authorSumit Bose <sbose@redhat.com>2009-08-24 15:17:37 +0200
committerSimo Sorce <ssorce@redhat.com>2009-08-24 11:03:22 -0400
commitce0111fe4f1c5ea09a23c2be43fc1fcc1cdbdac8 (patch)
treedcea6a6071220dda84ee0e6abc6479780c9ce41d /server/providers/krb5
parent7bc48f82f587b148b821e34f57c1414e82a18276 (diff)
some UPN handling fixes
- making the realm part upper case is now optional and done in the LDAP backend
- using a username@realm UPN is now optional
Diffstat (limited to 'server/providers/krb5')
-rw-r--r--server/providers/krb5/krb5_auth.c34
-rw-r--r--server/providers/krb5/krb5_auth.h1
2 files changed, 12 insertions, 23 deletions
diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c
index 45bbe4cb..39bc1706 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -31,7 +31,6 @@
#include <unistd.h>
#include <fcntl.h>
#include <pwd.h>
-#include <ctype.h>
#include <security/pam_modules.h>
@@ -41,25 +40,6 @@
#include "krb5_plugin/sssd_krb5_locator_plugin.h"
#include "providers/krb5/krb5_auth.h"
-#define REALM_SEPARATOR '@'
-
-static void make_realm_upper_case(const char *upn)
-{
- char *c;
-
- c = strchr(upn, REALM_SEPARATOR);
- if (c == NULL) {
- DEBUG(9, ("No realm delimiter found in upn [%s].\n", upn));
- return;
- }
-
- while(*(++c) != '\0') {
- c[0] = toupper(*c);
- }
-
- return;
-}
-
static void fd_nonblocking(int fd) {
int flags;
@@ -452,11 +432,15 @@ static void get_user_upn_done(void *pvt, int err, struct ldb_result *res)
case 1:
upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL);
- if (upn == NULL) {
+ if (upn == NULL && krb5_ctx->try_simple_upn) {
/* NOTE: this is a hack, works only in some environments */
if (krb5_ctx->realm != NULL) {
upn = talloc_asprintf(be_req, "%s@%s", pd->user,
krb5_ctx->realm);
+ if (upn == NULL) {
+ DEBUG(1, ("failed to build simple upn.\n"));
+ }
+ DEBUG(9, ("Using simple UPN [%s].\n", upn));
}
}
break;
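Review bot: When talloc_asprintf() fails in the fallback branch, the added `DEBUG(1, ...)` is followed unconditionally by `DEBUG(9, ("Using simple UPN [%s].\n", upn))`, which passes a NULL pointer to `%s`; that is undefined behaviour in C even where the libc happens to print "(null)". Moving the level-9 message into an else branch, `} else { DEBUG(9, ("Using simple UPN [%s].\n", upn)); }`, keeps the out-of-memory path to the failure message only. Because this commit also removes the make_realm_upper_case() call later in get_user_upn_done, the synthesized UPN now appears to carry krb5_ctx->realm exactly as configured; Kerberos realm names are case-sensitive, so it is worth confirming that the configured realm is validated or documented as needing upper case. The function starts and ends outside this hunk.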
@@ -472,8 +456,6 @@ static void get_user_upn_done(void *pvt, int err, struct ldb_result *res)
goto failed;
}
- make_realm_upper_case(upn);
-
ret = krb5_setup(be_req, upn, &kr);
if (ret != EOK) {
DEBUG(1, ("krb5_setup failed.\n"));
@@ -612,6 +594,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, struct bet_ops **ops,
{
struct krb5_ctx *ctx = NULL;
char *value = NULL;
+ bool bool_value;
int ret;
struct tevent_signal *sige;
@@ -651,6 +634,11 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, struct bet_ops **ops,
}
ctx->realm = value;
+ ret = confdb_get_bool(bectx->cdb, ctx, bectx->conf_path,
+ "krb5try_simple_upn", false, &bool_value);
+ if (ret != EOK) goto fail;
+ ctx->try_simple_upn = bool_value;
+
/* TODO: set options */
sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO,
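Review bot: The new `krb5try_simple_upn` option is read with a default of `false` and nothing at the call says what it controls, although it disables a fallback that was unconditional before this commit: accounts with no stored UPN will no longer get a `user@realm` principal unless the option is set. A comment above the call, for example `/* krb5try_simple_upn: if true and no UPN is stored for the user, fall back to user@realm (default: false) */`, plus a matching entry in the user-facing configuration documentation, would make that change in authentication behaviour visible to administrators. Separately, `if (ret != EOK) goto fail;` leaves without any log message, unlike the `krb5_setup failed.` path in the same file; a `DEBUG(1, ("confdb_get_bool failed.\n"));` inside a braced body would match it. sssm_krb5_auth_init begins and continues outside this hunk.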
diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h
index d1c5c7c8..540f65fa 100644
--- a/server/providers/krb5/krb5_auth.h
+++ b/server/providers/krb5/krb5_auth.h
@@ -61,6 +61,7 @@ struct krb5_ctx {
char *kdcip;
char *realm;
+ bool try_simple_upn;
};
struct krb5_req {