Work-in-progress patchset for https://fedorahosted.org/freeipa/ticket/3864

I didn't even format the patches according to the guidelines, since I will certainly get many comments from Simo/Alexander and do a lot of reworking. But I hope I'm at least on the right track.

--
Martin^3 Babinsky
From 913bc484c1d00d62a5ab7f31546fec87cc1b8c43 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 18:01:57 +0200
Subject: [PATCH 8/8] add case-insensitive matching rule to krbprincipalname
 index

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/indices.ldif        |  2 ++
 install/updates/20-indices.update | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 8c4913b569eb8be740090e1665349608be4ae932..081c15e48094f1df8cf6b8613730e6c56f9c16b9 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -6,6 +6,8 @@ cn:krbPrincipalName
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:sub
+nsMatchingRule: caseIgnoreIA5Match
+nsMatchingRule: caseExactIA5Match
 
 dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 9c12e0cb804066feaa7e9e3f93a06018a8d43ddd..f39310a304d37614526a425e43751bc492fa7c67 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -231,3 +231,13 @@ default:ObjectClass: top
 default:ObjectClass: nsIndex
 only:nsIndexType: eq
 only:nsIndexType: pres
+
+dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: krbPrincipalName
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsMatchingRule: caseIgnoreIA5Match
+only: nsMatchingRule: caseExactIA5Match
+only:nsIndexType: eq
+only:nsIndexType: sub
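Review bot: The two new matching-rule lines are written `only: nsMatchingRule: ...` with a space after the action prefix, while every neighbouring line uses `only:nsIndexType:` with none; unless the update parser strips that whitespace the attribute name will not match, so write them as `only:nsMatchingRule: caseIgnoreIA5Match` and `only:nsMatchingRule: caseExactIA5Match`. Adding a matching rule to an existing index only becomes usable after krbPrincipalName is reindexed; if the updater does not schedule a reindex task for modified cn=index entries on its own, an upgraded server will run the case-insensitive lookup introduced in patch 1/8 unindexed until someone reindexes by hand, which is worth a sentence in the description and possibly an explicit reindex step here. The fresh-install counterpart in indices.ldif is consistent with the surrounding LDIF and needs no change.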
-- 
2.4.3

From 9a838dba6713d1b5eef73fd6c9dee210f1c86458 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:52:40 +0200
Subject: [PATCH 7/8] always set krbcanonicalname attribute on new principals
 created using IPA API

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 ipalib/plugins/baseuser.py |  3 ++-
 ipalib/plugins/host.py     |  4 +++-
 ipalib/plugins/service.py  | 16 ++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py
index ed7c1a9d360a89ce0640dd63e748596993bb8b6c..ed880441b0f2bb768f957a7a31590b6b4d58cfc1 100644
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -29,7 +29,7 @@ from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import DN, LDAPObject, \
     LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve
-from ipalib.plugins.service import validate_certificate
+from ipalib.plugins.service import validate_certificate, set_krbcanonicalname
 from ipalib.plugins import baseldap
 from ipalib.request import context
 from ipalib import _, ngettext
@@ -483,6 +483,7 @@ class baseuser_add(LDAPCreate):
     """
     def pre_common_callback(self, ldap, dn, entry_attrs, **options):
         assert isinstance(dn, DN)
+        set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, **options):
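Review bot: `set_krbcanonicalname(entry_attrs)` only has an effect if `krbprincipalname` is already present in `entry_attrs` when `pre_common_callback` runs, and whether the concrete `user_add`/`stageuser_add` pre-callbacks populate it before delegating here is outside the hunk. A comment at the call site would make that ordering contract explicit, e.g. `# relies on the caller's pre_callback having set krbprincipalname already`. If it is not guaranteed for staged users, the canonical name is silently left unset, since the helper returns without error in that case.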
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 532ff66607911cfd8e1a3407b0f361641bb7992b..bf363017d4c42c058c9bc9f1dd1997d75591e3fb 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -33,7 +33,8 @@ from ipalib.plugins.baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
 from ipalib.plugins.service import (split_principal, validate_certificate,
     set_certificate_attrs, ticket_flags_params, update_krbticketflags,
     set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
-    rename_ipaallowedtoperform_to_ldap, revoke_certs)
+    rename_ipaallowedtoperform_to_ldap, revoke_certs,
+    set_krbcanonicalname)
 from ipalib.plugins.dns import (dns_container_exists, _record_types,
         add_records_for_host_validation, add_records_for_host,
         get_reverse_zone)
@@ -633,6 +634,7 @@ class host_add(LDAPCreate):
                 entry_attrs['objectclass'].append('krbprincipalaux')
             if 'krbprincipal' not in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].append('krbprincipal')
+            set_krbcanonicalname(entry_attrs)
         else:
             if 'krbprincipalaux' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipalaux')
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 0e188dad4a215a6882cf2a458e0bd1de80f4c58a..74e0f0dc716534b7fd2eb476cff1d1e0f3ba0f1d 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -361,6 +361,19 @@ def set_kerberos_attrs(entry_attrs, options):
         if name in options or all_opt:
             entry_attrs[name] = bool(ticket_flags & value)
 
+
+def set_krbcanonicalname(entry_attrs):
+    objectclasses = set(entry_attrs.get('objectclass', []))
+
+    if 'krbprincipalaux' not in objectclasses:
+        return
+
+    krbprincipalnames = entry_attrs.get('krbprincipalname', [])
+
+    if isinstance(krbprincipalnames, unicode):
+        entry_attrs['krbcanonicalname'] = krbprincipalnames
+
+
 def rename_ipaallowedtoperform_from_ldap(entry_attrs, options):
     if options.get('raw', False):
         return
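Review bot: `set_krbcanonicalname` silently does nothing when `krbprincipalname` is missing or arrives as a single-element list instead of a `unicode` scalar, so a caller that builds the attribute as a list (the host_add and baseuser_add call sites in this patch pass whatever their pre-callbacks produced) ends up with a principal the KDC cannot canonicalize and no error. It also overwrites a `krbcanonicalname` that may already be in `entry_attrs`; `setdefault` keeps an explicit value. The function has no docstring; the rewrite below adds one, normalizes the one-element list case and keeps an existing canonical name.
```python
def set_krbcanonicalname(entry_attrs):
    """Default krbcanonicalname to the entry's krbprincipalname.

    No-op when the entry does not carry the krbprincipalaux object class
    or has no single principal name; an already present krbcanonicalname
    is left untouched.
    """
    if 'krbprincipalaux' not in set(entry_attrs.get('objectclass', [])):
        return

    names = entry_attrs.get('krbprincipalname')
    # the add commands may hand over a scalar or a one-element list
    if isinstance(names, (list, tuple)) and len(names) == 1:
        names = names[0]

    if isinstance(names, unicode):
        entry_attrs.setdefault('krbcanonicalname', names)
```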
@@ -554,6 +567,9 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
+        # set krbcanonicalname attribute to enable principal canonicalization
+        set_krbcanonicalname(entry_attrs)
+
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
 
         return dn
-- 
2.4.3

From 9eec3295ba402d2208e15850b1e4a8d17f784f44 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:49:51 +0200
Subject: [PATCH 6/8] ipa-enrollment: set krbCanonicalName attribute on
 enrolled host entry

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index a3dcf08a6bc97932e0dfe815e45aee9ec8460a63..26cbb69d713767909fd62fb77e7defdd323ec7ac 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -142,6 +142,7 @@ ipa_join(Slapi_PBlock *pb)
 
     int scope = LDAP_SCOPE_SUBTREE;
     char *principal = NULL;
+    char *princ_canonical = NULL;
     struct berval retbval;
 
     if (NULL == realm) {
@@ -271,6 +272,16 @@ ipa_join(Slapi_PBlock *pb)
     slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbPrincipalName", principal);
     slapi_mods_add_string(smods, LDAP_MOD_ADD, "objectClass", "krbPrincipalAux");
 
+    /* check for krbCanonicalName attribute. If not present, set it to same
+     * value as krbPrincipalName*/
+    princ_canonical = slapi_entry_attr_get_charptr(targetEntry,
+                                                   "krbCanonicalName");
+
+    if (NULL == princ_canonical) {
+        slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbCanonicalName",
+                              principal);
+    }
+
     pbtm = slapi_pblock_new();
     slapi_modify_internal_set_pb (pbtm, slapi_entry_get_dn_const(targetEntry),
         slapi_mods_get_ldapmods_byref(smods),
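Review bot: `princ_canonical` is fetched only to test for presence, so the allocation and the matching cleanup in the later hunk of this file can go: `if (!slapi_entry_attr_exists(targetEntry, "krbCanonicalName")) { slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbCanonicalName", principal); }`. If the copy is kept, the SLAPI API documents `slapi_ch_free_string(&princ_canonical)` rather than plain `free()` for values returned by `slapi_entry_attr_get_charptr`; it also accepts a NULL pointer, so the `if (princ_canonical)` guard in the cleanup hunk becomes unnecessary. The new comment is missing a space before its closing marker; `value as krbPrincipalName. */` reads better.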
@@ -325,6 +336,10 @@ free_and_return:
 
     free(principal);
 
+    if (princ_canonical) {
+        free(princ_canonical);
+    }
+
     return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
 }
 
-- 
2.4.3

From 0d15ad3150a9aef80d82e4d006b011c158ead62f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:47:28 +0200
Subject: [PATCH 5/8] ipa-kdb: set krbCanonicalName attribute when creating new
 principals

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 895df7ea5127344a040ec87308450e93a513fe2e..ea81cf3950fcef3a3fb3f48f24a17999f7f43f72 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1580,6 +1580,11 @@ static krb5_error_code ipadb_principal_to_mods(krb5_context kcontext,
     if (kerr) {
         goto done;
     }
+    kerr = ipadb_get_ldap_mod_str(imods, "krbCanonicalName",
+                                  principal, mod_op);
+    if (kerr) {
+        goto done;
+    }
 
     kerr = 0;
 
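Review bot: The new `krbCanonicalName` mod is emitted with the caller's `mod_op`, and if `ipadb_principal_to_mods` is also reached on the modify path with `LDAP_MOD_REPLACE` (its callers are outside the hunk) every principal update now rewrites the canonical name to whatever name the request used, which for an entry addressed through an alias would silently change which principal it canonicalizes to. The subject says "when creating new principals"; if that is the intent, guard it with `if (mod_op == LDAP_MOD_ADD)` around the new call, or explain in a comment why replacing on modify is wanted. Either way a one-line comment such as `/* new principals get a canonical name equal to their primary krbPrincipalName */` would document the choice.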
-- 
2.4.3

From b57534c114fad77796746ec4286877b01e75037f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:43:30 +0200
Subject: [PATCH 4/8] do not set ipakrbprincipal/ipakrbprincipalalias when
 creating new service

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 ipalib/plugins/service.py | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 39285dd5df41486c89e3e8ddc318d7df7d18594e..0e188dad4a215a6882cf2a458e0bd1de80f4c58a 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -554,15 +554,6 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
-        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
-        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
-        # schema
-        entry_attrs['ipakrbprincipalalias'] = keys[-1]
-
-        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
-        # in a list of default objectclasses, add it manually
-        entry_attrs['objectclass'].append('ipakrbprincipal')
-
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
 
         return dn
-- 
2.4.3

From ca680d3bd89a72510317bdd71e26514d74aae57d Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:36:47 +0200
Subject: [PATCH 3/8] do not set ipakrbprincipal and ipakrbprinicipalalias on
 new prinicipals

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 6b53b6ececb756581e21724b2fb2b503a1ad6969..895df7ea5127344a040ec87308450e93a513fe2e 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -40,7 +40,6 @@
 static char *std_principal_attrs[] = {
     "krbPrincipalName",
     "krbCanonicalName",
-    "ipaKrbPrincipalAlias",
     "krbUPEnabled",
     "krbPrincipalKey",
     "krbTicketPolicyReference",
@@ -88,7 +87,6 @@ static char *std_principal_obj_classes[] = {
     "krbprincipal",
     "krbprincipalaux",
     "krbTicketPolicyAux",
-    "ipakrbprincipal",
 
     NULL
 };
@@ -1582,11 +1580,6 @@ static krb5_error_code ipadb_principal_to_mods(krb5_context kcontext,
     if (kerr) {
         goto done;
     }
-    kerr = ipadb_get_ldap_mod_str(imods, "ipaKrbPrincipalAlias",
-                                  principal, mod_op);
-    if (kerr) {
-        goto done;
-    }
 
     kerr = 0;
 
-- 
2.4.3

From bbfc9d9f6290721cbbbfcdc817aee4542cb501c6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 16:51:23 +0200
Subject: [PATCH 2/8] mark 'ipaKrbPrincipalAlias' attribute as deprecated in
 schema

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/61kerberos-ipav3.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/share/61kerberos-ipav3.ldif b/install/share/61kerberos-ipav3.ldif
index dcdaa5d08b66474ed0dec3db32682137bf56c0b8..c81ce51dfe5ffbdb60797d667c5960c7eef96ce7 100644
--- a/install/share/61kerberos-ipav3.ldif
+++ b/install/share/61kerberos-ipav3.ldif
@@ -1,3 +1,3 @@
 dn: cn=schema
-attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'DEPRECATED - DO NOT USE' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
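Review bot: The DESC now marks `ipaKrbPrincipalAlias` as deprecated, but the `ipaKrbPrincipal` object class on the context line directly below still lists it under MUST, so any existing entry that keeps that object class must continue to carry a value and the server will refuse to remove it. Either relax the object class to `MAY ( ipaKrbPrincipalAlias )` in the same patch, or state in the description that the object class is deliberately left strict until existing entries are migrated off it.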
-- 
2.4.3

From ebfc70ee96ed537062c9e767c1c82d263edecaf8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 16:45:23 +0200
Subject: [PATCH 1/8] perform case-insensitive principal search when
 canonicalization is requested

When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in the backend, not the one input by the client.

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index b3f8b1ad7784f55f55b4d6edd05f778a9389de27..6b53b6ececb756581e21724b2fb2b503a1ad6969 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -31,7 +31,7 @@
                                     "(objectclass=krbprincipal)" \
                                     "(objectclass=ipakrbprincipal))" \
                                     "(|(ipakrbprincipalalias=%s)" \
-                                      "(krbprincipalname=%s)))"
+                                      "(krbprincipalname:caseIgnoreIA5Match:=%s)))"
 
 #define PRINC_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
                                 "(objectclass=krbprincipal))" \
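Review bot: The `%s` in the rewritten filter term is still the client-supplied principal name, and an extensible-match term needs exactly the same filter escaping as the equality it replaces, so please confirm the caller keeps passing the escaped value (the `asprintf` site is outside the hunk). The `caseIgnoreIA5Match` rule also depends on the matching-rule index added in patch 8/8 being present and rebuilt; without it every lookup through this filter becomes an unindexed search over krbPrincipalName, so the description should state the upgrade ordering. The macro's name is above the hunk, so I cannot verify from here that it is only used on the alias/canonicalization path the description refers to; a comment on the macro naming that restriction would help, e.g. `/* only used when the KDC asked for alias lookup; krbprincipalname is matched case-insensitively */`.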
@@ -865,6 +865,16 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
                 found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
             }
             if (found) {
+                /* replace the incoming principal with the value got from LDAP
+                 * search. This is needed so that correctly case principal is
+                 * returned in the case when canonicalization is switched on
+                 * and no krbcanonicalname attribute is present in the entry.
+                 */
+                free(*principal);
+                *principal = strdup(vals[i]->bv_val);
+                if (!(*principal)) {
+                    return KRB5_KDB_INTERNAL_ERROR;
+                }
                 break;
             }
         }
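Review bot: The `return KRB5_KDB_INTERNAL_ERROR` on `strdup` failure leaves the loop without running whatever cleanup follows it; `vals` looks like the result of an `ldap_get_values_len` call above the hunk and would then leak, and `*principal` has already been freed, so the caller receives a NULL it may not expect. Copy first and free second, record the error in the function's existing error variable and `break` so the normal exit path releases `vals`; the rewritten lines are below (ipadb_find_principal starts and ends outside the hunk, so the post-loop check on the error variable is assumed to exist there). The replacement also runs on the exact-match path where `strcmp` succeeded and the stored value is already identical, so restricting it to the alias/canonicalization branch would avoid an allocation on every ordinary lookup.
```c
            if (found) {
                /* Hand back the principal in the casing stored in LDAP, so the
                 * correctly cased name is returned when canonicalization is on
                 * and the entry has no krbCanonicalName. Copy before freeing so
                 * a failed strdup does not leave *principal dangling. */
                char *stored = strdup(vals[i]->bv_val);
                if (!stored) {
                    kerr = KRB5_KDB_INTERNAL_ERROR;
                    break; /* fall through to the function's cleanup of vals */
                }
                free(*principal);
                *principal = stored;
                break;
            }
```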
-- 
2.4.3
