Blame SOURCES/0185-ipa-kdb-use-canonical-principal-in-certauth-plugin.patch
From 25033eb499af95f458bd975eddd954c4b6a086ff Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 1 Jun 2017 18:17:53 +0200
Subject: [PATCH] ipa-kdb: use canonical principal in certauth plugin
Currently the certauth plugin uses the unmodified principal from the
request to look up the user. This might fail if e.g. enterprise
principals are used. With this patch the canonical principal from the kdc
entry is used.
Resolves https://pagure.io/freeipa/issue/6993
Reviewed-By: David Kupka <dkupka@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index da9a9cb87feca68ee591da70a3239dc86749bae5..66c2d08cbb9d23a8891b9cb6ca238925530eb40c 100644
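--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -284,7 +284,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
 }
 }
 
- ret = krb5_unparse_name(context, princ, &principal);
+ ret = krb5_unparse_name(context, db_entry->princ, &principal);
 if (ret != 0) {
 ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
 goto done;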
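Review bot: The changed call dereferences `db_entry` (`db_entry->princ`), and no NULL check on `db_entry` is visible in this hunk; ipa_certauth_authorize starts and ends outside it, so a guard may already exist earlier in the function. If none exists, a missing entry would crash the KDC process during certificate authorization instead of rejecting the request, so I would add `if (db_entry == NULL) { ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH; goto done; }` ahead of the call. The line also deserves a comment recording the intent, for example `/* Match against the canonical principal of the KDB entry, not the client-supplied name (which may be an enterprise principal). */`, so that a later cleanup does not switch the lookup back to `princ`.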
--
2.9.4