8b6d1ab ipa-kdb: support subordinate/superior UPN suffixes

2 files. Authored by abbra 3 years ago, committed by rcritten 3 years ago.
    ipa-kdb: support subordinate/superior UPN suffixes
    
    [MS-ADTS] 6.1.6.9.3.2 requires the msDS-TrustForestTrustInfo attribute of
    trusted domain information in Active Directory to conform to certain rules.
    One side-effect of those rules is that the list of UPN suffixes reported
    through the netr_DsRGetForestTrustInformation function is dynamically
    filtered to deduplicate subordinate suffixes.
    
    It means that if the list of UPN suffixes contains the following top level
    names (TLNs):
    
      fabrikam.com
      sub.fabrikam.com
    
    then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
    as the TLN, fully filtering 'sub.fabrikam.com'.
    
    The IPA KDB driver used exact comparison of the UPN suffixes, so any
    subordinate had to be specified exactly.
    
    Modify the logic so that if the exact check does not succeed, we check
    whether the realm is a subordinate of one of the known UPN suffixes. The
    subordinate check is done by making sure the UPN suffix is at the end of
    the test realm and is immediately preceded by a dot.
    
    Because the function to check suffixes is potentially called for every
    Kerberos principal, precalculate and cache the length of each UPN suffix at
    the time we retrieve the list of them.
    
    Fixes: https://pagure.io/freeipa/issue/8554
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Robbie Harwood <rharwood@redhat.com>
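The subordinate-suffix check and the cached suffix lengths described in the commit message, written out as an added C example (this is not the ipa-kdb code itself). The struct, function names, the constructed suffix list and the case-insensitive comparison are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Hypothetical: a UPN suffix with its length cached when the list is loaded. */
struct upn_suffix {
    const char *name;
    size_t len;
};

/* Constructed sample: only TLNs survive the deduplication described above,
 * so "sub.fabrikam.com" is never listed and must be matched as a subordinate. */
static struct upn_suffix suffixes[] = {
    { "fabrikam.com", 0 },
    { "contoso.com", 0 },
};
#define NSUFFIXES (sizeof(suffixes) / sizeof(suffixes[0]))
static bool suffixes_ready = false;

/* Precompute strlen() once, so the per-principal check never re-measures. */
static void upn_suffixes_init(void)
{
    for (size_t i = 0; i < NSUFFIXES; i++)
        suffixes[i].len = strlen(suffixes[i].name);
    suffixes_ready = true;
}

/* True when realm equals the suffix or is a subordinate of it: the suffix
 * must be the tail of realm and the byte before it must be '.'. Rejects
 * "notfabrikam.com" (no dot boundary) and ".fabrikam.com" (empty label).
 * Assumption: DNS-style names, so the comparison is case-insensitive. */
bool realm_matches_suffix(const char *realm, const struct upn_suffix *s)
{
    size_t rlen = strlen(realm);
    if (rlen == s->len)
        return strcasecmp(realm, s->name) == 0;
    if (rlen < s->len + 2)          /* need at least one label plus '.' */
        return false;
    const char *tail = realm + (rlen - s->len);
    return tail[-1] == '.' && strcasecmp(tail, s->name) == 0;
}

bool realm_is_known_upn(const char *realm)
{
    if (!suffixes_ready)
        upn_suffixes_init();
    for (size_t i = 0; i < NSUFFIXES; i++)
        if (realm_matches_suffix(realm, &suffixes[i]))
            return true;
    return false;
}
```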