summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rwxr-xr-xsrc/config/SSSDConfigTest.py9
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/man/sssd-krb5.5.xml28
-rw-r--r--src/man/sssd-ldap.5.xml28
-rw-r--r--src/providers/ad/ad_common.c39
-rw-r--r--src/providers/ad/ad_opts.h2
-rw-r--r--src/providers/ipa/ipa_common.c35
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/krb5/krb5_common.c30
-rw-r--r--src/providers/krb5/krb5_common.h6
-rw-r--r--src/providers/krb5/krb5_init.c17
-rw-r--r--src/providers/krb5/krb5_opts.h1
-rw-r--r--src/providers/ldap/ldap_common.c8
-rw-r--r--src/providers/ldap/ldap_opts.h1
-rw-r--r--src/providers/ldap/sdap.h1
19 files changed, 163 insertions, 49 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b6e722fc..4d7629e1 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -165,6 +165,7 @@ option_strings = {
'krb5_backup_server' : _('Kerberos backup server address'),
'krb5_realm' : _('Kerberos realm'),
'krb5_auth_timeout' : _('Authentication timeout'),
+ 'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
# [provider/krb5/auth]
'krb5_ccachedir' : _('Directory to store credential caches'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index f44fac72..ca344ad4 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -614,7 +614,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_use_fast',
'krb5_fast_principal',
'krb5_canonicalize',
- 'krb5_use_enterprise_principal'])
+ 'krb5_use_enterprise_principal',
+ 'krb5_use_kdcinfo'])
options = domain.list_options()
@@ -773,7 +774,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_use_fast',
'krb5_fast_principal',
'krb5_canonicalize',
- 'krb5_use_enterprise_principal']
+ 'krb5_use_enterprise_principal',
+ 'krb5_use_kdcinfo']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -967,7 +969,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_use_fast',
'krb5_fast_principal',
'krb5_canonicalize',
- 'krb5_use_enterprise_principal'])
+ 'krb5_use_enterprise_principal',
+ 'krb5_use_kdcinfo'])
options = domain.list_options()
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 3be25e8d..120c8275 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -29,6 +29,7 @@ krb5_backup_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
krb5_canonicalize = bool, None, false
+krb5_use_kdcinfo = bool, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
ldap_entry_usn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index e6f1bb0a..8a7e75f2 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -35,6 +35,7 @@ krb5_server = str, None, false
krb5_backup_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
+krb5_use_kdcinfo = bool, None, false
krb5_kpasswd = str, None, false
krb5_backup_kpasswd = str, None, false
krb5_canonicalize = bool, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 89d16d77..e65ed01b 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -4,6 +4,7 @@ krb5_server = str, None, false
krb5_backup_server = str, None, false
krb5_realm = str, None, true
krb5_auth_timeout = int, None, false
+krb5_use_kdcinfo = bool, None, false
krb5_kpasswd = str, None, false
krb5_backup_kpasswd = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 14e979da..870cf20f 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -21,6 +21,7 @@ krb5_kdcip = str, None, false
krb5_server = str, None, false
krb5_realm = str, None, false
krb5_canonicalize = bool, None, false
+krb5_use_kdcinfo = bool, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
ldap_entry_usn = str, None, false
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 731d7725..906aee09 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -452,6 +452,34 @@
</varlistentry>
<varlistentry>
+ <term>krb5_use_kdcinfo (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the SSSD should be instructing the Kerberos
+ libraries what realm and which KDCs to use. This option
+ is on by default, if you disable it, you need to configure
+ the Kerberos library using the
+ <citerefentry>
+ <refentrytitle>krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ configuration file.
+ </para>
+ <para>
+ See the
+ <citerefentry>
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ manual page for more information on the locator plugin.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>krb5_use_enterprise_principal (boolean)</term>
<listitem>
<para>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 97b5fdc5..9cd594c7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1589,6 +1589,34 @@
</varlistentry>
<varlistentry>
+ <term>krb5_use_kdcinfo (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the SSSD should be instructing the Kerberos
+ libraries what realm and which KDCs to use. This option
+ is on by default, if you disable it, you need to configure
+ the Kerberos library using the
+ <citerefentry>
+ <refentrytitle>krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ configuration file.
