URL: https://github.com/freeipa/freeipa/pull/841
Author: sumit-bose
Title: #841: ipa-kdb: use canonical principal in certauth plugin
Action: opened
PR body:
"""
Currently the certauth plugin uses the unmodified principal from the request to look up the user. This might fail if e.g. enterprise principals are used. With this patch the canonical principal from the kdc entry is used.

Resolves https://pagure.io/freeipa/issue/6993
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/841/head:pr841
git checkout pr841
From 9704cdbac06cea8365cc75d2759547daae56aad8 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Thu, 1 Jun 2017 18:17:53 +0200 Subject: [PATCH] ipa-kdb: use canonical principal in certauth plugin Currently the certauth plugin use the unmodified principal from the request to lookup the user. This might fail if e.g. enterprise principals are use. With this patch the canonical principal form the kdc entry is used. Resolves https://pagure.io/freeipa/issue/6993 --- daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c index a53a2ce4e7..0ee9d89c27 100644 --- a/daemons/ipa-kdb/ipa_kdb_certauth.c +++ b/daemons/ipa-kdb/ipa_kdb_certauth.c @@ -274,7 +274,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, } } - ret = krb5_unparse_name(context, princ, &principal); + ret = krb5_unparse_name(context, db_entry->princ, &principal); if (ret != 0) { ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH; goto done;
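Review bot: The changed `krb5_unparse_name` call dereferences `db_entry->princ`, and none of the context lines in this hunk show a check that `db_entry` is non-NULL. If the earlier part of `ipa_certauth_authorize` does not already guarantee that, add a guard before this call that fails closed with an error instead of dereferencing. A short comment on that line saying the canonical principal from the KDC entry is used on purpose, because the request principal `princ` may be an enterprise principal, would keep a later cleanup from switching it back. The commit message could also state what the user lookup now matches against, so it is clear the certificate mapping is evaluated for the canonical name and not the name the client sent.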
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org