I think the attached (untested) patch should solve the issue.

Is it sufficient, or do we also want to change the framework code somehow?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 2def215b89343c716dcc88d7f7856734aef2470f Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 10 Sep 2013 14:19:35 -0400
Subject: [PATCH] Add krbticketPolicyAux objectclass if needed

When modifying ticket flags add the objectclass to the object if it is missing.
---
 daemons/ipa-kdb/ipa_kdb.h            |  1 +
 daemons/ipa-kdb/ipa_kdb_principals.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index f4d35554cf75c7f33bd61250b7b1ce9e5a16aeb1..56fb176327579e2f09057b4b29d305b563f844e7 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -117,6 +117,7 @@ struct ipadb_e_data {
     struct ipapwd_policy *pol;
     time_t last_admin_unlock;
     char **authz_data;
+    bool has_tktpolaux;
 };
 
 struct ipadb_context *ipadb_get_context(krb5_context kcontext);
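Review bot: The new `has_tktpolaux` field at the end of `struct ipadb_e_data` has no comment saying what it records or who sets it, and the only writer in this patch sets it to true without ever clearing it, so its meaning depends on the structure being zero-initialized at allocation (not visible here). I would document both facts on the field: `bool has_tktpolaux; /* entry already carries the krbTicketPolicyAux objectclass; set by ipadb_parse_ldap_entry, relies on the struct being zero-initialized */`. The struct definition begins outside this hunk.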
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 38059d29f36bca387b7ba95250d44259c1681cda..4ad5d56f02965dcb90315e62710e01999ff0ffee 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -468,6 +468,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         ied->ipa_user = true;
     }
 
+    /* check if it has the krbTicketPolicyAux objectclass */
+    ret = ipadb_ldap_attr_has_value(lcontext, lentry,
+                                    "objectClass", "krbTicketPolicyAux");
+    if (ret != 0 && ret != ENOENT) {
+        kerr = ret;
+        goto done;
+    }
+    if (ret == 0) {
+        ied->has_tktpolaux = true;
+    }
+
     ret = ipadb_ldap_attr_to_str(lcontext, lentry,
                                  "krbPwdPolicyReference", &restring);
     switch (ret) {
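Review bot: The objectClass probe passes the mixed-case literal `"krbTicketPolicyAux"`, but LDAP objectClass values are case-insensitive and the server may return them in whatever case they were stored; whether this matches depends on `ipadb_ldap_attr_has_value` comparing case-insensitively, which is not visible in this hunk. If it uses a plain `strcmp`, an entry that already has the class would be reported as lacking it and the later modify would try to add it again and fail with an "attribute or value exists" style error. I would confirm the helper uses `strcasecmp` and note that on the call: `/* objectClass values are case-insensitive; helper must compare accordingly */`. Note also that `ied->has_tktpolaux` is only ever set true here, so a stale or non-zeroed `ied` would keep the flag from a previous parse.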
@@ -1411,6 +1422,28 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
 
     /* KADM5_ATTRIBUTES */
     if (entry->mask & KMASK_ATTRIBUTES) {
+        /* if the object does not have the krbTicketPolicyAux class
+         * we need to add it or this will fail, only for modifications.
+         * We always add this objectclass by default when doing an add
+         * from scratch. */
+        if ((mod_op == LDAP_MOD_REPLACE) && entry->e_data) {
+            struct ipadb_e_data *ied;
+
+            ied = (struct ipadb_e_data *)entry->e_data;
+            if (ied->magic != IPA_E_DATA_MAGIC) {
+                kerr = EINVAL;
+                goto done;
+            }
+
+            if (!ied->has_tktpolaux) {
+                kerr = ipadb_get_ldap_mod_str(imods, "objectclass",
+                                              "krbTicketPolicyAux", mod_op);
+                if (kerr) {
+                    goto done;
+                }
+            }
+        }
+
         kerr = ipadb_get_ldap_mod_int(imods,
                                       "krbTicketFlags",
                                       (int)entry->attributes,
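Review bot: The objectclass is added with `mod_op`, which in this branch is always `LDAP_MOD_REPLACE`; a replace on `objectclass` with the single value `krbTicketPolicyAux` asks the server to drop every other objectclass on the entry (including its structural class), so the modify will either be rejected as an objectclass violation or, if accepted, strip the principal of its other classes. The operation needs to be an add regardless of how the ticket flags are written: `"krbTicketPolicyAux", LDAP_MOD_ADD);`. Entries modified without `e_data` still skip this block and keep failing exactly as before, which may be worth stating in the comment. `ipadb_entry_to_mods` continues past the end of this hunk.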
-- 
1.8.3.1
