
krb5 commit: Disable principal renames for LDAP

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 1 17:23:55 2015

Date: Wed, 1 Apr 2015 17:23:51 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201504012123.t31LNpPX002353@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/8483243664a289fea142d8a9de61eba30d713871
commit 8483243664a289fea142d8a9de61eba30d713871
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Mar 26 12:47:06 2015 -0400

    Disable principal renames for LDAP
    
    The current principal rename procedure does not work with the LDAP KDB
    module, instead having the effect of deleting the principal.  The fix
    is not easy and requires amending the DAL (see issue #8065).  For now,
    detect LDAP and error out when a rename operation is attempted.
    
    ticket: 8162 (new)
    target_version: 1.13.2
    tags: pullup

 src/lib/kadm5/srv/svr_principal.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d4e74cc..27f8eba 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -782,6 +782,7 @@ kadm5_rename_principal(void *server_handle,
     kadm5_server_handle_t handle = server_handle;
     krb5_int16 stype, i;
     krb5_data *salt = NULL;
+    krb5_tl_data tl;
 
     CHECK_HANDLE(server_handle);
 
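Review bot: The new `krb5_tl_data tl;` at the top of kadm5_rename_principal is declared uninitialized and far from its single use further down, where only `tl_data_type` is assigned before the lookup. That is correct as long as the lookup keys on `tl_data_type` alone and fills in length and contents itself, but zero-initializing (`krb5_tl_data tl = { 0 };`) or moving the declaration next to the lookup would make that dependency obvious and keep `tl_data_contents` from ever being read as garbage if the check is later extended.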
@@ -798,6 +799,18 @@ kadm5_rename_principal(void *server_handle,
     if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
         return ret;
 
+    /*
+     * This rename procedure does not work with the LDAP KDB module (see issue
+     * #8065).  As a stopgap, look for tl-data indicating LDAP and error out.
+     * 0x7FFE is KDB_TL_USER_INFO as defined in kdb_ldap.h.
+     */
+    tl.tl_data_type = 0x7FFE;
+    if (krb5_dbe_lookup_tl_data(handle->context, kdb, &tl) == 0 &&
+        tl.tl_data_length > 0) {
+        ret = KRB5_PLUGIN_OP_NOTSUPP;
+        goto done;
+    }
+
     /* Transform salts as necessary. */
     for (i = 0; i < kdb->n_key_data; i++) {
         ret = krb5_dbe_compute_salt(handle->context, &kdb->key_data[i],
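Review bot: The LDAP marker is hard-coded as the literal `0x7FFE` with a comment pointing at `KDB_TL_USER_INFO` in kdb_ldap.h; since that header evidently cannot be included from the kadm5 server library, a named constant here (`#define KDB_TL_USER_INFO_TYPE 0x7FFE` or similar, with the same comment) would keep the two definitions discoverable if the LDAP module ever changes its tl-data type. The `tl.tl_data_length > 0` condition on the success path is necessary, because a successful lookup with no matching tl-data leaves the length at zero, so the LDAP case is correctly distinguished from a plain DB2 entry. Finally, the early `ret = KRB5_PLUGIN_OP_NOTSUPP; goto done;` fires after `kdb_get_entry` has already populated `kdb` and `adb`; the `done:` label is outside the visible context, so confirm that it releases both (this is the first exit path in this function between the entry fetch and the salt transformation loop).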
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5