Commit - freeipa - ec8a560392c89da96a805e9779eaa2041dd992c1

freeipa

`ec8a560` ipa-kdb: support getprincs request in kadmin.local

1 file Authored by abbra 3 years ago, Committed by rcritten 3 years ago,

raw patch tree parent

1 file changed. 17 lines added. 2 lines removed.

    ipa-kdb: support getprincs request in kadmin.local
    
    kadmin.local getprincs command results in passing '*' as a principal to
    KDB driver function that looks up the principals.
    
    The whole filter looks like this
    
     (&(|
        (objectclass=krbprincipalaux)
        (objectclass=krbprincipal)
        (objectclass=ipakrbprincipal))
       (|(ipakrbprincipalalias=*)
         (krbprincipalname:caseIgnoreIA5Match:=*)))
    
    There are two parts of the LDAP filter we use to look up principals, the
    part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
    section 3:
    
          extensible     = ( attr [dnattrs]
                               [matchingrule] COLON EQUALS assertionvalue )
                           / ( [dnattrs]
                                matchingrule COLON EQUALS assertionvalue )
    
    In case we've got a principal name as '*' we have to follow RFC 4515
    section 3 and reencode it using <valueencoding> rule from RFC 4511
    section 4.1.6 but only to the part of the filter that does use assertion
    value.
    
    Fixes: https://pagure.io/freeipa/issue/8490
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

daemons/ipa-kdb/ipa_kdb_principals.c

file modified

+17 -2

freeipa

Source Code

ec8a560 ipa-kdb: support getprincs request in kadmin.local

1 file Authored by abbra 3 years ago, Committed by rcritten 3 years ago,

`ec8a560` ipa-kdb: support getprincs request in kadmin.local