580d618 ldap_child: do not try PKINIT

1 file. Authored by sbose 4 years ago, committed by mzidek 4 years ago.
    ldap_child: do not try PKINIT
    
    If the PKINIT plugin is installed and pkinit_identities is set in
    /etc/krb5.conf, libkrb5 will try to do PKINIT although ldap_child only
    wants to authenticate with a keytab. As a result ldap_child might try to
    access a Smartcard, which is either not allowed at all or might cause
    unexpected delays.
    
    To avoid this the current patch sets pkinit_identities for LDAP child
    explicitly to make the PKINIT plugin fail because, if installed, libkrb5
    will always use it.
    
    It turned out that setting pre-authentication options requires some
    internal flags to be set and krb5_get_init_creds_opt_alloc() must be
    used to initialize the options struct.
    
    Related to https://pagure.io/SSSD/sssd/issue/4126
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>