question about princ type assignment in krb5_ldap_get_principal()
Praveen Kumar Sahukar
psahukar at novell.com
Fri Jun 16 11:30:13 EDT 2006
On Thu, 2006-06-15 at 16:32 -0500, Will Fiveash wrote:
> On Thu, Jun 15, 2006 at 11:42:42PM +0530, Praveen Kumar Sahukar wrote:
> > On Wed, 2006-06-14 at 11:07 -0400, Sam Hartman wrote:
> > > >>>>> "Praveen" == Praveen Kumar Sahukar <psahukar at novell.com> writes:
> > >
> > > Praveen> On Tue, 2006-06-13 at 19:49 -0500, Will Fiveash wrote:
> > > >> In krb5_ldap_get_principal() in
> > > >> src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c I see:
> > > >>
> > > >> if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {
> > > >>     for(i=0; values[i] != NULL; ++i)
> > > >>         if (strcasecmp(values[i], "krbprincipal") == 0) {
> > > >>             ptype = KDB_SERVICE_PRINCIPAL;
> > > >>             break;
> > > >>         }
> > > >>     ldap_value_free(values);
> > > >> }
> > > >>
> > > >> Why is ptype set to KDB_SERVICE_PRINCIPAL if the objectclass is
> > > >> krbprincipal?
> > >
> > > Praveen> Kerberos principals created on krbprincipal object class
> > > Praveen> (by extending with the krbprincipalaux aux class) are
> > > Praveen> considered as Kerberos service principals. Thus kerberos
> > > Praveen> principals like kadmin/admin, krbtgt/realmname ... are
> > > Praveen> created as krbprincipal object class.
> > >
> > > Praveen> Kerberos principals created by extending other structural
> > > Praveen> object classes with the krbprincipalaux aux class are
> > > Praveen> considered as the user principals.
> > >
> > > This seems rather specific to your deployment.
> > >
> > > What distinction does the code make based on this type?
> >
> > Based on the principal type distinction a couple of eDirectory specific
> > features are applied only to kerberos user principals and not to
> > kerberos service principals.
>
> Still the logic is suspect. I just created a user principal and stored
> it as a krbPrincipal object and this code sets the ptype to
> KDB_SERVICE_PRINCIPAL. I worry about this being misunderstood and
> misused later.
The logic in the LDAP plug-in is to differentiate the Kerberos
principals into two classes, 'service' and 'user'. Any Kerberos principal
created as a krbPrincipal object will be treated as a Kerberos service
principal. The fact that the Kerberos principal belongs to a
krbPrincipal object makes it a Kerberos service principal. So it is not
possible to create a Kerberos user principal with a krbPrincipal
object.
If a Kerberos principal is associated with any object class other than
the krbPrincipal object class, then it will be treated as a Kerberos user
principal.
-Praveen
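To make the classification rule discussed in this thread concrete, here is an added stand-alone model of the objectClass loop quoted above (example code, not the plug-in's own source): the enum values and the three sample entries are constructed for illustration, and the third entry reproduces the case Will raised, a user principal stored as a krbPrincipal object, which the rule reports as a service principal.

```c
#include <stdio.h>
#include <stddef.h>
#include <strings.h>

/* Hypothetical stand-ins for the plug-in's principal type constants. */
enum { KDB_USER_PRINCIPAL = 1, KDB_SERVICE_PRINCIPAL = 2 };

/* Mirrors the quoted loop: an entry is a service principal iff one of its
 * objectClass values is "krbprincipal" (compared case-insensitively);
 * any other combination of object classes is treated as a user principal. */
int classify_by_objectclass(const char *const *values)
{
    int ptype = KDB_USER_PRINCIPAL;
    for (size_t i = 0; values[i] != NULL; ++i) {
        if (strcasecmp(values[i], "krbprincipal") == 0) {
            ptype = KDB_SERVICE_PRINCIPAL;
            break;
        }
    }
    return ptype;
}

const char *ptype_name(int ptype)
{
    return ptype == KDB_SERVICE_PRINCIPAL ? "service" : "user";
}

/* Constructed objectClass lists, not read from a real directory. */
static const char *const krbtgt_entry[] =
    { "top", "krbPrincipal", "krbPrincipalAux", NULL };
static const char *const user_in_inetorgperson[] =
    { "top", "person", "inetOrgPerson", "krbPrincipalAux", NULL };
/* The case from the thread: a user principal stored as a krbPrincipal object. */
static const char *const user_as_krbprincipal[] =
    { "top", "krbPrincipal", "krbPrincipalAux", NULL };

int main(void)
{
    printf("krbtgt/REALM as krbPrincipal        -> %s\n",
           ptype_name(classify_by_objectclass(krbtgt_entry)));
    printf("user in inetOrgPerson + aux class   -> %s\n",
           ptype_name(classify_by_objectclass(user_in_inetorgperson)));
    printf("user stored as krbPrincipal object  -> %s\n",
           ptype_name(classify_by_objectclass(user_as_krbprincipal)));
    return 0;
}
```

The last line of output shows the point of the thread: the type is derived from the storage object class alone, so a user principal kept in a krbPrincipal object is indistinguishable from a service principal to this code.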