diff options
| author | Sumit Bose <sbose@redhat.com> | 2013-06-24 20:59:53 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-25 14:34:39 +0200 |
| commit | fa4a9c4afcc0c62a693034e21f33356e64735687 (patch) | |
| tree | 5f396acead970d06e8ebdd9da7d3397238736072 /src/providers/ipa | |
| parent | 48a53690ae35ef7e5690eb216c8e33140070f984 (diff) | |
| download | sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.tar.gz sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.tar.bz2 sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.zip | |
krb5: do not send pac for IPA users from the local domain
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
Diffstat (limited to 'src/providers/ipa')
| -rw-r--r-- | src/providers/ipa/ipa_init.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index ece62bb8..77a51433 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -300,6 +300,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, goto done; } krb5_auth_ctx->service = ipa_options->service->krb5_service; + krb5_auth_ctx->is_ipa = true; ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx; ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path, |