#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
/* Cross-realm */
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
+/* Allow in-realm aliases */
+#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
* db_get_principal):
*
* KRB5_KDB_FLAG_CANONICALIZE: Set by the KDC when looking up entries for
- * an AS or TGS request with canonicalization requested. Affects
- * whether the module should return out-of-realm referrals and aliases
- * (see below).
+ * an AS or TGS request with canonicalization requested. Determines
+ * whether the module should return out-of-realm referrals.
*
- * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+ * KRB5_KDB_FLAG_INCLUDE_PAC: Set by the KDC during an AS request when the
* client requested PAC information during padata, and during most TGS
* requests. Indicates that the module should include PAC information
* when generating authorization data.
*
* KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
* client entry in an AS request. Affects how the module should return
- * out-of-realm referrals and whether the module should return in-realm
- * aliases (see below).
+ * out-of-realm referrals.
*
* KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
* entry during TGS requests, except for S4U TGS requests and requests
* during a TGS request, if the client principal is not part of the
* realm being served.
*
- * A module can return in-realm aliases if KRB5_KDB_FLAG_CANONICALIZE is
- * set, or if KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is not set (because
- * aliases are always okay for TGS requests). To return an in-realm alias,
- * fill in a different value for entries->princ than the one requested.
+ * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
+ * for AS request client principal lookups with canonicalization
+ * requested; also set by the admin interface. Determines whether the
+ * module should return in-realm aliases.
+ *
+ * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set.
+ * To return an in-realm alias, fill in a different value for
+ * entries->princ than the one requested.
*
* A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
* is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
krb5_princ_type(kdc_context,
request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ setflag(c_flags, KRB5_KDB_FLAG_ALIAS_OK);
}
if (include_pac_p(kdc_context, request)) {
setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
#endif
s_flags = 0;
+ setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
+ setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
*kdb_ptr = NULL;
- ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
+ ret = krb5_db_get_principal(handle->context, principal,
+ KRB5_KDB_FLAG_ALIAS_OK, &kdb);
if (ret == KRB5_KDB_NOENTRY)
return(KADM5_UNK_PRINC);
if (ret)
return 0;
}
-/* Return true if it's okay to return aliases according to flags. */
-static krb5_boolean
-aliases_ok(unsigned int flags)
-{
- /*
- * The current DAL does not have a flag to indicate whether
- * aliases are okay. For service name lookups (AS or TGT path),
- * we can always return aliases. For client name lookups, we can
- * only return aliases if the client passed the canonicalize flag.
- * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
- * lookups.
- *
- * This method has the side effect of permitting aliases for
- * lookups by administrative interfaces (e.g. kadmin). Since we
- * don't have explicit admin support for aliases yet, this is
- * okay.
- */
- if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
- return TRUE;
- if (flags & KRB5_KDB_FLAG_CANONICALIZE)
- return TRUE;
- return FALSE;
-}
-
/*
* look up a principal in the directory.
*/
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
- if (aliases_ok(flags)) {
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;