From a90a67fc7c4ef114e5f5336d868009fd0caa956b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 15 Dec 2016 16:30:00 +0200
Subject: [PATCH] ipa-kdb: search for password policies globally
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, the DAL driver
needs to search for the policies in the whole tree.
Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.
Fixes https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
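--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
 }
 
 kerr = ipadb_simple_search(ipactx,
- ipactx->realm_base, LDAP_SCOPE_SUBTREE,
+ ipactx->base, LDAP_SCOPE_SUBTREE,
 src_filter, std_pwdpolicy_attrs, &res;;
 if (kerr) {
 goto done;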
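Review bot: Switching the search base to `ipactx->base` while keeping `LDAP_SCOPE_SUBTREE` means a by-name policy lookup can now match entries anywhere under the suffix, so the name is no longer constrained to a single container and may resolve to more than one entry. The handling of `res` lies outside this hunk (ipadb_get_pwd_policy starts before and continues after it), so it is not visible whether multiple matches are rejected; if the first entry is simply taken, the policy the KDC enforces would depend on server return order. I would fail the lookup unless `ldap_count_entries()` reports exactly one entry, and confirm that `src_filter` pins the policy objectclass and is built from a filter-escaped `name`. A comment above the call would also help, e.g. `/* CoS-template policies live under object subtrees, so search the whole suffix rather than only the realm container */`.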
--
2.10.2