freeipa

Clone
Source Code
GIT

#3966 Fix handling of multiple krbPrincipalNames and of krbCanonicalNames in LDAP
Closed: Fixed None Opened 10 years ago by mkosek.

Closed: Fixed
Reopen Issue

From freeipa-devel thread: comparing master's ipa-kdb's handling of krbPrincipalName and krbCanonicalName attributes with that of the upstream kldap driver, there are a few differences which I'm thinking are bugs.

  • If an entry has multiple krbPrincipalName values, the name which was used to look it up is required to match only the last value of the attribute that we read, not any of them.
  • If an entry has a krbCanonicalName value, and the name which we used to look it up doesn't match it, if database aliases are allowed, we return an error instead of using it to populate the returned entry.

Related ticket: #3961 and #3864.

Moving to the same milestone as #3864.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Very related ticket: #3679. It should be investigated as well to see if it makes sense to fix them both.

master:

  • fabd5cd Accept any alias, not just the last value
  • 16092c3 Restore krbCanonicalName handling

Metadata Update from @mkosek:
- Issue assigned to nalin
- Issue set to the milestone: FreeIPA 4.0 Backlog
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
normal
None
None
None
None
defect
None
None
KDC LDAP driver
None
1
None
None
npmccallum
None
0
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.