pull up r22708 from trunk

 ------------------------------------------------------------------------
 r22708 | ghudson | 2009-09-03 13:39:50 -0400 (Thu, 03 Sep 2009) | 9 lines

 ticket: 6556
 subject: Supply LDAP service principal aliases to non-referrals clients
 target_version: 1.7
 tags: pullup

 In the LDAP back end, return aliases when the CLIENT_REFERRALS_ONLY
 flag isn't set (abusing that flag to recognize a client name lookup).
 Based on a patch from Luke Howard.

ticket: 6556
version_fixed: 1.7.1
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23633 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 14d029c452b5ba3f567306fdda65fd72273987e6..03c3da48d78b78ec23872394f38b29aae781d91a 100644 (file)
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -69,6 +69,30 @@ berval2tl_data(struct berval *in, krb5_tl_data **out)
     return 0;
 }
 
+/* Return true if it's okay to return aliases according to flags. */
+static krb5_boolean
+aliases_ok(unsigned int flags)
+{
+    /*
+     * The current DAL does not have a flag to indicate whether
+     * aliases are okay.  For service name lookups (AS or TGT path),
+     * we can always return aliases.  For client name lookups, we can
+     * only return aliases if the client passed the canonicalize flag.
+     * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
+     * lookups.
+     *
+     * This method has the side effect of permitting aliases for
+     * lookups by administrative interfaces (e.g. kadmin).  Since we
+     * don't have explicit admin support for aliases yet, this is
+     * okay.
+     */
+    if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
+       return TRUE;
+    if (flags & KRB5_KDB_FLAG_CANONICALIZE)
+       return TRUE;
+    return FALSE;
+}
+
 /*
  * look up a principal in the directory.
  */
@@ -160,7 +184,7 @@ krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more)
            if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
                if (values[0] && strcmp(values[0], user) != 0) {
                    /* We matched an alias, not the canonical name. */
-                   if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+                   if (aliases_ok(flags)) {
                        st = krb5_ldap_parse_principal_name(values[0], &cname);
                        if (st != 0)
                            goto cleanup;