From ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Tue, 1 Nov 2011 10:19:04 -0400 Subject: Support to request canonicalization in LDAP/IPA provider https://fedorahosted.org/sssd/ticket/957 --- src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + src/man/sssd-ldap.5.xml | 15 +++++++++++++++ src/providers/ipa/ipa_common.c | 1 + src/providers/ipa/ipa_common.h | 2 +- src/providers/ldap/ldap_child.c | 8 ++++++++ src/providers/ldap/ldap_common.c | 1 + src/providers/ldap/sdap.h | 1 + src/providers/ldap/sdap_async.h | 1 + src/providers/ldap/sdap_async_connection.c | 15 +++++++++++++++ 10 files changed, 45 insertions(+), 1 deletion(-) diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index b5264bac..9ea45285 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -27,6 +27,7 @@ krb5_server = str, None, false krb5_realm = str, None, false krb5_auth_timeout = int, None, false krb5_kpasswd = str, None, false +krb5_canonicalize = bool, None, false ldap_krb5_keytab = str, None, false ldap_krb5_init_creds = bool, None, false ldap_entry_usn = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index 78a7fa34..f76ce19a 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -19,6 +19,7 @@ ldap_sasl_authid = str, None, false krb5_kdcip = str, None, false krb5_server = str, None, false krb5_realm = str, None, false +krb5_canonicalize = bool, None, false ldap_krb5_keytab = str, None, false ldap_krb5_init_creds = bool, None, false ldap_entry_usn = str, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 7cc20ce6..763ccca2 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml 
@@ -1234,6 +1234,21 @@ + + krb5_canonicalize (boolean) + + + Specifies if the host pricipal should be canonicalized + when connecting to LDAP server. This feature is + available with MIT Kerberos >= 1.7 + + + + Default: false + + + + ldap_pwd_policy (string) diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index b68c72b4..8f9d5d77 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -78,6 +78,7 @@ struct dp_option ipa_def_ldap_opts[] = { /* use the same parm name as the krb5 module so we set it only once */ { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 20074b45..40c5e532 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -35,7 +35,7 @@ struct ipa_service { /* the following defines are used to keep track of the options in the ldap * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ -#define IPA_OPTS_BASIC_TEST 52 +#define IPA_OPTS_BASIC_TEST 53 /* the following define is used to keep track of the options in the krb5 * module, so that if they change and ipa is not updated correspondingly diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index b0051fa9..02c7e557 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c 
@@ -139,6 +139,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, char *realm_name = NULL; char *full_princ = NULL; char *default_realm = NULL; + char *tmp_str = NULL; krb5_context context = NULL; krb5_keytab keytab = NULL; krb5_ccache ccache = NULL; @@ -147,6 +148,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, krb5_get_init_creds_opt options; krb5_error_code krberr; krb5_timestamp kdc_time_offset; + int canonicalize = 0; int kdc_time_offset_usec; int ret; @@ -253,6 +255,12 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, krb5_get_init_creds_opt_set_proxiable(&options, 0); krb5_get_init_creds_opt_set_tkt_life(&options, lifetime); + tmp_str = getenv("KRB5_CANONICALIZE"); + if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) { + canonicalize = 1; + } + sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); + krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, keytab, 0, NULL, &options); diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 8f5b8ac4..9e2c2a4a 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -69,6 +69,7 @@ struct dp_option default_basic_opts[] = { /* use the same parm name as the krb5 module so we set it only once */ { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 1ea57082..b32560a8 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h 
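Review bot: The `getenv("KRB5_CANONICALIZE")` lookup in the third hunk needs a comment saying that this variable is a private hand-off from `sdap_kinit_send()` in the parent and not a libkrb5 setting, because its `KRB5_` prefix makes it look like one of the library's own knobs (`KRB5_CONFIG`, `KRB5_KTNAME`) and a reader will go looking for it in the MIT documentation; e.g. `/* Set by sdap_kinit_send() in the parent; not a libkrb5 variable. */`. Anything other than a case-insensitive `true` is treated as off, which is the safe direction, but a stray value is then indistinguishable from an unset one, so a DEBUG line reporting the parsed `canonicalize` value would help when an admin reports the option not taking effect. With canonicalization requested, the KDC may answer with a client principal that differs from `full_princ`; if the remainder of `ldap_child_get_tgt_sync()` (outside this hunk) uses `full_princ` to name or look up the resulting credentials, it should use `my_creds.client` instead. The function starts before and ends after these hunks.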
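Review bot: `krb5_canonicalize` is given `BOOL_TRUE` as both its default and its unset value here (and identically in `ipa_common.c` in this commit), while the sssd-ldap.5 text added by the same commit states `Default: false`, so either the code or the manual is wrong. Enabling canonicalization by default is a behaviour change for every existing LDAP-with-GSSAPI deployment — the AS request now carries the canonicalize flag and the resulting ccache may hold a principal other than the configured `ldap_sasl_authid` — so if the intent is opt-in the line should read `{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },`, and if true is intended the man page needs to say so and the choice deserves a one-line comment here. The `krb5_canonicalize = bool, None, false` entries in the `sssd.api.d` files do not settle it if, as it appears from the neighbouring options, that third field is a mandatory flag rather than a default.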
@@ -183,6 +183,7 @@ enum sdap_basic_opt { SDAP_KRB5_KINIT, SDAP_KRB5_KDC, SDAP_KRB5_REALM, + SDAP_KRB5_CANONICALIZE, SDAP_PWD_POLICY, SDAP_REFERRALS, SDAP_ACCOUNT_CACHE_EXPIRATION, diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index e628c7da..5da2cff4 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -92,6 +92,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx, const char *keytab, const char *principal, const char *realm, + bool canonicalize, int lifetime); int sdap_kinit_recv(struct tevent_req *req, diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index c69b9bce..076e7ee3 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -784,6 +784,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx, const char *keytab, const char *principal, const char *realm, + bool canonicalize, int lifetime) { struct tevent_req *req; @@ -821,6 +822,18 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx, } } + if (canonicalize) { + ret = setenv("KRB5_CANONICALIZE", "true", 1); + } else { + ret = setenv("KRB5_CANONICALIZE", "false", 1); + } + if (ret == -1) { + DEBUG(2, ("Failed to set KRB5_CANONICALIZE to %s\n", + ((canonicalize)?"true":"false"))); + talloc_free(req); + return NULL; + } + subreq = sdap_kinit_next_kdc(req); if (!subreq) { talloc_free(req); @@ -1400,6 +1413,8 @@ static void sdap_cli_kinit_step(struct tevent_req *req) dp_opt_get_string(state->opts->basic, SDAP_SASL_AUTHID), realm, + dp_opt_get_bool(state->opts->basic, + SDAP_KRB5_CANONICALIZE), dp_opt_get_int(state->opts->basic, SDAP_KRB5_TICKET_LIFETIME)); if (!subreq) { -- cgit
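Review bot: Passing the flag through `setenv("KRB5_CANONICALIZE", ...)` in the `@@ -821` hunk mutates the whole back-end process's environment to hand one per-request boolean to `ldap_child`; the value lingers and is inherited by every other helper the back end spawns afterwards, and a failed `setenv` aborts the kinit with a bare `talloc_free(req); return NULL;`, which matches the `!subreq` path below but gives the caller no error code. If `ldap_child` already receives `keytab`, `principal`, `realm` and `lifetime` through the request it is sent (that serialisation is not visible from here), the canonicalize flag belongs in that same message, where it is scoped to the request and needs no environment round-trip. Short of that, a comment such as `/* Consumed by ldap_child via getenv(); not a libkrb5 variable. */` above `if (canonicalize) {` would at least tell the next reader where the variable goes. `sdap_kinit_send()` begins in the preceding hunk and continues past this one.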