#3966 Fix handling of multiple krbPrincipalNames and of krbCanonicalNames in LDAP
Closed: Fixed. Opened 5 years ago by mkosek.

From freeipa-devel thread: comparing master's ipa-kdb's handling of krbPrincipalName and krbCanonicalName attributes with that of the upstream kldap driver, there are a few differences which I'm thinking are bugs.

  • If an entry has multiple krbPrincipalName values, the name which was used to look it up is required to match only the last value of the attribute that we read, not any of them.
  • If an entry has a krbCanonicalName value and the name which we used to look it up doesn't match it, then, if database aliases are allowed, we return an error instead of using it to populate the returned entry.
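The two behaviours in the list above, as an added Python model written for this page (it is not ipa-kdb's C code, nor the kldap driver's). The Entry layout, the function names, the sample principal names and the rule that an alias lookup is a miss when database aliases are disabled are all assumptions of the model; `fixed=False` reproduces what the report describes, `fixed=True` the behaviour after the two master commits listed further down in the ticket.

```python
# Added example (not ipa-kdb's code): a small Python model of the two lookup
# behaviours this ticket describes, so the before/after difference can be run.
# The Entry layout, function names, sample names and the "NOENTRY when aliases
# are disabled" rule are assumptions made for the model, not taken from ipa-kdb.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    """One LDAP principal entry: multi-valued krbPrincipalName plus an
    optional single krbCanonicalName (layout assumed for this model)."""
    dn: str
    principal_names: List[str]             # krbPrincipalName values, in read order
    canonical_name: Optional[str] = None   # krbCanonicalName, if present


class NotFound(Exception):
    """Stands in for a KDB 'no such entry' result."""


def matches_last_value_only(entry: Entry, requested: str) -> bool:
    """Bug 1: the match flag is overwritten by every value read, so only the
    last krbPrincipalName value is ever compared against the lookup name."""
    matched = False
    for name in entry.principal_names:
        matched = (name == requested)
    return matched


def matches_any_value(entry: Entry, requested: str) -> bool:
    """Fix (commit fabd5cd): accept any alias, not just the last value."""
    return any(name == requested for name in entry.principal_names)


def resolve_name(entry: Entry, requested: str, aliases_allowed: bool,
                 fixed: bool = True) -> str:
    """Return the principal name to put into the KDB entry handed back to the
    KDC, or raise NotFound. fixed=False reproduces the reported behaviour,
    fixed=True the behaviour after both commits."""
    matcher = matches_any_value if fixed else matches_last_value_only
    if not matcher(entry, requested):
        raise NotFound(requested)

    canonical = entry.canonical_name
    if canonical is None or canonical == requested:
        return requested            # looked up by its canonical (or only) name

    # The requested name is an alias of the entry's canonical name.
    if not aliases_allowed:
        # Assumption for the model: without alias support the KDC must not
        # issue under a non-canonical name, so treat the lookup as a miss.
        raise NotFound(requested)
    if not fixed:
        # Bug 2: aliases are allowed, yet an error is returned instead of
        # populating the entry with krbCanonicalName.
        raise NotFound(requested)
    return canonical                # fix (commit 16092c3): canonicalize


def try_resolve(entry: Entry, requested: str, aliases_allowed: bool,
                fixed: bool) -> Optional[str]:
    """resolve_name, but None instead of an exception (for tables and tests)."""
    try:
        return resolve_name(entry, requested, aliases_allowed, fixed)
    except NotFound:
        return None


# Constructed sample entry: a host with two krbPrincipalName values whose
# krbCanonicalName equals the FIRST value read. All names are made up.
CANON = "host/web.example.test@EXAMPLE.TEST"
ALIAS = "host/www.example.test@EXAMPLE.TEST"
WEB = Entry(
    dn="krbprincipalname=" + CANON + ",cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test",
    principal_names=[CANON, ALIAS],   # canonical name first, alias last
    canonical_name=CANON,
)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy")
        for name in (CANON, ALIAS):
            for aliases_allowed in (False, True):
                print(f"  lookup {name:36} aliases_allowed={aliases_allowed!s:5} ->",
                      try_resolve(WEB, name, aliases_allowed, fixed))
```

With the sample entry, the buggy path fails even a lookup by the canonical name, because that value is not the last one read; after the fix, a lookup by the alias with aliases enabled yields the canonical name for the returned entry, and a lookup by the alias with aliases disabled is still a miss.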

Moving to the same milestone as #3864.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Very related ticket: #3679. It should be investigated as well to see if it makes sense to fix them both.

master:

  • fabd5cd Accept any alias, not just the last value
  • 16092c3 Restore krbCanonicalName handling

Metadata Update from @mkosek (2 years ago):
- Issue assigned to nalin
- Issue set to the milestone: FreeIPA 4.0 Backlog
