From 25033eb499af95f458bd975eddd954c4b6a086ff Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 1 Jun 2017 18:17:53 +0200 Subject: [PATCH] ipa-kdb: use canonical principal in certauth plugin Currently the certauth plugin uses the unmodified principal from the request to look up the user. This might fail if e.g. enterprise principals are used. With this patch the canonical principal from the kdc entry is used. Resolves https://pagure.io/freeipa/issue/6993 Reviewed-By: David Kupka --- daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c index da9a9cb87feca68ee591da70a3239dc86749bae5..66c2d08cbb9d23a8891b9cb6ca238925530eb40c 100644 --- a/daemons/ipa-kdb/ipa_kdb_certauth.c +++ b/daemons/ipa-kdb/ipa_kdb_certauth.c @@ -284,7 +284,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, } } - ret = krb5_unparse_name(context, princ, &principal); + ret = krb5_unparse_name(context, db_entry->princ, &principal); if (ret != 0) { ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH; goto done; -- 2.9.4
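Review bot: the new call `krb5_unparse_name(context, db_entry->princ, &principal)` dereferences `db_entry` with no NULL check visible in this hunk; please confirm that `ipa_certauth_authorize` validates `db_entry` before this point, or add a guard that fails closed before the call. A one-line comment above the call saying that the canonical name from the KDC entry is used because the request principal may be an enterprise principal would keep a later cleanup from switching it back to `princ`. Separately, in the unchanged context that follows, any failure of `krb5_unparse_name` is rewritten to `KRB5KDC_ERR_CERTIFICATE_MISMATCH`, so an unparse failure is indistinguishable from a real certificate mismatch for anyone debugging a failed login; logging the original `ret` before overwriting it would help.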