summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-05-03 19:30:51 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-05-03 21:02:10 +0200
commit42084c0f500ba849393b0e87477cd1af397ddecb (patch)
treebb895a3c896c3cb07f6bf223eef94537fcc4119a
parent2e4f8db631a10224dac20e8a472f751fef0e3fcd (diff)
downloadsssd-42084c0f500ba849393b0e87477cd1af397ddecb.tar.gz
sssd-42084c0f500ba849393b0e87477cd1af397ddecb.tar.bz2
sssd-42084c0f500ba849393b0e87477cd1af397ddecb.zip
Only check UPN if enterprise principals are not used
If enterprise principals are enabled (which is the default in the AD provider), then the returned UPN might be slightly different from the one SSSD constructs before attempting the login. This patch makes SSSD only check if the principal is the same when the enterprise principals are disabled.
-rw-r--r--src/providers/krb5/krb5_auth.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 5baea0bc..6d7494c3 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -840,6 +840,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
krb5_deltat renew_interval_delta;
char *renew_interval_str;
time_t renew_interval_time = 0;
+ bool use_enterprise_principal;
ret = handle_child_recv(subreq, pd, &buf, &len);
talloc_zfree(subreq);
@@ -908,9 +909,13 @@ static void krb5_auth_done(struct tevent_req *subreq)
}
}
+ use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
+ KRB5_USE_ENTERPRISE_PRINCIPAL);
+
/* Check if the cases of our upn are correct and update it if needed.
* Fail if the upn differs by more than just the case. */
if (res->correct_upn != NULL &&
+ use_enterprise_principal == false &&
strcmp(kr->upn, res->correct_upn) != 0) {
if (strcasecmp(kr->upn, res->correct_upn) == 0) {
talloc_free(kr->upn);