On 10/05/2015 03:00 PM, Martin Babinsky wrote:
These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.




Long time no see.

I am attaching rebased infrastructure patches which were reviewed and tested by David a year ago :). Now that all related DS bugs were fixed and the patches still work as expected, we may push them so that the plumbing for further work (API for alias handling etc.) is in place.

--
Martin^3 Babinsky
From 1e506e7aa72612f22aadca3894506e324b761596 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 16:45:23 +0200
Subject: [PATCH 01/12] perform case-insensitive principal search when
 canonicalization is requested

When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d4adf27f2de7c7ccd050063e779a30fdae35bc83..34807240213efb86fe8bb9fb7c0cc720bed31077 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -31,7 +31,7 @@
                                     "(objectclass=krbprincipal)" \
                                     "(objectclass=ipakrbprincipal))" \
                                     "(|(ipakrbprincipalalias=%s)" \
-                                      "(krbprincipalname=%s)))"
+                                      "(krbprincipalname:caseIgnoreIA5Match:=%s)))"
 
 #define PRINC_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
                                 "(objectclass=krbprincipal))" \
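Review bot: The extensible match `krbprincipalname:caseIgnoreIA5Match:=%s` is only served by an index once the `nsMatchingRule: caseIgnoreIA5Match` entries later in this series are applied; until then every canonicalising KDC lookup becomes an unindexed scan of the principal container, which on a large directory is a KDC latency and load concern, so the index update should land together with (or before) this change and the upgrade ordering noted in the commit message. The `%s` substitution of a client-supplied principal into the filter is pre-existing, but the new matching-rule syntax does not relax the need for the value to be filter-escaped before it is formatted in, so it is worth confirming that the caller still does that. The macro being edited starts outside the hunk.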
@@ -959,6 +959,17 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
                                 NULL, NULL, &result) != 0)
                     return KRB5_KDB_INTERNAL_ERROR;
                 found = (result == 0);
+                if (found) {
+                    /* replace the incoming principal with the value having
+                     * the correct case. This ensures that valid name/alias
+                     * is returned even if krbCanonicalName is not present
+                     */
+                    free(*principal);
+                    *principal = strdup(vals[i]->bv_val);
+                    if (!(*principal)) {
+                        return KRB5_KDB_INTERNAL_ERROR;
+                    }
+                }
             } else {
                 found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
             }
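Review bot: `free(*principal)` runs before the replacement is known to exist, so a failed `strdup` returns `KRB5_KDB_INTERNAL_ERROR` with the caller's `*principal` already freed and set to NULL, which the caller (outside the hunk) may not expect for an in/out parameter; allocate first and swap only on success: `char *canon = strdup(vals[i]->bv_val); if (!canon) return KRB5_KDB_INTERNAL_ERROR; free(*principal); *principal = canon;`. This also relies on `*principal` having been allocated with the malloc family by whoever calls `ipadb_find_principal`, which the hunk cannot show, and the early `return` inside the loop appears to skip whatever releases `vals` after it, so that error path may also leak the value array. A one-line comment above the `if (found)` stating that ownership of `*principal` is taken over and the buffer may be replaced would make the contract visible to callers.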
-- 
2.5.5

From 5d0bb8247111cb31e1ca79099a6b614d13d9766b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 16:51:23 +0200
Subject: [PATCH 02/12] mark 'ipaKrbPrincipalAlias' attribute as deprecated in
 schema

part of https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/61kerberos-ipav3.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/share/61kerberos-ipav3.ldif b/install/share/61kerberos-ipav3.ldif
index dcdaa5d08b66474ed0dec3db32682137bf56c0b8..c81ce51dfe5ffbdb60797d667c5960c7eef96ce7 100644
--- a/install/share/61kerberos-ipav3.ldif
+++ b/install/share/61kerberos-ipav3.ldif
@@ -1,3 +1,3 @@
 dn: cn=schema
-attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'DEPRECATED - DO NOT USE' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
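Review bot: The `ipaKrbPrincipal` objectclass on the context line still lists `ipaKrbPrincipalAlias` under MUST, so changing the description to `DEPRECATED - DO NOT USE` does not let entries that carry that objectclass drop the attribute; existing service entries, which the later service plugin change stops adding the objectclass to but does not migrate, will keep requiring the alias. If the attribute is meant to disappear eventually, the objectclass definition needs the MUST moved to MAY in a follow-up schema update, and the commit message could state that existing entries are intentionally left untouched.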
-- 
2.5.5

From 2597fa5e013c4cf292c1cf33203199559dd9e939 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 18:01:57 +0200
Subject: [PATCH 03/12] add case-insensitive matching rule to krbprincipalname
 index

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/indices.ldif        |  2 ++
 install/updates/20-indices.update | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 4ea4a876ded5fdf3972924d8a86e4fec3ae5ed92..642c2f7aee78b684b3e451c2595e4f18950e449e 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -6,6 +6,8 @@ cn:krbPrincipalName
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:sub
+nsMatchingRule:caseIgnoreIA5Match
+nsMatchingRule:caseExactIA5Match
 
 dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index fe0845e989f7a1b1343190337d76240446a9d3c9..b05dc6ff8d98469e9cf0025679755c6679225516 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -239,3 +239,13 @@ default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 only:nsIndexType: eq
 only:nsIndexType: pres
+
+dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: krbPrincipalName
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsMatchingRule: caseIgnoreIA5Match
+only: nsMatchingRule: caseExactIA5Match
+only:nsIndexType: eq
+only:nsIndexType: sub
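Review bot: `only: nsMatchingRule: caseIgnoreIA5Match` and `only: nsMatchingRule: caseExactIA5Match` carry a space between the action and the attribute name, unlike `only:nsIndexType: eq` in the same entry and every existing line in this file; unless the updater strips whitespace from the attribute token, these two lines either fail to parse or target an attribute named ` nsMatchingRule`, silently leaving upgraded servers without the index that the case-insensitive KDB filter earlier in this series depends on. Use `only:nsMatchingRule: caseIgnoreIA5Match` and `only:nsMatchingRule: caseExactIA5Match` to match the surrounding form.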
-- 
2.5.5

From f75a33576e1e681ad1dc49ff89760cb223aa609c Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 15 Sep 2015 12:22:55 +0200
Subject: [PATCH 04/12] add krbCanonicalName to attributes watched by MODRDN
 plugin

https://fedorahosted.org/freeipa/ticket/3864
---
 install/share/modrdn-krbprinc.ldif | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install/share/modrdn-krbprinc.ldif b/install/share/modrdn-krbprinc.ldif
index b35ea25f49b1bbe853d81a574f02c8cd66c4addc..562a8106cf47daae7d141e8d460b5780f3ede4d2 100644
--- a/install/share/modrdn-krbprinc.ldif
+++ b/install/share/modrdn-krbprinc.ldif
@@ -9,3 +9,14 @@ ipaModRDNtargetAttr: krbPrincipalName
 ipaModRDNsuffix: @$REALM
 ipaModRDNfilter: (&(objectclass=posixaccount)(objectclass=krbPrincipalAux))
 ipaModRDNscope: $SUFFIX
+
+dn: cn=Kerberos Canonical Name,cn=IPA MODRDN,cn=plugins,cn=config
+changetype: add
+objectclass: top
+objectclass: extensibleObject
+cn: Kerberos Canonical Name
+ipaModRDNsourceAttr: uid
+ipaModRDNtargetAttr: krbCanonicalName
+ipaModRDNsuffix: @$REALM
+ipaModRDNfilter: (&(objectclass=posixaccount)(objectclass=krbPrincipalAux))
+ipaModRDNscope: $SUFFIX
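Review bot: The new `Kerberos Canonical Name` plugin entry is only added to the fresh-install template; the diffstat for this series shows no matching file under install/updates, so on an upgraded server a uid rename would keep `krbPrincipalName` in sync through the existing entry while `krbCanonicalName` stays at the old value, which defeats the canonicalisation this series introduces. Confirm that an update file (or another mechanism) installs this entry on existing deployments, or add one alongside this change. The filter and scope are copied verbatim from the existing entry above, which looks intended.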
-- 
2.5.5

From fde1f163915bb1d7837bf3fdfe321a842aa1bb6c Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:36:47 +0200
Subject: [PATCH 05/12] ipa-kdb: set krbCanonicalName when creating new
 principals

Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 34807240213efb86fe8bb9fb7c0cc720bed31077..f1d3e9e89c2016b8a9ebad9c0c6fd46487a33a4b 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -40,7 +40,6 @@
 static char *std_principal_attrs[] = {
     "krbPrincipalName",
     "krbCanonicalName",
-    "ipaKrbPrincipalAlias",
     "krbUPEnabled",
     "krbPrincipalKey",
     "krbTicketPolicyReference",
@@ -89,7 +88,6 @@ static char *std_principal_obj_classes[] = {
     "krbprincipal",
     "krbprincipalaux",
     "krbTicketPolicyAux",
-    "ipakrbprincipal",
 
     NULL
 };
@@ -1755,7 +1753,7 @@ static krb5_error_code ipadb_principal_to_mods(krb5_context kcontext,
     if (kerr) {
         goto done;
     }
-    kerr = ipadb_get_ldap_mod_str(imods, "ipaKrbPrincipalAlias",
+    kerr = ipadb_get_ldap_mod_str(imods, "krbCanonicalName",
                                   principal, mod_op);
     if (kerr) {
         goto done;
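Review bot: `ipadb_principal_to_mods` now writes `krbCanonicalName` from `principal` for whatever `mod_op` it is called with; if this path is also taken for modifications (the function takes `mod_op`, but its start and callers are outside the hunk), an entry whose canonical name deliberately differs from the principal being written would have it overwritten. Worth confirming the write is reached only on create, or guarding it so the canonical name is set once rather than on every modification. A short comment on the call, such as `/* new entries get a canonical name equal to the principal; aliases are added separately */`, would record the intent.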
-- 
2.5.5

From c3c3abb62c565df0f1aad72950b2334ed15d072f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:49:51 +0200
Subject: [PATCH 06/12] ipa-enrollment: set krbCanonicalName attribute on
 enrolled host entry

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index a3dcf08a6bc97932e0dfe815e45aee9ec8460a63..26cbb69d713767909fd62fb77e7defdd323ec7ac 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -142,6 +142,7 @@ ipa_join(Slapi_PBlock *pb)
 
     int scope = LDAP_SCOPE_SUBTREE;
     char *principal = NULL;
+    char *princ_canonical = NULL;
     struct berval retbval;
 
     if (NULL == realm) {
@@ -271,6 +272,16 @@ ipa_join(Slapi_PBlock *pb)
     slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbPrincipalName", principal);
     slapi_mods_add_string(smods, LDAP_MOD_ADD, "objectClass", "krbPrincipalAux");
 
+    /* check for krbCanonicalName attribute. If not present, set it to same
+     * value as krbPrincipalName*/
+    princ_canonical = slapi_entry_attr_get_charptr(targetEntry,
+                                                   "krbCanonicalName");
+
+    if (NULL == princ_canonical) {
+        slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbCanonicalName",
+                              principal);
+    }
+
     pbtm = slapi_pblock_new();
     slapi_modify_internal_set_pb (pbtm, slapi_entry_get_dn_const(targetEntry),
         slapi_mods_get_ldapmods_byref(smods),
@@ -325,6 +336,10 @@ free_and_return:
 
     free(principal);
 
+    if (princ_canonical) {
+        free(princ_canonical);
+    }
+
     return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
 }
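Review bot: `princ_canonical` is returned by `slapi_entry_attr_get_charptr()`, which hands back a copy made by the SLAPI allocator, so releasing it with `free()` mixes allocators; use `slapi_ch_free_string(&princ_canonical);`, which also accepts NULL so the surrounding `if` can go. Since the earlier hunk only uses the value as a presence test before deciding to add `krbCanonicalName`, `slapi_entry_attr_exists(targetEntry, "krbCanonicalName")` would avoid the allocation and this cleanup altogether. The `free(principal)` above is pre-existing and not part of this change.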
 
-- 
2.5.5

From 82188c94ff53abd4ee904fc844115b5dc982ddbd Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 8 Sep 2015 17:43:30 +0200
Subject: [PATCH 07/12] IPA API: set krbcanonicalname instead of
 ipakrbprincipalalias on new entities

Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.

Part of https://fedorahosted.org/freeipa/ticket/3864
---
 ipalib/util.py                 | 11 +++++++++++
 ipaserver/plugins/baseuser.py  |  2 ++
 ipaserver/plugins/host.py      |  2 ++
 ipaserver/plugins/service.py   | 10 ++--------
 ipaserver/plugins/stageuser.py |  3 +++
 5 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 8435f7ab6e8fd66caacb1641a4ef5409382637c5..67865eb04e85ffaf34475f0324cc9cc0703cf45b 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -901,3 +901,14 @@ def validate_bind_forwarder(ugettext, forwarder):
             return _('%(port)s is not a valid port' % dict(port=port))
 
     return None
+
+
+def set_krbcanonicalname(entry_attrs):
+    objectclasses = set(i.lower() for i in entry_attrs['objectclass'])
+
+    if 'krbprincipalaux' not in objectclasses:
+        return
+
+    if ('krbprincipalname' in entry_attrs
+            and 'krbcanonicalname' not in entry_attrs):
+        entry_attrs['krbcanonicalname'] = entry_attrs['krbprincipalname']
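Review bot: `set_krbcanonicalname` has no docstring and copies the whole `krbprincipalname` value into `krbcanonicalname`; since `krbCanonicalName` is single-valued in the Kerberos schema, this will be rejected by the directory once an entry carries several principal names, which is exactly what this series prepares for, and callers in this series pass both a list (host, service) and a bare string (`stageuser_activate`), so the helper should normalise to one value rather than assume a shape. It also raises `KeyError` for an entry without an `objectclass` key; `objectclasses = {i.lower() for i in entry_attrs.get('objectclass', [])}` keeps the early return working in that case. A docstring along the lines of `"""Set krbcanonicalname to the principal name for krbprincipalaux entries that lack one; no-op otherwise."""` would state the contract.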
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index bbea403d9782fcbe486af07215ad67ee83eb9b58..7bb2e8a6360a6d04eaf0390239eafa0763f9d57c 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -39,6 +39,7 @@ from ipalib.util import (
     remove_sshpubkey_from_output_post,
     remove_sshpubkey_from_output_list_post,
     add_sshpubkey_to_attrs_pre,
+    set_krbcanonicalname
 )
 
 if six.PY3:
@@ -497,6 +498,7 @@ class baseuser_add(LDAPCreate):
     def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                             **options):
         assert isinstance(dn, DN)
+        set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 15805a3d2292dcf176ec52afdd3885563eea1210..8afb5eee6215a5d39ff20da0bf26bc1d5111af49 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -50,6 +50,7 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
     remove_sshpubkey_from_output_list_post,
     normalize_hostname,
     hostname_validator,
+    set_krbcanonicalname
 )
 from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
 from ipapython.dnsutil import DNSName
@@ -632,6 +633,7 @@ class host_add(LDAPCreate):
                 entry_attrs['objectclass'].append('krbprincipalaux')
             if 'krbprincipal' not in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].append('krbprincipal')
+            set_krbcanonicalname(entry_attrs)
         else:
             if 'krbprincipalaux' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipalaux')
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b8f2a7aa8711bc8bf6f2e42c5794c8cf358f252..ac6a0495d32f73d7e468500f4836aa24d68a0382 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -576,14 +576,8 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
-        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
-        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
-        # schema
-        entry_attrs['ipakrbprincipalalias'] = keys[-1]
-
-        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
-        # in a list of default objectclasses, add it manually
-        entry_attrs['objectclass'].append('ipakrbprincipal')
+        # set krbcanonicalname attribute to enable principal canonicalization
+        util.set_krbcanonicalname(entry_attrs)
 
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
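Review bot: `util.set_krbcanonicalname(entry_attrs)` is called through the module name while baseuser, host and stageuser import the function by name; assuming `from ipalib import util` is already present in service.py (its import block is not in the diff) this works, but `set_krbcanonicalname(entry_attrs)` with a by-name import keeps the four call sites uniform and makes the dependency visible at the top of the file. The removed comment explained that the alias existed for case-insensitive searches; the KDC path is now covered by the extensible match added earlier in this series, but whether API-level lookups of service principals are still case-insensitive is not shown here and deserves a sentence in the commit message. Existing service entries keep `ipakrbprincipal` and their alias value, which is fine if intended but should be stated.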
 
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 86b1935f33f9fbe6354f7fbfc8b6bb1bdb7fe7b4..9d5d40453a4a741d1e9a23c6a8239972d2e39b86 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -44,6 +44,7 @@ from .baseuser import (
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
+from ipalib.util import set_krbcanonicalname
 from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
@@ -532,6 +533,8 @@ class stageuser_activate(LDAPQuery):
         if 'krbprincipalname' not in entry_from:
             entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0], api.env.realm)
 
+        set_krbcanonicalname(entry_to)
+
     def __dict_new_entry(self, *args, **options):
         ldap = self.obj.backend
 
-- 
2.5.5

From 0320a5ce4b9be04155b4d7e4c6a6bce91b67660a Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 9 Sep 2015 14:09:43 +0200
Subject: [PATCH 08/12] set krbcanonicalname on host entry during krbinstance
 configuration

part of https://fedorahosted.org/freeipa/ticket/3864
---
 ipaserver/install/krbinstance.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index f560a6ec4c2e4ce931cc1552976db5900a3fa5cd..d3b5d68341232895ce9394522404609fc9674f31 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -97,6 +97,7 @@ class KrbInstance(service.Service):
             krbextradata=service_entry['krbextradata'],
             krblastpwdchange=service_entry['krblastpwdchange'],
             krbprincipalname=service_entry['krbprincipalname'],
+            krbcanonicalname=service_entry['krbcanonicalname'],
             krbprincipalkey=service_entry['krbprincipalkey'],
             serverhostname=[self.fqdn.split('.',1)[0]],
             cn=[self.fqdn],
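Review bot: `service_entry['krbcanonicalname']` raises `KeyError` if the ldap service entry was created by code predating this series and so lacks the attribute, which looks possible on replica installs and upgrades, whereas the neighbouring attributes have always been written; `krbcanonicalname=service_entry.get('krbcanonicalname', service_entry['krbprincipalname'])` keeps the host entry consistent in both cases, or the entry should be migrated before this runs. The enclosing call starts outside the hunk, so whether `service_entry` is a plain dict or an LDAPEntry with the same `.get` semantics should be checked.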
-- 
2.5.5

From 34a9d83a01a0842f7c57337fdc05e57e22865f65 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 2 Oct 2015 18:05:03 +0200
Subject: [PATCH 09/12] account for added krbcanonicalname attribute during
 xmlrpc tests

https://fedorahosted.org/freeipa/ticket/3864
---
 ipatests/test_xmlrpc/objectclasses.py            | 1 -
 ipatests/test_xmlrpc/test_host_plugin.py         | 1 +
 ipatests/test_xmlrpc/test_service_plugin.py      | 9 +++++++--
 ipatests/test_xmlrpc/test_user_plugin.py         | 1 +
 ipatests/test_xmlrpc/tracker/host_plugin.py      | 4 +++-
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 5 ++++-
 ipatests/test_xmlrpc/tracker/user_plugin.py      | 5 +++--
 7 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 134a08803f3abca1124c4d26274d9e3fc981b941..7050de289760ede29d057e42658c2f68d8506249 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -100,7 +100,6 @@ service = [
     u'ipaobject',
     u'ipaservice',
     u'pkiuser',
-    u'ipakrbprincipal',
     u'top',
 ]
 
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index e6fc68a15cb9e7176979148462c469d1a737b040..4ddabefff14e61e8e2f33c0dbcb55f657330c438 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -357,6 +357,7 @@ class TestHostWithService(XMLRPC_test):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
+                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     managedby_host=[host.fqdn],
                     ipauniqueid=[fuzzy_uuid],
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 0a38e3d653ed0b3083301b1ca9a5f252f9bbaa4b..3009521c3b2d9c496bff4e11b96838ce50a2eefa 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -193,6 +193,7 @@ class test_service(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
+                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
@@ -238,7 +239,7 @@ class test_service(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
-                    ipakrbprincipalalias=[service1],
+                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
@@ -261,6 +262,7 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
+                        krbcanonicalname=service1,
                         managedby_host=[fqdn1],
                         has_keytab=False,
                     ),
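Review bot: `krbcanonicalname=service1` on the new line is a bare string while the sibling `krbprincipalname=[service1]` and the same attribute in the earlier expected results in this file are lists; the hunks adding `krbcanonicalname=service1` to the other find results in this file have the same mismatch. Unless the declarative framework normalises scalars against list-valued attributes, these expectations will not match the actual output; `krbcanonicalname=[service1],` matches the form used elsewhere in this patch.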
@@ -280,6 +282,7 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
+                        krbcanonicalname=service1,
                         has_keytab=False,
                     ),
                 ],
@@ -298,7 +301,7 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
-                        ipakrbprincipalalias=[service1],
+                        krbcanonicalname=service1,
                         objectclass=objectclasses.service,
                         ipauniqueid=[fuzzy_uuid],
                         has_keytab=False,
@@ -713,6 +716,7 @@ class test_service_in_role(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
+                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
@@ -917,6 +921,7 @@ class test_service_allowed_to(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
+                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index dbfdb4c083fafada48455c60ac0470443a1c9b90..6d58c53aa6041f5c23bf7e337432e242fe010536 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -976,6 +976,7 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[],
             mepmanagedentry=[get_group_dn(uid)],
             objectclass=add_oc(objectclasses.user, u'ipantuserattrs'),
             krbprincipalname=[u'%s@%s' % (uid, api.env.realm)],
+            krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)]
         )
     if operation in ('show', 'show-all', 'find', 'mod'):
         result.update(
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py
index d54901fa5f8e5d38619161826a3b5887f563b828..21088f22c963f1f001d4b04ac5d945bff0c0228a 100644
--- a/ipatests/test_xmlrpc/tracker/host_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/host_plugin.py
@@ -37,7 +37,8 @@ class HostTracker(Tracker):
         'ipaallowedtoperform_write_keys_hostgroup'}
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid',
-        u'managing_host', u'objectclass', u'serverhostname'}
+        u'krbcanonicalname', u'managing_host', u'objectclass',
+        u'serverhostname'}
     create_keys = retrieve_keys | {'objectclass', 'ipauniqueid',
                                    'randompassword'}
     update_keys = retrieve_keys - {'dn'}
@@ -98,6 +99,7 @@ class HostTracker(Tracker):
             description=[self.description],
             l=[self.location],
             krbprincipalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
+            krbcanonicalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
             objectclass=objectclasses.host,
             ipauniqueid=[fuzzy_uuid],
             managedby_host=[self.fqdn],
diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 73b33c62694f4482806c519f1f12615064b35d85..c741e3eb44f7b3d175daef4b78cc10f616ef0188 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -47,7 +47,8 @@ class StageUserTracker(Tracker):
         u'st', u'mobile', u'pager', }
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipauniqueid', u'objectclass', u'description',
-        u'displayname', u'gecos', u'initials', u'krbprincipalname', u'manager'}
+        u'displayname', u'gecos', u'initials', u'krbcanonicalname',
+        u'krbprincipalname', u'manager'}
 
     create_keys = retrieve_all_keys | {
         u'objectclass', u'ipauniqueid', u'randompassword',
@@ -117,6 +118,7 @@ class StageUserTracker(Tracker):
             uidnumber=[u'-1'],
             gidnumber=[u'-1'],
             krbprincipalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
+            krbcanonicalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
             mail=[u'%s@%s' % (self.uid, self.api.env.domain)],
             gecos=[u'%s %s' % (self.givenname, self.sn)],
             loginshell=[u'/bin/sh'],
@@ -130,6 +132,7 @@ class StageUserTracker(Tracker):
                 self.attrs[key] = [u'%s@%s' % (
                     (self.kwargs[key].split('@'))[0].lower(),
                     (self.kwargs[key].split('@'))[1])]
+                self.attrs[u'krbcanonicalname'] = self.attrs[key]
             elif key == u'manager':
                 self.attrs[key] = [self.kwargs[key]]
             elif key == u'ipasshpubkey':
diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
index 261ea69e1c713b61017cda7fb858340c070ab6e7..3585e75859573fc03f346bc4ec32fe431d30942a 100644
--- a/ipatests/test_xmlrpc/tracker/user_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
@@ -36,8 +36,8 @@ class UserTracker(Tracker):
         u'l', u'mobile', u'krbextradata', u'krblastpwdchange',
         u'krbpasswordexpiration', u'pager', u'st', u'manager', u'cn',
         u'ipauniqueid', u'objectclass', u'mepmanagedentry',
-        u'displayname', u'gecos', u'initials', u'krbprincipalname',
-        u'preserved'}
+        u'displayname', u'gecos', u'initials', u'krbcanonicalname',
+        'krbprincipalname', u'preserved'}
 
     retrieve_preserved_keys = (retrieve_keys - {u'memberof_group'}) | {
         u'preserved'}
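Review bot: `'krbprincipalname'` lost its `u` prefix in the rewritten line while every other member of the set keeps it; on Python 2 an ASCII str and the equivalent unicode hash and compare equal, so behaviour does not change, but `u'krbprincipalname'` keeps the set uniform and avoids a surprise if the keys are ever compared by type.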
@@ -146,6 +146,7 @@ class UserTracker(Tracker):
             uidnumber=[fuzzy_digits],
             gidnumber=[fuzzy_digits],
             krbprincipalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
+            krbcanonicalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
             mail=[u'%s@%s' % (self.uid, self.api.env.domain)],
             gecos=[u'%s %s' % (self.givenname, self.sn)],
             loginshell=[u'/bin/sh'],
-- 
2.5.5
