From 7ea3b86696f5451f1d227d365018ab7dc53024af Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Jun 01 2023 06:01:00 +0000
Subject: Filter out constrained delegation ACL from KDB entry

Commit f78dc0b163 was missing an exception for the constrained delegation ACL TL data type during the principal entry update operation. This ACL is not meant to be stored as encoded data in krbExtraData.

Signed-off-by: Julien Rische
Reviewed-By: Rob Crittenden
Reviewed-By: Alexander Bokovoy
---
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index e7fd388..e94e1f8 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -2063,6 +2063,7 @@ done:
 static bool should_filter_out_attr(krb5_tl_data *data)
 {
 switch (data->tl_data_type) {
+ case KRB5_TL_CONSTRAINED_DELEGATION_ACL:
 case KRB5_TL_DB_ARGS:
 case KRB5_TL_KADM_DATA:
 case KRB5_TL_LAST_ADMIN_UNLOCK:
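Review bot: The added `case KRB5_TL_CONSTRAINED_DELEGATION_ACL:` label at the top of the switch in should_filter_out_attr() has no comment saying why this type is excluded, so the reason is recorded only in the commit message; I would put `/* Not meant to be stored as encoded data in krbExtraData. */` above it. The rest of the switch, including any default branch, lies outside the hunk, so I cannot see how unlisted TL types are treated. If they are kept by default, a later TL type can repeat the omission this commit corrects, and a one-line comment at the head of the switch stating that rule would help. Principal entries updated between f78dc0b163 and this fix may already carry the ACL inside krbExtraData, so it is worth confirming whether the next update of such an entry drops the stale value or a separate cleanup is needed.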