From c2fe77b2277513d01b56dc26391e8e7cfcbe7429 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 22 Jul 2016 12:20:33 +0200
Subject: [PATCH 61/62] SDAP: add special handling for IPA Kerberos enterprise
principal strings
Unfortunately principal aliases with an alternative realm are stored in
IPA as the string representation of an enterprise principal, i.e.
name\@alt.realm@IPA.REALM. To allow searches with the plain alias
'name@alt.realm', the returned value is converted to that plain form
before it is saved to the cache.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 15694ca762f61a414f0017c57ed97a8d57456b80)
---
src/providers/ldap/sdap_async_users.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 28101a2d8a38f97d09d50a9f7e071a030b4f9719..cccd2506b3e1849101a8a06c39fe6cab263777b6 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -143,6 +143,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
char *dom_sid_str = NULL;
struct sss_domain_info *subdomain;
size_t c;
+ char *p1;
+ char *p2;
DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");
@@ -448,6 +450,21 @@ int sdap_save_user(TALLOC_CTX *memctx,
goto done;
}
+ /* Check for IPA Kerberos enterprise principal strings
+ * 'user\@my.realm@IPA.REALM' and use 'user@my.realm' */
+ if ( (p1 = strchr(upn,'\\')) != NULL
+ && *(p1 + 1) == '@'
+ && (p2 = strchr(p1 + 2, '@')) != NULL) {
+ *p1 = '\0';
+ *p2 = '\0';
+ upn = talloc_asprintf(tmpctx, "%s%s", upn, p1 + 1);
+ if (upn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
if (dp_opt_get_bool(opts->basic, SDAP_FORCE_UPPER_CASE_REALM)) {
make_realm_upper_case(upn);
}
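Review bot: The conversion writes NULs into the original `upn` buffer (`*p1 = '\0'; *p2 = '\0';`) before building the new string, so whatever `upn` pointed at is truncated in place even though a fresh copy is allocated; if that pointer aliases the attribute value taken from the LDAP result (its origin is outside the hunk), that value is silently corrupted, and on the `talloc_asprintf` failure path the function leaves the mutated string behind. The copy can be built without touching the source: `upn = talloc_asprintf(tmpctx, "%.*s%.*s", (int)(p1 - upn), upn, (int)(p2 - p1 - 1), p1 + 1);` and the two assignments dropped. Separately, `strchr(upn, '\\')` finds the first backslash, so a name containing another escape before the `\@` (for example `a\\b\@alt.realm@IPA.REALM`) fails the `*(p1 + 1) == '@'` test and is stored unconverted; extending the comment with `Only the single '\@' escape is recognised; other escapes leave the value untouched.` would make that limit explicit. `sdap_save_user` begins and ends outside this hunk.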
--
2.4.11