I think the attached (untested) patch should solve the issue. Is it sufficient, or do we want to change the framework code somehow?
Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 2def215b89343c716dcc88d7f7856734aef2470f Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 10 Sep 2013 14:19:35 -0400
Subject: [PATCH] Add krbticketPolicyAux objectclass if needed

When modifying ticket flags add the objectclass to the object if it is missing.
---
 daemons/ipa-kdb/ipa_kdb.h | 1 +
 daemons/ipa-kdb/ipa_kdb_principals.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index f4d35554cf75c7f33bd61250b7b1ce9e5a16aeb1..56fb176327579e2f09057b4b29d305b563f844e7 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -117,6 +117,7 @@ struct ipadb_e_data {
     struct ipapwd_policy *pol;
     time_t last_admin_unlock;
     char **authz_data;
+    bool has_tktpolaux;
 };
 
 struct ipadb_context *ipadb_get_context(krb5_context kcontext);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 38059d29f36bca387b7ba95250d44259c1681cda..4ad5d56f02965dcb90315e62710e01999ff0ffee 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -468,6 +468,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         ied->ipa_user = true;
     }
 
+    /* check if it has the krbTicketPolicyAux objectclass */
+    ret = ipadb_ldap_attr_has_value(lcontext, lentry,
+                                    "objectClass", "krbTicketPolicyAux");
+    if (ret != 0 && ret != ENOENT) {
+        kerr = ret;
+        goto done;
+    }
+    if (ret == 0) {
+        ied->has_tktpolaux = true;
+    }
+
     ret = ipadb_ldap_attr_to_str(lcontext, lentry,
                                  "krbPwdPolicyReference", &restring);
     switch (ret) {
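Review bot: In the ipa_kdb_principals.c hunk the presence check depends on `ipadb_ldap_attr_has_value` matching the literal "krbTicketPolicyAux", while the directory compares objectClass values case-insensitively, so an entry stored as `krbticketpolicyaux` would be reported as missing unless that helper also compares case-insensitively (its body is not visible here and is worth confirming). A false negative here becomes an attempt to add a duplicate objectClass value on the next ticket-flags modification, which the server rejects, so the check should be no stricter than the directory's own matching rule. It would also help to document the contract of the new field in the ipa_kdb.h hunk, e.g. `/* true when the entry already carries krbTicketPolicyAux; set by ipadb_parse_ldap_entry */`, since ipadb_entry_to_mods relies on it to decide whether to add the class. ipadb_parse_ldap_entry starts and ends outside the hunk.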
@@ -1411,6 +1422,28 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
     /* KADM5_ATTRIBUTES */
     if (entry->mask & KMASK_ATTRIBUTES) {
+        /* if the object does not have the krbTicketPolicyAux class
+         * we need to add it or this will fail, only for modifications.
+         * We always add this objectclass by default when doing an add
+         * from scratch. */
+        if ((mod_op == LDAP_MOD_REPLACE) && entry->e_data) {
+            struct ipadb_e_data *ied;
+
+            ied = (struct ipadb_e_data *)entry->e_data;
+            if (ied->magic != IPA_E_DATA_MAGIC) {
+                kerr = EINVAL;
+                goto done;
+            }
+
+            if (!ied->has_tktpolaux) {
+                kerr = ipadb_get_ldap_mod_str(imods, "objectclass",
+                                              "krbTicketPolicyAux", mod_op);
+                if (kerr) {
+                    goto done;
+                }
+            }
+        }
+
         kerr = ipadb_get_ldap_mod_int(imods, "krbTicketFlags",
                                       (int)entry->attributes,
-- 
1.8.3.1
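Review bot: The objectclass mod inside the `!ied->has_tktpolaux` branch passes `mod_op` through to `ipadb_get_ldap_mod_str`, and the enclosing condition guarantees `mod_op == LDAP_MOD_REPLACE`, so the generated modification replaces the entry's entire objectClass attribute with the single value "krbTicketPolicyAux" rather than adding to it. The server would most likely reject such a modify (no structural class remains), and if it did not, every other objectclass on the principal would be silently dropped. The new class should be added with its own operation regardless of how the flags are written: `kerr = ipadb_get_ldap_mod_str(imods, "objectclass", "krbTicketPolicyAux", LDAP_MOD_ADD);`. ipadb_entry_to_mods starts and ends outside the hunk.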