Supply canonical name if present in LDAP iteration
authorGreg Hudson <ghudson@mit.edu>
Thu, 3 Sep 2009 20:41:56 +0000 (20:41 +0000)
committerGreg Hudson <ghudson@mit.edu>
Thu, 3 Sep 2009 20:41:56 +0000 (20:41 +0000)
In the presence of aliases, LDAP iteration was supplying the first
principal it found within the expected realm, which is not necessarily
the same as the canonical name.  If the entry has a canonical name
field, use that in preference to any of the principal names.

ticket: 6557
target_version: 1.7.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22710 dc483132-0cff-0310-8789-dd5450dbe970

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c

index 8b3c7a14a3dc3db1497b6d2dce599eb9477abb4e..1cf67629bc40b6753e0848f54972855c0a615b2d 100644 (file)
@@ -188,7 +188,10 @@ krb5_ldap_iterate(context, match_expr, func, func_arg)
 
        LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
        for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
-           if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+           values=ldap_get_values(ld, ent, "krbcanonicalname");
+           if (values == NULL)
+               values=ldap_get_values(ld, ent, "krbprincipalname");
+           if (values != NULL) {
                for (i=0; values[i] != NULL; ++i) {
                    if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
                        continue;
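Review bot: The new `ldap_get_values(ld, ent, "krbcanonicalname")` call only yields a value if `krbcanonicalname` is among the attributes requested by the `LDAP_SEARCH` two lines above, and `principal_attributes` is defined outside this hunk, so it is worth confirming that list includes it; otherwise the fallback to `krbprincipalname` always fires and the fix is silently ineffective. The reason for preferring the canonical name lives only in the commit message; a comment at the new lookup, `/* Prefer krbcanonicalname; krbprincipalname may hold aliases. */`, would keep that rationale next to the code. The body of krb5_ldap_iterate continues outside this hunk.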
@@ -201,13 +204,11 @@ krb5_ldap_iterate(context, match_expr, func, func_arg)
                        (*func)(func_arg, &entry);
                        krb5_dbe_free_contents(context, &entry);
                        (void) krb5_free_principal(context, principal);
-                       if (princ_name)
-                           free(princ_name);
+                       free(princ_name);
                        break;
                    }
                    (void) krb5_free_principal(context, principal);
-                   if (princ_name)
-                       free(princ_name);
+                   free(princ_name);
                }
                ldap_value_free(values);
            }
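Review bot: Dropping the `if (princ_name)` guards is safe because free(NULL) is a no-op, but both `free(princ_name)` calls leave `princ_name` pointing at freed memory; if `krb5_ldap_parse_principal_name` fails on the next value the loop `continue`s without reassigning it, so any cleanup path after the loop (not visible here) that frees `princ_name` would double-free. Writing `free(princ_name); princ_name = NULL;` at both sites closes that off cheaply. The enclosing loop and function continue outside this hunk.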