mask |= KDB_MAX_LIFE_ATTR;
> 
> This is setting entries->max_life properly and setting the
> KDB_MAX_LIFE_ATTR flag in mask.  However in
> krb5_read_tkt_policyreference() there is:
> 
>     if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)
> 
> which is setting the mask to 0 on my system.  Somewhere the mask flags
> set in krb5_ldap_get_principal() are getting lost.


We are not able to see this in our setup. Can you give us some details
(like platform, version...) about your test environment?

Are you able to get correct values for other attributes like max
renewable life and password expiration time?

Thanks
Savitha
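The max_life fallback chain Will quotes, with the mask-loss symptom reproduced on sample values. This is an added illustration for the thread, not code from MIT Kerberos; the struct, the constant values and the sample numbers are assumptions (KRB5_KDB_MAX_LIFE is taken as one day to match the getprinc output shown above).

```c
#include <stdio.h>
/* Added illustration, not MIT Kerberos code: models the max_life fallback
 * chain quoted from krb5_read_tkt_policyreference() on sample values. */
#define KDB_MAX_LIFE_ATTR 0x1            /* "principal carries krbMaxTicketLife" */
#define KRB5_KDB_MAX_LIFE (60 * 60 * 24) /* 1 day, the default seen in getprinc */

/* Values the principal entry, ticket policy, realm and container would
 * supply; 0 means "not set" for policy, realm and container. */
struct tkt_sources {
    unsigned mask;           /* attribute mask after reading the principal */
    unsigned omask;          /* attribute mask returned for the policy */
    int princ_max_life;      /* krbMaxTicketLife from the principal entry */
    int policy_max_life;     /* maxtktlife from the referenced ticket policy */
    int realm_max_life;      /* lrparams->max_life */
    int container_max_life;  /* krbcontainer->max_life */
};

/* Same precedence as the quoted code: the principal's own value stands when
 * its mask bit is set; otherwise policy, realm, container, then default. */
int resolve_max_life(const struct tkt_sources *s)
{
    int max_life = s->princ_max_life;  /* already stored by the principal read */
    if ((s->mask & KDB_MAX_LIFE_ATTR) == 0) {
        if ((s->omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
            max_life = s->policy_max_life;
        else if (s->realm_max_life)
            max_life = s->realm_max_life;
        else if (s->container_max_life)
            max_life = s->container_max_life;
        else
            max_life = KRB5_KDB_MAX_LIFE;
    }
    return max_life;
}

/* The symptom from the thread: a 20-day krbMaxTicketLife on the principal
 * and no policy/realm/container value. With the mask bit intact the 20 days
 * survive; with the mask reset to 0 the fallback ends at the 1-day default. */
int max_life_with_mask(unsigned mask_seen_by_fallback)
{
    struct tkt_sources s = { mask_seen_by_fallback, 0, 1728000, 0, 0, 0 }; /* constructed */
    return resolve_max_life(&s);
}

int main(void)
{
    printf("mask kept: %d\nmask lost: %d\n",
           max_life_with_mask(KDB_MAX_LIFE_ATTR), max_life_with_mask(0));
    return 0;
}
```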
