Diffstat (limited to 'src')
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/man/sssd-ldap.5.xml15
-rw-r--r--src/providers/ipa/ipa_common.c1
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_child.c8
-rw-r--r--src/providers/ldap/ldap_common.c1
-rw-r--r--src/providers/ldap/sdap.h1
-rw-r--r--src/providers/ldap/sdap_async.h1
-rw-r--r--src/providers/ldap/sdap_async_connection.c15
10 files changed, 45 insertions, 1 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index b5264bac..9ea45285 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -27,6 +27,7 @@ krb5_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
krb5_kpasswd = str, None, false
+krb5_canonicalize = bool, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
ldap_entry_usn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 78a7fa34..f76ce19a 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -19,6 +19,7 @@ ldap_sasl_authid = str, None, false
krb5_kdcip = str, None, false
krb5_server = str, None, false
krb5_realm = str, None, false
+krb5_canonicalize = bool, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
ldap_entry_usn = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 7cc20ce6..763ccca2 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1235,6 +1235,21 @@
</varlistentry>
<varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host pricipal should be canonicalized
+ when connecting to LDAP server. This feature is
+ available with MIT Kerberos >= 1.7
+ </para>
+
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_pwd_policy (string)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b68c72b4..8f9d5d77 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -78,6 +78,7 @@ struct dp_option ipa_def_ldap_opts[] = {
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 20074b45..40c5e532 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 52
+#define IPA_OPTS_BASIC_TEST 53
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index b0051fa9..02c7e557 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -139,6 +139,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
char *realm_name = NULL;
char *full_princ = NULL;
char *default_realm = NULL;
+ char *tmp_str = NULL;
krb5_context context = NULL;
krb5_keytab keytab = NULL;
krb5_ccache ccache = NULL;
@@ -147,6 +148,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_get_init_creds_opt options;
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
+ int canonicalize = 0;
int kdc_time_offset_usec;
int ret;
@@ -253,6 +255,12 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_get_init_creds_opt_set_proxiable(&options, 0);
krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
+ tmp_str = getenv("KRB5_CANONICALIZE");
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ canonicalize = 1;
+ }
+ sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
keytab, 0, NULL, &options);
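Review bot: The new canonicalize setting reaches ldap_child only through the process environment (`getenv("KRB5_CANONICALIZE")` at the top of the added block), and anything other than a case-insensitive `"true"` — including an unset variable or a typo — silently becomes `canonicalize = 0`, so the child cannot distinguish "not configured" from "configured false" and the admin gets no diagnostic. Environment is also process-global, so the value the child sees is whatever the parent last exported before the fork, not necessarily the setting of the domain that issued this request. If the child already receives keytab, principal and realm over its request pipe (not visible in this hunk — please confirm), the flag belongs in that request structure rather than in the environment. A minimal hardening until then is to log the decision, e.g. `DEBUG(7, ("Canonicalization of the host principal is %s\n", canonicalize ? "enabled" : "disabled"));` right before the `sss_krb5_get_init_creds_opt_set_canonicalize` call. ldap_child_get_tgt_sync begins and ends outside the hunk.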
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 8f5b8ac4..9e2c2a4a 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -69,6 +69,7 @@ struct dp_option default_basic_opts[] = {
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
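Review bot: The default registered here for `krb5_canonicalize` is `BOOL_TRUE`, but the manual page text added in the same commit (src/man/sssd-ldap.5.xml) documents `Default: false`; one of the two is wrong, and because sdap_kinit_send always exports the option to the child, the effective behaviour for a plain LDAP domain that never mentions the option is canonicalization on. If false is the intended LDAP default, the line should read `{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },`; otherwise the man page paragraph needs to say `Default: true`. Unrelated but in the same commit, the new man page spells "principal" as "pricipal".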
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 1ea57082..b32560a8 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -183,6 +183,7 @@ enum sdap_basic_opt {
SDAP_KRB5_KINIT,
SDAP_KRB5_KDC,
SDAP_KRB5_REALM,
+ SDAP_KRB5_CANONICALIZE,
SDAP_PWD_POLICY,
SDAP_REFERRALS,
SDAP_ACCOUNT_CACHE_EXPIRATION,
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index e628c7da..5da2cff4 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -92,6 +92,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
const char *keytab,
const char *principal,
const char *realm,
+ bool canonicalize,
int lifetime);
int sdap_kinit_recv(struct tevent_req *req,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index c69b9bce..076e7ee3 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -784,6 +784,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
const char *keytab,
const char *principal,
const char *realm,
+ bool canonicalize,
int lifetime)
{
struct tevent_req *req;
@@ -821,6 +822,18 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
}
}
+ if (canonicalize) {
+ ret = setenv("KRB5_CANONICALIZE", "true", 1);
+ } else {
+ ret = setenv("KRB5_CANONICALIZE", "false", 1);
+ }
+ if (ret == -1) {
+ DEBUG(2, ("Failed to set KRB5_CANONICALIZE to %s\n",
+ ((canonicalize)?"true":"false")));
+ talloc_free(req);
+ return NULL;
+ }
+
subreq = sdap_kinit_next_kdc(req);
if (!subreq) {
talloc_free(req);
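Review bot: The added block passes a per-request option to the child by mutating the process-wide environment with `setenv("KRB5_CANONICALIZE", ...)`; sdap_kinit_send is an asynchronous tevent request, so if two connections with different `krb5_canonicalize` values (for example two domains served by the same backend, if that configuration is possible here — not visible in this hunk) start kinit back to back, the second `setenv` overwrites the first before either child is spawned and the wrong value is inherited. `setenv` is also not thread-safe and the variable lingers for every later child the process forks. The flag should travel with the other per-request data handed to ldap_child (keytab, principal, realm, lifetime are already parameters of this function) rather than through the environment; until it does, a comment such as `/* FIXME: process-global; racy if concurrent kinit requests disagree on canonicalize */` above the `if (canonicalize)` line would at least flag the limitation. The error path is consistent with the existing `if (!subreq)` cleanup just below. sdap_kinit_send continues outside the hunk.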
@@ -1400,6 +1413,8 @@ static void sdap_cli_kinit_step(struct tevent_req *req)
dp_opt_get_string(state->opts->basic,
SDAP_SASL_AUTHID),
realm,
+ dp_opt_get_bool(state->opts->basic,
+ SDAP_KRB5_CANONICALIZE),
dp_opt_get_int(state->opts->basic,
SDAP_KRB5_TICKET_LIFETIME));
if (!subreq) {