diff options
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_child.c | 5 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 9 | ||||
-rw-r--r-- | src/providers/ldap/sdap_child_helpers.c | 9 |
5 files changed, 19 insertions, 6 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index f4be1857..fb8dd806 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c @@ -196,8 +196,9 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, } hostname[511] = '\0'; - full_princ = talloc_asprintf(memctx, "host/%s@%s", - hostname, realm_name); + ret = select_principal_from_keytab(memctx, hostname, realm_name, + keytab_name, &full_princ, NULL, NULL); + if (ret) goto done; } if (!full_princ) { krberr = KRB5KRB_ERR_GENERIC; diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 39e9b71d..11c4491f 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -63,6 +63,7 @@ struct dp_option default_basic_opts[] = { { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, /* use the same parm name as the krb5 module so we set it only once */ diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index fce95acc..c06b8a3b 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -172,6 +172,7 @@ enum sdap_basic_opt { SDAP_ID_TLS, SDAP_SASL_MECH, SDAP_SASL_AUTHID, + SDAP_SASL_REALM, SDAP_KRB5_KEYTAB, SDAP_KRB5_KINIT, SDAP_KRB5_KDC, diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index b295c56e..500e5f88 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -1318,6 +1318,12 @@ static void sdap_cli_kinit_step(struct tevent_req *req) struct sdap_cli_connect_state *state = tevent_req_data(req, struct sdap_cli_connect_state); struct tevent_req *subreq; + const char *realm; + + realm = dp_opt_get_string(state->opts->basic, SDAP_SASL_REALM); + if (!realm) { + realm = dp_opt_get_string(state->opts->basic, SDAP_KRB5_REALM); + } subreq = sdap_kinit_send(state, state->ev, state->be, @@ -1329,8 +1335,7 @@ static void sdap_cli_kinit_step(struct tevent_req *req) SDAP_KRB5_KEYTAB), dp_opt_get_string(state->opts->basic, SDAP_SASL_AUTHID), - dp_opt_get_string(state->opts->basic, - SDAP_KRB5_REALM), + realm, dp_opt_get_int(state->opts->basic, SDAP_KRB5_TICKET_LIFETIME)); if (!subreq) { diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c index 5a15e661..d0f6caeb 100644 --- a/src/providers/ldap/sdap_child_helpers.c +++ b/src/providers/ldap/sdap_child_helpers.c @@ -458,6 +458,12 @@ int setup_child(struct sdap_id_ctx *ctx) const char *mech; unsigned v; FILE *debug_filep; + const char *realm; + + realm = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_REALM); + if (!realm) { + realm = dp_opt_get_string(ctx->opts->basic, SDAP_KRB5_REALM); + } mech = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_MECH); @@ -468,8 +474,7 @@ int setup_child(struct sdap_id_ctx *ctx) if (mech && (strcasecmp(mech, "GSSAPI") == 0)) { ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic, SDAP_SASL_AUTHID), - dp_opt_get_string(ctx->opts->basic, - SDAP_KRB5_REALM), + realm, dp_opt_get_string(ctx->opts->basic, SDAP_KRB5_KEYTAB)); |