On 09/09/15 15:59, Simo Sorce wrote:
On Wed, 2015-09-09 at 10:52 +0200, Martin Babinsky wrote:
              if (found) {
+                /* replace the incoming principal with the value got
from LDAP
+                 * search. This is needed so that correctly case
principal is
+                 * returned in the case when canonicalization is
switched on
+                 * and no krbcanonicalname attribute is present in
the entry.
+                 */
+                free(*principal);
+                *principal = strdup(vals[i]->bv_val);
+                if (!(*principal)) {
+                    return KRB5_KDB_INTERNAL_ERROR;
+                }
                  break;



This unconditionally replaces the principal even when canonicalization
is not requested. Shouldn't this replace be conditional on
KRB5_KDB_FLAGS_ALIAS_OK being set ?

Simo.


It's not obvious from first look but it actually depends on the KRB5_KDB_FLAGS_ALIAS_OK. When KRB5_KDB_FLAGS_ALIAS_OK is true the 'found' variable is the result of case-insensitive comparison.
When it's false 'found' variable is the result of case-sensitive comparison.
In case of case-sensitive match we're replacing the principal with the exactly same value though effectively not changing it.

--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to