[28841] in CVS-changelog-for-Kerberos-V5
krb5 commit: Disable principal renames for LDAP
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 1 17:23:55 2015
Date: Wed, 1 Apr 2015 17:23:51 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201504012123.t31LNpPX002353@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/8483243664a289fea142d8a9de61eba30d713871
commit 8483243664a289fea142d8a9de61eba30d713871
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Mar 26 12:47:06 2015 -0400
Disable principal renames for LDAP
The current principal rename procedure does not work with the LDAP KDB
module, instead having the effect of deleting the principal. The fix
is not easy and requires amending the DAL (see issue #8065). For now,
detect LDAP and error out when a rename operation is attempted.
ticket: 8162 (new)
target_version: 1.13.2
tags: pullup
src/lib/kadm5/srv/svr_principal.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d4e74cc..27f8eba 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -782,6 +782,7 @@ kadm5_rename_principal(void *server_handle,
kadm5_server_handle_t handle = server_handle;
krb5_int16 stype, i;
krb5_data *salt = NULL;
+ krb5_tl_data tl;
CHECK_HANDLE(server_handle);
@@ -798,6 +799,18 @@ kadm5_rename_principal(void *server_handle,
if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
return ret;
+ /*
+ * This rename procedure does not work with the LDAP KDB module (see issue
+ * #8065). As a stopgap, look for tl-data indicating LDAP and error out.
+ * 0x7FFE is KDB_TL_USER_INFO as defined in kdb_ldap.h.
+ */
+ tl.tl_data_type = 0x7FFE;
+ if (krb5_dbe_lookup_tl_data(handle->context, kdb, &tl) == 0 &&
+ tl.tl_data_length > 0) {
+ ret = KRB5_PLUGIN_OP_NOTSUPP;
+ goto done;
+ }
+
/* Transform salts as necessary. */
for (i = 0; i < kdb->n_key_data; i++) {
ret = krb5_dbe_compute_salt(handle->context, &kdb->key_data[i],
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5