[16482] in Kerberos-V5-bugs
[krbdev.mit.edu #8877] Issue setting require_auth attribute with ldap
daemon@ATHENA.MIT.EDU (Machin, Glenn D via RT)
Sat Feb 22 17:29:39 2020
From: "Machin, Glenn D via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <DAE1CFB0-68DA-4ECF-BD2C-7FCC3BD1F96D@sandia.gov>
Message-ID: <rt-4.4.4-52589-1582410534-1153.8877-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8877":;
Date: Sat, 22 Feb 2020 17:28:54 -0500
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krb5-bugs-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Sat Feb 22 17:28:54 2020: Request 8877 was acted upon.
Transaction: Ticket created by GMachin@sandia.gov
Queue: krb5
Subject: Issue setting require_auth attribute with ldap backend with release 1.17
Owner: Nobody
Requestors: GMachin@sandia.gov
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8877 >
After setting an authentication indicator on a service. You cannot use delstr to remove it.
kadmin.local: setstr host/hostname.domain@realm require_auth LOA2
Attribute set for principal " host/hostname.domain@realm "
kadmin.local: getstrs host/hostname.domain
require_auth: LOA2
kadmin.local: delstr host/hostname.domain require_auth
Attribute removed from principal "host/hostname.domain@realm".
kadmin.local: getstrs host/hostname.domain
require_auth: LOA2
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c nevers checks to see if krbPrincipalAuthInd exists, in the case where it’s not being set.
/* Parse the "require_auth" string for auth indicators, adding them to the
* krbPrincipalAuthInd attribute. */
static krb5_error_code
update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
LDAPMod ***mods)
{
int i = 0;
krb5_error_code ret;
char *auth_ind = NULL;
char *strval[10] = { 0 };
char *ai, *ai_save = NULL;
int sv_num = sizeof(strval) / sizeof(*strval);
ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,
&auth_ind);
if (ret || auth_ind == NULL)
goto cleanup;
ai = strtok_r(auth_ind, " ", &ai_save);
while (ai != NULL && i < sv_num) {
strval[i++] = ai;
ai = strtok_r(NULL, " ", &ai_save);
}
ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
LDAP_MOD_REPLACE, strval);
cleanup:
krb5_dbe_free_string(context, auth_ind);
return ret;
}
Change above to :
int attr_mask = 0;
krb5_boolean has_AuthInd;
if (ret || auth_ind == NULL)
{
/* No krbPrincipalAuthInd to be set - lets check and see if current */
/* settings in ldap has it set. If so then we need to delete it */
ret = krb5_get_attributes_mask(context, entry, &attr_mask);
if (ret == 0){
/* If current ldap entry has krbPrincipalAuthInd set we need to delete it */
has_AuthInd = ((attr_mask & KDB_AUTH_IND_ATTR ) != 0);
if (has_AuthInd) {
ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
LDAP_MOD_DELETE,
NULL );
}
}
goto cleanup;
}
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
