[17004] in Kerberos-V5-bugs
[krbdev.mit.edu #9163] Add alias support
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Feb 27 14:39:16 2025
From: "Greg Hudson via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-3199705-1740685148-623.9163-4-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9163":;
Date: Thu, 27 Feb 2025 14:39:08 -0500
MIME-Version: 1.0
Reply-To: rt-comment@kerborg-prod-app-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Thu Feb 27 14:39:07 2025: Request 9163 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: Add alias support
Owner: Nobody
Requestors: ghudson@mit.edu
Status: resolved
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9163 >
Add alias support
Add a new kadmin command add_alias. Implement it for DB2 and LMDB by
writing stub principal entries with a tl-data entry giving the target
name. Add libkdb5 functions to create and interpret alias entries.
Handle these stub entries in krb5_db_get_principal(), iteratively
resolving aliases up to a depth of 10.
To allow kadm5_delete_principal() to work on aliases, remove the code
that fetches the entry prior to deletion; it was needed before commit
0780e46fc13dbafa177525164997cd204cc50b51 to decrement the policy
reference count, but now serves no purpose. Adjust kdb_delete_entry()
to translate KRB5_KDB_NOENTRY instead of ignoring it, as we still want
to return KADM5_UNK_PRINC when deleting a nonexistent principal name.
Modify the LDAP KDB module to work with alias entries. In
krb5_ldap_put_principal(), recognize stub alias entries and add an
alias to the object for the target principal. In
krb5_ldap_delete_principal(), don't delete the LDAP object when
deleting an alias name. In krb5_ldap_iterate(), generate stub entries
for each alias name in addition to the populated entry for the
canonical name. A small amount of refactoring was done as part of
this work: the LDAP-specific principal name parsing and unparsing
functions were simplified, and a helper function search_princ() was
added to find the LDAP object for a principal name.
In kdb5_util tabdump, add a dump type "alias" to display a list of
aliases in the database.
Based on work by Alexander Bokovoy.
https://github.com/krb5/krb5/commit/5d3fe31bf1dc48e8ee946bf65428611958cac329
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5d3fe31bf1dc48e8ee946bf65428611958cac329
Branch: master
doc/admin/admin_commands/kadmin_local.rst          |  22 +-
doc/admin/admin_commands/kdb5_util.rst             |   8 +
doc/admin/conf_ldap.rst                            |   7 +-
doc/admin/database.rst                             |   4 +
src/include/kdb.h                                  |  28 +-
src/include/krb5/kadm5_auth_plugin.h               |  11 +-
src/include/krb5/kadm5_hook_plugin.h               |   8 +-
src/kadmin/cli/kadmin.c                            |  49 +++
src/kadmin/cli/kadmin.h                            |   2 +
src/kadmin/cli/kadmin_ct.ct                        |   3 +
src/kadmin/dbutil/tabdump.c                        |  38 ++
src/kadmin/server/auth.c                           |   8 +-
src/kadmin/server/auth.h                           |   2 +
src/kadmin/server/auth_acl.c                       |  14 +
src/kadmin/server/kadm_rpc_svc.c                   |   7 +
src/kadmin/server/server_stubs.c                   | 259 ++++++++-----
src/lib/kadm5/admin.h                              |   3 +
src/lib/kadm5/admin_xdr.h                          |   1 +
src/lib/kadm5/clnt/client_principal.c              |  20 +
src/lib/kadm5/clnt/client_rpc.c                    |   8 +
src/lib/kadm5/clnt/libkadm5clnt_mit.exports        |   2 +
src/lib/kadm5/kadm_err.et                          |   1 +
src/lib/kadm5/kadm_rpc.h                           |  12 +
src/lib/kadm5/kadm_rpc_xdr.c                       |  15 +
src/lib/kadm5/server_internal.h                    |   7 +
src/lib/kadm5/srv/kadm5_hook.c                     |  10 +-
src/lib/kadm5/srv/libkadm5srv_mit.exports          |   2 +
src/lib/kadm5/srv/server_kdb.c                     |   4 +-
src/lib/kadm5/srv/svr_principal.c                  |  49 ++-
src/lib/kdb/kdb5.c                                 | 112 +++++-
src/lib/kdb/libkdb5.exports                        |   2 +
src/lib/krb5/error_tables/kdb5_err.et              |   1 +
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c  | 227 ++++++-----
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h  |   6 +-
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 429 ++++++++++++---------
src/tests/Makefile.in                              |   1 +
src/tests/t_alias.py                               | 124 ++++
src/tests/t_kadmin_acl.py                          | 102 ++++-
src/tests/t_kdb.py                                 |  44 ++-
src/tests/t_tabdump.py                             |   6 +
40 files changed, 1238 insertions(+), 420 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
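The ticket describes alias entries as stub principal records carrying only the target name, resolved iteratively by the lookup path up to a depth of 10, and deleted by name without resolving first. The following C program is an added illustration of those semantics and is not krb5 code (nor part of Greg Hudson's or Alexander Bokovoy's work): the entry layout, the names fetch_raw, get_principal and delete_principal, the status codes, and the sample database are all assumptions made for this example. What it shows is the behaviour a caller would observe: an alias chain resolves to the canonical entry, a cycle is cut off by the depth limit instead of looping forever, a stub whose target no longer exists behaves as a missing principal, and deleting an alias removes only the stub while the target survives.

```c
#include <stdio.h>
#include <string.h>

/* Depth limit stated in the ticket: at most 10 alias hops are followed. */
#define MAX_ALIAS_DEPTH 10

/* Hypothetical status codes standing in for the krb5/kadm5 error codes. */
enum { LOOKUP_OK = 0, LOOKUP_NOENTRY = 1, LOOKUP_ALIAS_DEPTH = 2 };

/* Toy KDB entry (assumed layout).  A real principal has alias_target ==
 * NULL; an alias is a stub whose only payload is the target name, modelled
 * on the tl-data entry the ticket describes.  'present' models whether the
 * record still exists in the backend. */
struct entry {
    const char *name;
    const char *alias_target;
    int present;
};

/* Constructed sample database; the names are not real data. */
static struct entry db[] = {
    { "alice@EXAMPLE.COM",    NULL,                 1 },
    { "alias1@EXAMPLE.COM",   "alice@EXAMPLE.COM",  1 }, /* alias -> alice */
    { "alias2@EXAMPLE.COM",   "alias1@EXAMPLE.COM", 1 }, /* alias -> alias -> alice */
    { "loop1@EXAMPLE.COM",    "loop2@EXAMPLE.COM",  1 }, /* two-entry cycle */
    { "loop2@EXAMPLE.COM",    "loop1@EXAMPLE.COM",  1 },
    { "dangling@EXAMPLE.COM", "nobody@EXAMPLE.COM", 1 }, /* target missing */
};

/* Raw fetch by exact name with no alias handling: the backend's own get. */
static struct entry *fetch_raw(const char *name)
{
    for (size_t i = 0; i < sizeof(db) / sizeof(db[0]); i++) {
        if (db[i].present && strcmp(db[i].name, name) == 0)
            return &db[i];
    }
    return NULL;
}

/* Model of the lookup path: fetch the named entry and, while it is an alias
 * stub, replace the name with the stub's target.  At most MAX_ALIAS_DEPTH
 * hops are followed, so a cycle terminates with an error instead of
 * spinning.  On success *out is the canonical entry and *hops the number of
 * aliases traversed. */
int get_principal(const char *name, const struct entry **out, int *hops)
{
    const char *cur = name;
    for (int depth = 0; depth <= MAX_ALIAS_DEPTH; depth++) {
        const struct entry *e = fetch_raw(cur);
        if (e == NULL)
            return LOOKUP_NOENTRY;      /* the name, or an alias target, is gone */
        if (e->alias_target == NULL) {
            *out = e;
            *hops = depth;
            return LOOKUP_OK;
        }
        cur = e->alias_target;          /* follow one hop */
    }
    return LOOKUP_ALIAS_DEPTH;          /* more than MAX_ALIAS_DEPTH hops */
}

/* Model of deletion by name: no resolution first, so deleting an alias
 * removes only the stub and leaves the target untouched.  A name that does
 * not exist reports "no entry", which the ticket maps to KADM5_UNK_PRINC. */
int delete_principal(const char *name)
{
    struct entry *e = fetch_raw(name);
    if (e == NULL)
        return LOOKUP_NOENTRY;
    e->present = 0;
    return LOOKUP_OK;
}

int main(void)
{
    const char *names[] = { "alias2@EXAMPLE.COM", "loop1@EXAMPLE.COM",
                            "dangling@EXAMPLE.COM" };
    const struct entry *e = NULL;
    int hops = 0;

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = get_principal(names[i], &e, &hops);
        printf("%-22s rc=%d hops=%d%s%s\n", names[i], rc, hops,
               rc == LOOKUP_OK ? " canonical=" : "",
               rc == LOOKUP_OK ? e->name : "");
    }
    printf("delete alias1:       rc=%d\n", delete_principal("alias1@EXAMPLE.COM"));
    printf("alice after delete:  rc=%d\n", get_principal("alice@EXAMPLE.COM", &e, &hops));
    printf("alias2 after delete: rc=%d\n", get_principal("alias2@EXAMPLE.COM", &e, &hops));
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall alias_model.c`). The depth check is the security-relevant part: without it, two stubs pointing at each other would make every lookup of either name an unbounded loop inside the KDC.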