From 117d6e9be0c386f134bd27eee3377e70df77f0f0 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Jun 07 2017 12:00:06 +0000
Subject: ipa-kdb: use canonical principal in certauth plugin
Currently the certauth plugin use the unmodified principal from the request to lookup the user. This might fail if e.g. enterprise principals are use. With this patch the canonical principal form the kdc entry is used.
Resolves https://pagure.io/freeipa/issue/6993
Reviewed-By: David Kupka
---
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index da9a9cb..66c2d08 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -284,7 +284,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
 }
 }
- ret = krb5_unparse_name(context, princ, &principal);
+ ret = krb5_unparse_name(context, db_entry->princ, &principal);
 if (ret != 0) {
 ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
 goto done;
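Review bot: The switch to `db_entry->princ` in the `krb5_unparse_name()` call has no comment saying why the request's `princ` is deliberately ignored, and that is the security-relevant part of this lookup: the certificate mapping should be checked against the canonical account the KDC resolved, not against a client-supplied enterprise name or alias. I would add above the call `/* Match the certificate against the canonical principal of the KDB entry; the request principal may be an enterprise name or alias. */`. The hunk also shows no guard on `db_entry` before the dereference; if the certauth interface does not guarantee a non-NULL entry at this point, the function should fail closed before this line rather than dereference it. ipa_certauth_authorize starts and ends outside the hunk, so an earlier check, and any remaining use of `princ`, may exist out of view.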