author | Andrew Bartlett <abartlet@samba.org> | 2009-07-28 14:05:19 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-07-28 14:10:47 +1000 |
commit | 8ff1f50b0c47f7ff92d557ef4caf64a44b387ab4 (patch) | |
tree | 98f832f301c2e5c92a1391f1ae2bb9a6a1590e52 /source4/auth | |
parent | 47a7a2e442c7e006eca8188c6a01707d85c4e61c (diff) | |
s4:kerberos Add support for user principal names in certificates
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certificate (using the standard method to specify a principal name in a
certificate) is updated to use Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 2 | ||||
-rw-r--r-- | source4/auth/sam.c | 6 |
2 files changed, 5 insertions, 3 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 253ddf2286..a64c56d920 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -330,7 +330,7 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
 }
 nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal,
- &domain_dn, &msg);
+ user_attrs, &domain_dn, &msg);
 if (!NT_STATUS_IS_OK(nt_status)) {
 return nt_status;
 }
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 635d94242f..8865170b14 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -399,6 +399,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 TALLOC_CTX *mem_ctx,
 const char *principal,
+ const char **attrs,
 struct ldb_dn **domain_dn,
 struct ldb_message **msg)
 {
@@ -411,7 +412,8 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 return NT_STATUS_NO_MEMORY;
 }
- nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, domain_dn);
+ nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal,
+ &user_dn, domain_dn);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
 return nt_status;
@@ -419,7 +421,7 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 /* pull the user attributes */
 ret = gendb_search_single_extended_dn(sam_ctx, tmp_ctx, user_dn, LDB_SCOPE_BASE,
- msg, user_attrs, "(objectClass=*)");
+ msg, attrs, "(objectClass=*)");
 if (ret != LDB_SUCCESS) {
 talloc_free(tmp_ctx);
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
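Review bot: The new `attrs` parameter of sam_get_results_principal is undocumented, and because it is handed straight to gendb_search_single_extended_dn in the later hunk, every attribute a caller later reads from `*msg` must now appear in that list — the auth_sam.c caller keeps passing `user_attrs`, but any new caller (such as the HDB-side alias lookup the commit message describes) silently gets a message missing whatever it forgot to request. Suggest a comment above the declaration: `/* attrs: NULL-terminated list of attribute names to fetch for the matched user into *msg; the caller must list every attribute it will read. */`. It is also worth pinning down what a NULL attrs means here — presumably ldb's "return all attributes" default, which would pull every attribute of the account (including sensitive ones) into *msg and is unlikely to be intended — so either document that or reject NULL with `if (attrs == NULL) return NT_STATUS_INVALID_PARAMETER;` near the existing tmp_ctx check. The function body starts and ends outside these hunks.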