These patches implement the plumbing required to properly support canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.

--
Martin^3 Babinsky
From 4832fa024a3083f6cce3c151ab29ae99a696fcf1 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 2 Oct 2015 18:05:03 +0200
Subject: [PATCH 09/09] account for added krbcanonicalname attribute during
 xmlrpc tests

https://fedorahosted.org/freeipa/ticket/3864
---
 ipatests/test_xmlrpc/objectclasses.py         | 1 -
 ipatests/test_xmlrpc/test_host_plugin.py      | 4 +++-
 ipatests/test_xmlrpc/test_service_plugin.py   | 4 ++--
 ipatests/test_xmlrpc/test_stageuser_plugin.py | 5 ++++-
 ipatests/test_xmlrpc/test_user_plugin.py      | 7 +++++--
 5 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1cd77c7f885fe408d0d9d48fc6d8284900c91b7f..206cb3689a97623f5144686b23a9a3f56c113560 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -100,7 +100,6 @@ service = [
     u'ipaobject',
     u'ipaservice',
     u'pkiuser',
-    u'ipakrbprincipal',
     u'top',
 ]
 
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index bba86492e98d098d4c0bbd42de58e96b9b570e1d..efd9403f0028a7ae45261cabcb4f490b94d7db66 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -122,7 +122,8 @@ class HostTracker(Tracker):
         'ipaallowedtoperform_write_keys_hostgroup'}
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid',
-        u'managing_host', u'objectclass', u'serverhostname'}
+        u'managing_host', u'objectclass', u'serverhostname',
+        u'krbcanonicalname'}
     create_keys = retrieve_keys | {'objectclass', 'ipauniqueid',
                                    'randompassword'}
     update_keys = retrieve_keys - {'dn'}
@@ -178,6 +179,7 @@ class HostTracker(Tracker):
             description=[self.description],
             l=[self.location],
             krbprincipalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
+            krbcanonicalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
             objectclass=objectclasses.host,
             ipauniqueid=[fuzzy_uuid],
             managedby_host=[self.fqdn],
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 78ba60a691a625d3fdce2ea0df0f2aef9ef3caac..6c399ed62b9ec52000ab155fbcd5a387c6135fc2 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -236,7 +236,7 @@ class test_service(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
-                    ipakrbprincipalalias=[service1],
+                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
@@ -278,7 +278,7 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
-                        ipakrbprincipalalias=[service1],
+                        krbcanonicalname=[service1],
                         objectclass=objectclasses.service,
                         ipauniqueid=[fuzzy_uuid],
                         has_keytab=False,
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index b09ef6e84cd95a32061b07d833c5a39f1750f80b..d19bbdf450085b55a02b68ac5ebbb091ae7dc227 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -103,7 +103,8 @@ class StageUserTracker(Tracker):
         u'st', u'mobile', u'pager', }
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipauniqueid', u'objectclass', u'description',
-        u'displayname', u'gecos', u'initials', u'krbprincipalname', u'manager'}
+        u'displayname', u'gecos', u'initials', u'krbprincipalname',
+        u'krbcanonicalname', u'manager'}
 
     create_keys = retrieve_all_keys | {
         u'objectclass', u'ipauniqueid', u'randompassword',
@@ -170,6 +171,7 @@ class StageUserTracker(Tracker):
             uidnumber=[u'-1'],
             gidnumber=[u'-1'],
             krbprincipalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
+            krbcanonicalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
             mail=[u'%s@%s' % (self.uid, self.api.env.domain)],
             gecos=[u'%s %s' % (self.givenname, self.sn)],
             loginshell=[u'/bin/sh'],
@@ -183,6 +185,7 @@ class StageUserTracker(Tracker):
                 self.attrs[key] = [u'%s@%s' % (
                     (self.kwargs[key].split('@'))[0].lower(),
                     (self.kwargs[key].split('@'))[1])]
+                self.attrs[u'krbcanonicalname'] = self.attrs[key]
             elif key == u'manager':
                 self.attrs[key] = [unicode(get_user_dn(self.kwargs[key]))]
             elif key == u'ipasshpubkey':
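Review bot: `self.attrs[u'krbcanonicalname'] = self.attrs[key]` stores the very list object that `self.attrs[key]` holds, so any later in-place change to the tracker's krbprincipalname (for example once alias support lands, as the cover letter anticipates) silently changes the expected krbcanonicalname as well. If the two are meant to stay independent, copy instead: `self.attrs[u'krbcanonicalname'] = list(self.attrs[key])`. The enclosing method starts before this hunk, so I am inferring from the `split('@')` normalisation above that this branch only runs for `key == u'krbprincipalname'`.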
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index b4355261f45087631b2509c70f4408a40e541922..c3d61b75aa8f893381564e8b83bc4c66ec8cc8cf 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -126,6 +126,7 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[],
             mepmanagedentry=[get_group_dn(uid)],
             objectclass=add_oc(objectclasses.user, u'ipantuserattrs'),
             krbprincipalname=[u'%s@%s' % (uid, api.env.realm)],
+            krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)]
         )
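Review bot: The new `krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)]` entry is the last item of the `dict(...)` literal but carries no trailing comma, unlike the `krbprincipalname` line it follows, so the next attribute added here will touch two lines; `krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)],`. The enclosing `get_user_result` begins before this hunk.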
     if operation in ('show', 'show-all', 'find', 'mod'):
         result.update(
@@ -1666,7 +1667,8 @@ class UserTracker(Tracker):
 
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipauniqueid', u'objectclass', u'mepmanagedentry',
-        u'displayname', u'gecos', u'initials', u'krbprincipalname', u'manager'}
+        u'displayname', u'gecos', u'initials', u'krbprincipalname',
+        u'krbcanonicalname', u'manager'}
 
     retrieve_preserved_keys = retrieve_keys - {u'memberof_group'}
     retrieve_preserved_all_keys = retrieve_all_keys - {u'memberof_group'}
@@ -1740,7 +1742,7 @@ class UserTracker(Tracker):
         return self.make_command('user_enable', self.uid)
 
     def make_stage_command(self):
-	""" Make function that restores preserved user by moving it to
+        """ Make function that restores preserved user by moving it to
             staged container """
         return self.make_command('user_stage', self.uid)
 
@@ -1761,6 +1763,7 @@ class UserTracker(Tracker):
             uidnumber=[fuzzy_digits],
             gidnumber=[fuzzy_digits],
             krbprincipalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
+            krbcanonicalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
             mail=[u'%s@%s' % (self.uid, self.api.env.domain)],
             gecos=[u'%s %s' % (self.givenname, self.sn)],
             loginshell=[u'/bin/sh'],
-- 
2.4.3

From b1a300fc873b7fe7e5681d69fbf3c4c39fb85c02 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 9 Sep 2015 14:09:43 +0200
Subject: [PATCH 08/09] set krbcanonicalname on host entry during krbinstance
 configuration

part of https://fedorahosted.org/freeipa/ticket/3864
---
 ipaserver/install/krbinstance.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 864615d96648e4431d508c7b35a43e5298be4f9d..391fbc74c3564925d936f76d1e81454712dbb61f 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -103,6 +103,7 @@ class KrbInstance(service.Service):
             krbextradata=service_entry['krbextradata'],
             krblastpwdchange=service_entry['krblastpwdchange'],
             krbprincipalname=service_entry['krbprincipalname'],
+            krbcanonicalname=service_entry['krbcanonicalname'],
             krbprincipalkey=service_entry['krbprincipalkey'],
             serverhostname=[self.fqdn.split('.',1)[0]],
             cn=[self.fqdn],
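Review bot: `krbcanonicalname=service_entry['krbcanonicalname']` raises KeyError when the service entry being turned into a host entry predates this series and has no krbCanonicalName, which is exactly the situation on an upgraded replica; the sibling `krbprincipalname` lookup has no such problem because that attribute always exists. Falling back to the principal name keeps the upgrade path working: `krbcanonicalname=service_entry.get('krbcanonicalname', service_entry['krbprincipalname']),`, assuming `service_entry` is the usual dict-like LDAP entry. The enclosing method starts before this hunk.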
-- 
2.4.3

From 0b01506cb310d631a7089d73c9d8f1bd62bf2e20 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:43:30 +0200
Subject: [PATCH 07/09] IPA API: set krbcanonicalname instead of
 ipakrbprincipalalias on new entities

Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 ipalib/plugins/baseuser.py  |  3 ++-
 ipalib/plugins/host.py      |  4 +++-
 ipalib/plugins/service.py   | 22 ++++++++++++++--------
 ipalib/plugins/stageuser.py |  7 +++++++
 4 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py
index b974e3fb18659e7eb6e75557e0d4db3ec1197dcd..1e7aa6de28b7ff1c7ae3116466c32ad50531b313 100644
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -29,7 +29,7 @@ from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import DN, LDAPObject, \
     LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve
-from ipalib.plugins.service import validate_certificate
+from ipalib.plugins.service import validate_certificate, set_krbcanonicalname
 from ipalib.plugins import baseldap
 from ipalib.request import context
 from ipalib import _, ngettext
@@ -486,6 +486,7 @@ class baseuser_add(LDAPCreate):
     """
     def pre_common_callback(self, ldap, dn, entry_attrs, **options):
         assert isinstance(dn, DN)
+        set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, **options):
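Review bot: `pre_common_callback` now carries Kerberos-specific logic but has no docstring, and since subclasses must call it from their own `pre_callback` (stageuser_add does so elsewhere in this series) a reader cannot tell when it is expected to run. Suggested docstring: `"""Shared pre-add hook for user and stageuser: derive krbcanonicalname from krbprincipalname and convert usercertificate values; call only after objectclass is populated."""`. The ordering caveat matters because `set_krbcanonicalname` indexes `entry_attrs['objectclass']` unconditionally.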
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index bceab314b8acb496e885a889311e026cabfb2a47..fa7949a96c3a64589e49a1e31567c454eee70f39 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -35,7 +35,8 @@ from ipalib.plugins.baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
 from ipalib.plugins.service import (split_principal, validate_certificate,
     set_certificate_attrs, ticket_flags_params, update_krbticketflags,
     set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
-    rename_ipaallowedtoperform_to_ldap, revoke_certs)
+    rename_ipaallowedtoperform_to_ldap, revoke_certs,
+    set_krbcanonicalname)
 from ipalib.plugins.dns import (dns_container_exists, _record_types,
         add_records_for_host_validation, add_records_for_host,
         get_reverse_zone)
@@ -638,6 +639,7 @@ class host_add(LDAPCreate):
                 entry_attrs['objectclass'].append('krbprincipalaux')
             if 'krbprincipal' not in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].append('krbprincipal')
+            set_krbcanonicalname(entry_attrs)
         else:
             if 'krbprincipalaux' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipalaux')
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index d63e00bea0dd9a69fd550916337a8cc1a88a93fb..38f13c0abd50b0db99f5951a95a71d8b73fbff00 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -365,6 +365,18 @@ def set_kerberos_attrs(entry_attrs, options):
         if name in options or all_opt:
             entry_attrs[name] = bool(ticket_flags & value)
 
+
+def set_krbcanonicalname(entry_attrs):
+    objectclasses = set(i.lower() for i in entry_attrs['objectclass'])
+
+    if 'krbprincipalaux' not in objectclasses:
+        return
+
+    if ('krbprincipalname' in entry_attrs
+            and 'krbcanonicalname' not in entry_attrs):
+        entry_attrs['krbcanonicalname'] = entry_attrs['krbprincipalname']
+
+
 def rename_ipaallowedtoperform_from_ldap(entry_attrs, options):
     if options.get('raw', False):
         return
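Review bot: `set_krbcanonicalname` has no docstring and indexes `entry_attrs['objectclass']` unconditionally, so a caller whose entry has no objectclass yet gets a KeyError instead of the quiet no-op that the `krbprincipalaux` guard suggests; `objectclasses = set(i.lower() for i in entry_attrs.get('objectclass', ()))` keeps the intended skip-when-not-a-principal behaviour, assuming `entry_attrs` is the usual dict-like entry. The docstring should state the contract: only entries carrying krbprincipalaux are touched, an existing krbcanonicalname is never overwritten, and the final assignment stores the same object as krbprincipalname (list or string), so later in-place edits to one show up in the other. The silent `return` for non-Kerberos entries is fine as long as that is written down.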
@@ -558,14 +570,8 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
-        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
-        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
-        # schema
-        entry_attrs['ipakrbprincipalalias'] = keys[-1]
-
-        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
-        # in a list of default objectclasses, add it manually
-        entry_attrs['objectclass'].append('ipakrbprincipal')
+        # set krbcanonicalname attribute to enable principal canonicalization
+        set_krbcanonicalname(entry_attrs)
 
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
 
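Review bot: The removed block derived the alias from `keys[-1]`, the normalised principal key, whereas `set_krbcanonicalname(entry_attrs)` copies whatever `entry_attrs['krbprincipalname']` holds at this point; if those two can differ (for example in case) the canonical name should come from the normalised key, so please confirm they are identical here. The new comment could also record where case-insensitive lookup now lives, since the deleted comment explained exactly that: `# set krbcanonicalname to enable principal canonicalization; case-insensitive lookup now relies on the caseIgnoreIA5Match index on krbprincipalname`. service_add.pre_callback continues outside this hunk.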
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index 00fba1f8329e638a304e3f70d10b89aaf38aaebc..c662fc669508f203732331056e6749c69c569859 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -36,6 +36,7 @@ from ipalib.plugins.baseuser import baseuser, baseuser_add, baseuser_del, \
     NO_UPG_MAGIC, radius_dn2pk, \
     baseuser_pwdchars, fix_addressbook_permission_bindrule, normalize_principal, validate_principal, \
     baseuser_output_params, status_baseuser_output_params
+from ipalib.plugins.service import set_krbcanonicalname
 
 from ipalib.request import context
 from ipalib import _, ngettext
@@ -371,6 +372,8 @@ class stageuser_add(baseuser_add):
                 answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl)
                 entry_attrs['ipatokenradiusconfiglink'] = answer
 
+        self.pre_common_callback(ldap, dn, entry_attrs, **options)
+
         return dn
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -392,6 +395,8 @@ class stageuser_add(baseuser_add):
         self.obj.get_password_attributes(ldap, dn, entry_attrs)
         convert_sshpubkey_post(ldap, dn, entry_attrs)
         radius_dn2pk(self.api, entry_attrs)
+
+        self.post_common_callback(ldap, dn, entry_attrs, **options)
         return dn
 
 @register()
@@ -518,6 +523,8 @@ class stageuser_activate(LDAPQuery):
         if 'krbprincipalname' not in entry_from:
             entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0], api.env.realm)
 
+        set_krbcanonicalname(entry_to)
+
     def __dict_new_entry(self, *args, **options):
         ldap = self.obj.backend
 
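Review bot: `set_krbcanonicalname(entry_to)` copies `entry_to['krbprincipalname']`, which the line above sets as a bare string while `stageuser_add` and the test trackers use single-element lists, so the resulting krbcanonicalname is a string too. If the LDAP layer accepts both this is harmless, but storing the list form consistently avoids surprises: `entry_to['krbprincipalname'] = [u'%s@%s' % (entry_from['uid'][0], api.env.realm)]`. It is also not visible here whether a krbcanonicalname already present on the staged entry is carried into `entry_to` before this call; if it is not, a canonical name set while staged is replaced by the principal name on activation. The enclosing method starts before this hunk.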
-- 
2.4.3

From fe457882325f7dd702fdd679e83ee961c908f066 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:49:51 +0200
Subject: [PATCH 06/09] ipa-enrollment: set krbCanonicalName attribute on
 enrolled host entry

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index a3dcf08a6bc97932e0dfe815e45aee9ec8460a63..26cbb69d713767909fd62fb77e7defdd323ec7ac 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -142,6 +142,7 @@ ipa_join(Slapi_PBlock *pb)
 
     int scope = LDAP_SCOPE_SUBTREE;
     char *principal = NULL;
+    char *princ_canonical = NULL;
     struct berval retbval;
 
     if (NULL == realm) {
@@ -271,6 +272,16 @@ ipa_join(Slapi_PBlock *pb)
     slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbPrincipalName", principal);
     slapi_mods_add_string(smods, LDAP_MOD_ADD, "objectClass", "krbPrincipalAux");
 
+    /* check for krbCanonicalName attribute. If not present, set it to same
+     * value as krbPrincipalName*/
+    princ_canonical = slapi_entry_attr_get_charptr(targetEntry,
+                                                   "krbCanonicalName");
+
+    if (NULL == princ_canonical) {
+        slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbCanonicalName",
+                              principal);
+    }
+
     pbtm = slapi_pblock_new();
     slapi_modify_internal_set_pb (pbtm, slapi_entry_get_dn_const(targetEntry),
         slapi_mods_get_ldapmods_byref(smods),
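Review bot: `slapi_entry_attr_get_charptr(targetEntry, "krbCanonicalName")` allocates a copy of the value only so it can be compared with NULL, and the copy is never read; a presence check such as `slapi_entry_attr_find(targetEntry, "krbCanonicalName", &attr) != 0` (or `slapi_entry_attr_exists` where the slapi version provides it) avoids both the allocation and the extra cleanup at the end of the function. The new comment also lacks a space before `*/`. If the allocation is kept, the string came from the slapi allocator and should be released through it rather than plain `free()`, see the next hunk.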
@@ -325,6 +336,10 @@ free_and_return:
 
     free(principal);
 
+    if (princ_canonical) {
+        free(princ_canonical);
+    }
+
     return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
 }
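Review bot: `princ_canonical` was allocated by `slapi_entry_attr_get_charptr`, whose result belongs to the slapi allocator, so releasing it with `free()` pairs the wrong allocator with the pointer and only works while slapi's allocation is a thin wrapper over malloc. `slapi_ch_free_string(&princ_canonical);` is the matching call; it accepts NULL itself and so replaces the whole three-line block. The pre-existing `free(principal)` above is untouched by this patch; whether it has the same issue depends on how `principal` is allocated outside the hunk.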
 
-- 
2.4.3

From 94446f34e8788a84939b2610b9c1a58e40080ea3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:36:47 +0200
Subject: [PATCH 05/09] ipa-kdb: set krbCanonicalName when creating new
 principals

Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 771c49e329582ff5eb54d1b1c1142caa69ade4ae..b7cb51c4df41aaa599b1b753bdb92112a8d21dfa 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -40,7 +40,6 @@
 static char *std_principal_attrs[] = {
     "krbPrincipalName",
     "krbCanonicalName",
-    "ipaKrbPrincipalAlias",
     "krbUPEnabled",
     "krbPrincipalKey",
     "krbTicketPolicyReference",
@@ -88,7 +87,6 @@ static char *std_principal_obj_classes[] = {
     "krbprincipal",
     "krbprincipalaux",
     "krbTicketPolicyAux",
-    "ipakrbprincipal",
 
     NULL
 };
@@ -1583,7 +1581,7 @@ static krb5_error_code ipadb_principal_to_mods(krb5_context kcontext,
     if (kerr) {
         goto done;
     }
-    kerr = ipadb_get_ldap_mod_str(imods, "ipaKrbPrincipalAlias",
+    kerr = ipadb_get_ldap_mod_str(imods, "krbCanonicalName",
                                   principal, mod_op);
     if (kerr) {
         goto done;
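Review bot: `ipadb_get_ldap_mod_str(imods, "krbCanonicalName", principal, mod_op)` writes krbCanonicalName unconditionally with the principal name the operation was addressed to; unlike the alias it replaces, the canonical name is the single value canonicalization resolves to, so if `ipadb_principal_to_mods` (which begins before this hunk) is also reached for modifications of existing entries with `mod_op` set to a replace, an administrator-chosen canonical name, or the canonical of an entry addressed through an alias, would be overwritten on every write. Please confirm this path is only taken for newly created principals, as the commit subject says, or restrict the mod to that case. A comment recording the assumption would help either way: `/* new principals only: krbCanonicalName defaults to the principal name */`.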
-- 
2.4.3

From 0dcd6af259c623806b20bf355fe7d87fa5a877ec Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 15 Sep 2015 12:22:55 +0200
Subject: [PATCH 04/09] add krbCanonicalName to attributes watched by MODRDN
 plugin

https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/modrdn-krbprinc.ldif | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install/share/modrdn-krbprinc.ldif b/install/share/modrdn-krbprinc.ldif
index b35ea25f49b1bbe853d81a574f02c8cd66c4addc..562a8106cf47daae7d141e8d460b5780f3ede4d2 100644
--- a/install/share/modrdn-krbprinc.ldif
+++ b/install/share/modrdn-krbprinc.ldif
@@ -9,3 +9,14 @@ ipaModRDNtargetAttr: krbPrincipalName
 ipaModRDNsuffix: @$REALM
 ipaModRDNfilter: (&(objectclass=posixaccount)(objectclass=krbPrincipalAux))
 ipaModRDNscope: $SUFFIX
+
+dn: cn=Kerberos Canonical Name,cn=IPA MODRDN,cn=plugins,cn=config
+changetype: add
+objectclass: top
+objectclass: extensibleObject
+cn: Kerberos Canonical Name
+ipaModRDNsourceAttr: uid
+ipaModRDNtargetAttr: krbCanonicalName
+ipaModRDNsuffix: @$REALM
+ipaModRDNfilter: (&(objectclass=posixaccount)(objectclass=krbPrincipalAux))
+ipaModRDNscope: $SUFFIX
-- 
2.4.3

From 6ae96bcbcb25f094641db7547c367ef3bac2fce4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 18:01:57 +0200
Subject: [PATCH 03/09] add case-insensitive matching rule to krbprincipalname
 index

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/indices.ldif        |  2 ++
 install/updates/20-indices.update | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 8c4913b569eb8be740090e1665349608be4ae932..e399c6ef259b4541b661a1d4bedf751631efa8ea 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -6,6 +6,8 @@ cn:krbPrincipalName
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:sub
+nsMatchingRule:caseIgnoreIA5Match
+nsMatchingRule:caseExactIA5Match
 
 dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 9c12e0cb804066feaa7e9e3f93a06018a8d43ddd..f39310a304d37614526a425e43751bc492fa7c67 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -231,3 +231,13 @@ default:ObjectClass: top
 default:ObjectClass: nsIndex
 only:nsIndexType: eq
 only:nsIndexType: pres
+
+dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: krbPrincipalName
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsMatchingRule: caseIgnoreIA5Match
+only: nsMatchingRule: caseExactIA5Match
+only:nsIndexType: eq
+only:nsIndexType: sub
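Review bot: The two new `only: nsMatchingRule:` lines have a space after `only:` while every neighbouring line (`only:nsIndexType: eq`) has none; unless the update-file parser strips whitespace around the action and attribute tokens this yields an attribute named ` nsMatchingRule`, so please write them as `only:nsMatchingRule: caseIgnoreIA5Match` and `only:nsMatchingRule: caseExactIA5Match` for consistency either way. It is also worth confirming that changing the matching rules of an existing index triggers a reindex of krbPrincipalName on upgrade, since the case-insensitive extensible-match search in the ipa-kdb change of this series is only indexed once that has happened.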
-- 
2.4.3

From 2c750702c3af6705f3c4d920c34456c0edca0317 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 16:51:23 +0200
Subject: [PATCH 02/09] mark 'ipaKrbPrincipalAlias' attribute as deprecated in
 schema

part of https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/61kerberos-ipav3.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/share/61kerberos-ipav3.ldif b/install/share/61kerberos-ipav3.ldif
index dcdaa5d08b66474ed0dec3db32682137bf56c0b8..c81ce51dfe5ffbdb60797d667c5960c7eef96ce7 100644
--- a/install/share/61kerberos-ipav3.ldif
+++ b/install/share/61kerberos-ipav3.ldif
@@ -1,3 +1,3 @@
 dn: cn=schema
-attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'DEPRECATED - DO NOT USE' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
-- 
2.4.3

From 7d9b2d452d94749e13bea94307e3b1a029a617e1 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 16:45:23 +0200
Subject: [PATCH 01/09] perform case-insensitive principal search when
 canonicalization is requested

When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in the backend, not the one supplied by the client.

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index b3f8b1ad7784f55f55b4d6edd05f778a9389de27..771c49e329582ff5eb54d1b1c1142caa69ade4ae 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -31,7 +31,7 @@
                                     "(objectclass=krbprincipal)" \
                                     "(objectclass=ipakrbprincipal))" \
                                     "(|(ipakrbprincipalalias=%s)" \
-                                      "(krbprincipalname=%s)))"
+                                      "(krbprincipalname:caseIgnoreIA5Match:=%s)))"
 
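Review bot: The extensible-match clause `(krbprincipalname:caseIgnoreIA5Match:=%s)` is only served by an index once the `caseIgnoreIA5Match` matching rule from this series' indices change is present and the attribute has been reindexed; on an installation where that has not happened yet, every canonicalizing request becomes an unindexed scan of the subtree, which deserves a comment next to the `#define` (whose start lies before this hunk): `/* requires the caseIgnoreIA5Match index on krbprincipalname; unindexed otherwise */`. Separately, krbPrincipalName itself stays case-sensitive, so two entries whose principals differ only in case would both satisfy this filter; unless uniqueness is enforced case-insensitively elsewhere, which entry a canonicalizing lookup resolves to then depends on result order. Please confirm that situation cannot occur or is handled by the caller.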
 #define PRINC_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
                                 "(objectclass=krbprincipal))" \
@@ -861,6 +861,17 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
                                 NULL, NULL, &result) != 0)
                     return KRB5_KDB_INTERNAL_ERROR;
                 found = (result == 0);
+                if (found) {
+                    /* replace the incoming principal with the value having
+                     * the correct case. This ensures that valid name/alias
+                     * is returned even if krbCanonicalName is not present
+                     */
+                    free(*principal);
+                    *principal = strdup(vals[i]->bv_val);
+                    if (!(*principal)) {
+                        return KRB5_KDB_INTERNAL_ERROR;
+                    }
+                }
             } else {
                 found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
             }
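Review bot: `free(*principal)` followed by `*principal = strdup(vals[i]->bv_val)` assumes `*principal` is malloc-owned, but the caller of `ipadb_find_principal` (outside this hunk) may have produced it with `krb5_unparse_name` and release it with `krb5_free_unparsed_name`, which pairs correctly only because MIT's free routine happens to be `free()`; please confirm the ownership or state it in a comment: `/* *principal must be malloc-owned: it is replaced with a strdup'd copy here */`. On the strdup failure path `*principal` is left NULL, which the caller must tolerate, and if the earlier `return KRB5_KDB_INTERNAL_ERROR` exits in this function release `result`/`vals` this one should do the same. `ipadb_find_principal` begins before this hunk.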
-- 
2.4.3
