# specific syntax definitions
# Kerberos Object Class(6) class# version#
# specific class definitions
+#
+# iso(1)
+# member-body(2)
+# United States(840)
+# mit (113554)
+# infosys(1)
+# ldap(4)
+# attributeTypes(1)
+# Kerberos(6)
########################################################################
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+##### If there are multiple krbPrincipalName values for an entry, this
+##### is the canonical principal name in the RFC 1964 specified
+##### format. (If this attribute does not exist, then all
+##### krbPrincipalName values are treated as canonical.)
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.1
+ NAME 'krbCanonicalName'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
NAME 'krbPrincipalAux'
AUXILIARY
- MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
###### This class is used to create additional principals and stand alone principals.
# specific syntax definitions
# Kerberos Object Class(6) class# version#
# specific class definitions
+#
+# iso(1)
+# member-body(2)
+# United States(840)
+# mit (113554)
+# infosys(1)
+# ldap(4)
+# attributeTypes(1)
+# Kerberos(6)
########################################################################
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+##### If there are multiple krbPrincipalName values for an entry, this
+##### is the canonical principal name in the RFC 1964 specified
+##### format. (If this attribute does not exist, then all
+##### krbPrincipalName values are treated as canonical.)
+
+attributetype ( 1.2.840.113554.1.4.1.6.1
+ NAME 'krbCanonicalName'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### This stores the alternate principal names for the principal in the RFC 1961 specified format
+##### This stores the alternate principal names for the principal in the RFC 1964 specified format
attributetype ( 2.16.840.1.113719.1.301.4.47.1
NAME 'krbPrincipalAliases'
NAME 'krbPrincipalAux'
SUP top
AUXILIARY
- MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
###### This class is used to create additional principals and stand alone principals.
struct timeval timelimit = {300, 0}; /* 5 minutes */
char *principal_attributes[] = { "krbprincipalname",
+ "krbcanonicalname",
"objectclass",
"krbprincipalkey",
"krbmaxrenewableage",
char *user=NULL, *filter=NULL, **subtree=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
- char **values=NULL;
+ char **values=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
+ krb5_principal cprinc=NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
* NOTE: a principalname k* in ldap server will return all the principals starting with a k
*/
for (i=0; values[i] != NULL; ++i) {
- if (strcasecmp(values[i], user) == 0) {
+ if (strcmp(values[i], user) == 0) {
*nentries = 1;
break;
}
continue;
}
- if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, searchfor,
- entries)) != 0)
+ if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
+ if (values[0] && strcmp(values[0], user) != 0) {
+ /* We matched an alias, not the canonical name. */
+ if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+ st = krb5_ldap_parse_principal_name(values[0], &cname);
+ if (st != 0)
+ goto cleanup;
+ st = krb5_parse_name(context, cname, &cprinc);
+ if (st != 0)
+ goto cleanup;
+ } else /* No canonicalization, so don't return aliases. */
+ *nentries = 0;
+ }
+ ldap_value_free(values);
+ if (*nentries == 0)
+ continue;
+ }
+
+ if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
+ cprinc ? cprinc : searchfor,
+ entries)) != 0)
goto cleanup;
}
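Review bot: Both `goto cleanup` paths inside the krbcanonicalname block (after krb5_ldap_parse_principal_name and after krb5_parse_name) leave the `values` array from ldap_get_values unfreed, because ldap_value_free is reached only on the fall-through path and the cleanup code visible further down frees user, cname and cprinc but not values. Releasing the array before deciding whether to jump closes that error-path leak; the rewrite below does so by folding the two checks into one `st != 0` test placed after ldap_value_free. A second point, inferred because the loop header lies outside the hunk: cname and cprinc are assigned per entry and never reset, so if the body runs for more than one entry that passes the alias check, the earlier cname/cprinc are overwritten and leaked and the last entry's canonical name silently wins; freeing them at the top of each iteration, or treating a second assignment as an error, would make that behaviour explicit. The enclosing function begins and ends outside this hunk.
```c
        if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
            if (values[0] && strcmp(values[0], user) != 0) {
                /* We matched an alias, not the canonical name. */
                if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
                    st = krb5_ldap_parse_principal_name(values[0], &cname);
                    if (st == 0)
                        st = krb5_parse_name(context, cname, &cprinc);
                } else /* No canonicalization, so don't return aliases. */
                    *nentries = 0;
            }
            ldap_value_free(values);   /* release before any jump to cleanup */
            if (st != 0)
                goto cleanup;
            if (*nentries == 0)
                continue;
        }
        /* … unchanged: populate_krb5_db_entry call … */
```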
ldap_msgfree(result);
if (user)
free(user);
+ if (cname)
+ free(cname);
+
+ if (cprinc)
+ krb5_free_principal(context, cprinc);
+
return st;
}