+ </para>
+ <para>
+ See the
+ <citerefentry>
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ manual page for more information on the locator plugin.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_pwd_policy (string)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index ea124d96..1aad85de 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -531,21 +531,23 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
goto done;
}
- /* Write krb5 info files */
- safe_address = sss_escape_ip_address(tmp_ctx,
- srvaddr->family,
- address);
- if (safe_address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
- ret = ENOMEM;
- goto done;
- }
+ if (service->krb5_service->write_kdcinfo) {
+ /* Write krb5 info files */
+ safe_address = sss_escape_ip_address(tmp_ctx,
+ srvaddr->family,
+ address);
+ if (safe_address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
- ret = write_krb5info_file(service->krb5_service->realm, safe_address,
- SSS_KRB5KDC_FO_SRV);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+ SSS_KRB5KDC_FO_SRV);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
ret = EOK;
@@ -846,6 +848,15 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
krb5_options[KRB5_REALM].opt_name,
krb5_realm));
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ ad_opts->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+ ad_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
*_opts = talloc_steal(mem_ctx, krb5_options);
ret = EOK;
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 218614dc..ba03c232 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -88,6 +88,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_FALSE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -145,6 +146,7 @@ struct dp_option ad_def_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 76da6c1e..67137409 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -664,6 +664,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
dp_opt_get_string(ipa_opts->auth, KRB5_REALM)));
}
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ ipa_opts->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+ ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
*_opts = ipa_opts->auth;
ret = EOK;
@@ -743,19 +752,21 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
talloc_zfree(service->sdap->sockaddr);
service->sdap->sockaddr = talloc_steal(service, sockaddr);
- safe_address = sss_escape_ip_address(tmp_ctx,
- srvaddr->family,
- address);
- if (safe_address == NULL) {
- DEBUG(1, ("sss_escape_ip_address failed.\n"));
- talloc_free(tmp_ctx);
- return;
- }
+ if (service->krb5_service->write_kdcinfo) {
+ safe_address = sss_escape_ip_address(tmp_ctx,
+ srvaddr->family,
+ address);
+ if (safe_address == NULL) {
+ DEBUG(1, ("sss_escape_ip_address failed.\n"));
+ talloc_free(tmp_ctx);
+ return;
+ }
- ret = write_krb5info_file(service->krb5_service->realm, safe_address,
- SSS_KRB5KDC_FO_SRV);
- if (ret != EOK) {
- DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+ SSS_KRB5KDC_FO_SRV);
+ if (ret != EOK) {
+ DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
talloc_free(tmp_ctx);
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4dfa72db..fe81ed11 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -112,6 +112,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -274,6 +275,7 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index e60e6e0e..9db14b8a 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -452,18 +452,20 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
return;
}
- safe_address = talloc_asprintf_append(safe_address, ":%d",
- fo_get_server_port(server));
- if (safe_address == NULL) {
- DEBUG(1, ("talloc_asprintf_append failed.\n"));
- talloc_free(tmp_ctx);
- return;
- }
+ if (krb5_service->write_kdcinfo) {
+ safe_address = talloc_asprintf_append(safe_address, ":%d",
+ fo_get_server_port(server));
+ if (safe_address == NULL) {
+ DEBUG(1, ("talloc_asprintf_append failed.\n"));
+ talloc_free(tmp_ctx);
+ return;
+ }
- ret = write_krb5info_file(krb5_service->realm, safe_address,
- krb5_service->name);
- if (ret != EOK) {
- DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(krb5_service->realm, safe_address,
+ krb5_service->name);
+ if (ret != EOK) {
+ DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
talloc_free(tmp_ctx);
@@ -620,7 +622,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
const char *service_name,
const char *primary_servers,
const char *backup_servers,
- const char *realm, struct krb5_service **_service)
+ const char *realm,
+ bool use_kdcinfo,
+ struct krb5_service **_service)
{
TALLOC_CTX *tmp_ctx;
struct krb5_service *service;
@@ -655,6 +659,8 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
goto done;
}
+ service->write_kdcinfo = use_kdcinfo;
+
if (!primary_servers) {
DEBUG(SSSDBG_CONF_SETTINGS,
("No primary servers defined, using service discovery\n"));
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 85049360..eb563888 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -66,6 +66,7 @@ enum krb5_opts {
KRB5_FAST_PRINCIPAL,
KRB5_CANONICALIZE,
KRB5_USE_ENTERPRISE_PRINCIPAL,
+ KRB5_USE_KDCINFO,
KRB5_OPTS
};
@@ -82,6 +83,7 @@ struct tgt_times {
struct krb5_service {
char *name;
char *realm;
+ bool write_kdcinfo;
};
struct fo_service;
@@ -153,7 +155,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
const char *service_name,
const char *primary_servers,
const char *backup_servers,
- const char *realm, struct krb5_service **_service);
+ const char *realm,
+ bool use_kdcinfo,
+ struct krb5_service **_service);
void remove_krb5_info_files_callback(void *pvt);
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 1821d5b3..c6ec496e 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -108,8 +108,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
return EINVAL;
}
- ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- krb5_backup_servers, krb5_realm, &ctx->service);
+ ret = krb5_service_init(ctx, bectx,
+ SSS_KRB5KDC_FO_SRV, krb5_servers,
+ krb5_backup_servers, krb5_realm,
+ dp_opt_get_bool(krb5_options->opts,
+ KRB5_USE_KDCINFO),
+ &ctx->service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
return ret;
@@ -130,9 +134,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
"will use KDC for pasword change operations!\n"));
ctx->kpasswd_service = NULL;
} else {
- ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV,
- krb5_kpasswd_servers, krb5_backup_kpasswd_servers,
- krb5_realm, &ctx->kpasswd_service);
+ ret = krb5_service_init(ctx, bectx,
+ SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
+ krb5_backup_kpasswd_servers, krb5_realm,
+ dp_opt_get_bool(krb5_options->opts,
+ KRB5_USE_KDCINFO),
+ &ctx->kpasswd_service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n"));
return ret;
diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h
index c8e64782..400b7e33 100644
--- a/src/providers/krb5/krb5_opts.h
+++ b/src/providers/krb5/krb5_opts.h
@@ -44,6 +44,7 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index fd6f05de..96edd336 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1269,8 +1269,12 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
}
}
- ret = krb5_service_init(mem_ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- krb5_backup_servers, krb5_realm, &service);
+ ret = krb5_service_init(mem_ctx, bectx,
+ SSS_KRB5KDC_FO_SRV, krb5_servers,
+ krb5_backup_servers, krb5_realm,
+ dp_opt_get_bool(opts,
+ SDAP_KRB5_USE_KDCINFO),
+ &service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
goto done;
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 807716c1..6857d4ca 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -79,6 +79,7 @@ struct dp_option default_basic_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index f77636b3..6f10efa4 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -186,6 +186,7 @@ enum sdap_basic_opt {
SDAP_KRB5_BACKUP_KDC,
SDAP_KRB5_REALM,
SDAP_KRB5_CANONICALIZE,
+ SDAP_KRB5_USE_KDCINFO,
SDAP_PWD_POLICY,
SDAP_REFERRALS,
SDAP_ACCOUNT_CACHE_EXPIRATION,