On 12/16/2010 08:25 PM, Simo Sorce wrote:

+        (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
+        if((ldap_inst->krb5_principal == NULL)&&
+            (str_len(ldap_inst->krb5_principal) == 0)) {
+            if((ldap_inst->sasl_user == NULL)&&
+                (str_len(ldap_inst->sasl_user) == 0)) {
the above 2 statements seem wrong to me, the original one had:
        if ((cond 1) || (cond 2)) {
while you changed it into:
        if ((cond 1)&&  (cond 2)) {
This fails to do the check that is intended.
You are right. This is bug.

+                char hostname[255];
+                if(gethostname(hostname, 255) != 0) {
+                    log_error("SASL mech GSSAPI defined but
krb5_principal and sasl_user are empty. Could not get hostname");
+                    result = ISC_R_FAILURE;
+                    goto cleanup;
+                } else {
+                    str_sprintf(ldap_inst->krb5_principal, "dns/%s",
hostname);
This should probably be "DNS/%s", Kerberos is generally case sensitive
and t5he default for bind is to use the service name part in all caps.
ACK.

Best regards,

Zoran Pericic

---
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 
5eed8afba7a275a6ebb3a28c707639516ba9af41..d767571daa8e747833d598876541996280544916
 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -128,6 +128,7 @@ struct ldap_instance {
        ldap_auth_t             auth_method;
        ld_string_t             *bind_dn;
        ld_string_t             *password;
+       ld_string_t             *krb5_principal;
        ld_string_t             *sasl_mech;
        ld_string_t             *sasl_user;
        ld_string_t             *sasl_auth_name;
@@ -293,6 +294,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
                { "auth_method", default_string("none")             },
                { "bind_dn",   default_string("")           },
                { "password",  default_string("")           },
+               { "krb5_principal",    default_string("")   },
                { "sasl_mech",         default_string("GSSAPI")     },
                { "sasl_user",         default_string("")           },
                { "sasl_auth_name", default_string("")              },
@@ -330,6 +332,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
        CHECK(str_new(mctx,&ldap_inst->base));
        CHECK(str_new(mctx,&ldap_inst->bind_dn));
        CHECK(str_new(mctx,&ldap_inst->password));
+       CHECK(str_new(mctx,&ldap_inst->krb5_principal));
        CHECK(str_new(mctx,&ldap_inst->sasl_mech));
        CHECK(str_new(mctx,&ldap_inst->sasl_user));
        CHECK(str_new(mctx,&ldap_inst->sasl_auth_name));
@@ -346,6 +349,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
        ldap_settings[i++].target = auth_method_str;
        ldap_settings[i++].target = ldap_inst->bind_dn;
        ldap_settings[i++].target = ldap_inst->password;
+       ldap_settings[i++].target = ldap_inst->krb5_principal;
        ldap_settings[i++].target = ldap_inst->sasl_mech;
        ldap_settings[i++].target = ldap_inst->sasl_user;
        ldap_settings[i++].target = ldap_inst->sasl_auth_name;
@@ -381,12 +385,26 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,

        /* check we have the right data when SASL/GSSAPI is selected */
        if ((ldap_inst->auth_method == AUTH_SASL)&&
-            (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
-               if ((ldap_inst->sasl_user == NULL) ||
-                   (str_len(ldap_inst->sasl_user) == 0)) {
-                       log_error("Sasl mech GSSAPI defined but sasl_user is 
empty");
-                       result = ISC_R_FAILURE;
-                       goto cleanup;
+               (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
+               if ((ldap_inst->krb5_principal == NULL) ||
+                       (str_len(ldap_inst->krb5_principal) == 0)) {
+                       if ((ldap_inst->sasl_user == NULL) ||
+                               (str_len(ldap_inst->sasl_user) == 0)) {
+                               char hostname[255];
+                               if (gethostname(hostname, 255) != 0) {
+                                       log_error("SASL mech GSSAPI defined but 
krb5_principal"
+                                               "and sasl_user are empty. Could not 
get hostname");
+                                       result = ISC_R_FAILURE;
+                                       goto cleanup;
+                               } else {
+                                       str_sprintf(ldap_inst->krb5_principal, 
"DNS/%s", hostname);
+                                       log_debug(2, "SASL mech GSSAPI defined but 
krb5_principal"
+                                               "and sasl_user are empty, using 
default %s",
+                                               
str_buf(ldap_inst->krb5_principal));
+                               }
+                       } else {
+                               str_copy(ldap_inst->krb5_principal, 
ldap_inst->sasl_user);
+                       }
                }
        }

@@ -447,6 +465,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp)
        str_destroy(&ldap_inst->base);
        str_destroy(&ldap_inst->bind_dn);
        str_destroy(&ldap_inst->password);
+       str_destroy(&ldap_inst->krb5_principal);
        str_destroy(&ldap_inst->sasl_mech);
        str_destroy(&ldap_inst->sasl_user);
        str_destroy(&ldap_inst->sasl_auth_name);
@@ -1618,7 +1637,7 @@ ldap_reconnect(ldap_connection_t *ldap_conn)
                        isc_result_t result;
                        LOCK(&ldap_inst->kinit_lock);
                        result = get_krb5_tgt(ldap_inst->mctx,
-                                             str_buf(ldap_inst->sasl_user),
+                                             
str_buf(ldap_inst->krb5_principal),
                                              str_buf(ldap_inst->krb5_keytab));
                        UNLOCK(&ldap_inst->kinit_lock);
                        if (result != ISC_R_SUCCESS)

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to