char *auth_ind = NULL;
char *strval[10] = { 0 };
char *ai, *ai_save = NULL;
- int sv_num = sizeof(strval) / sizeof(*strval);
+ int mask, sv_num = sizeof(strval) / sizeof(*strval);
ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,
&auth_ind);
- if (ret || auth_ind == NULL)
- goto cleanup;
+ if (ret)
+ return ret;
+ if (auth_ind == NULL) {
+ /* If we know krbPrincipalAuthInd attributes are present from loading
+ * the entry, delete them. */
+ ret = krb5_get_attributes_mask(context, entry, &mask);
+ if (!ret && (mask & KDB_AUTH_IND_ATTR)) {
+ return krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
+ LDAP_MOD_DELETE, NULL);
+ }
+ return 0;
+ }
ai = strtok_r(auth_ind, " ", &ai_save);
while (ai != NULL && i < sv_num) {
ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
LDAP_MOD_REPLACE, strval);
-
-cleanup:
krb5_dbe_free_string(context, auth_ind);
return ret;
}
} /* Modify Key data ends here */
- /* Auth indicators will also be stored in krbExtraData when processing
- * tl_data. */
- st = update_ldap_mod_auth_ind(context, entry, &mods);
- if (st != 0)
- goto cleanup;
-
/* Set tl_data */
if (entry->tl_data != NULL) {
int count = 0;
struct berval **ber_tl_data = NULL;
krb5_tl_data *ptr;
krb5_timestamp unlock_time;
+
+ /* Normalize required auth indicators, but also store them as string
+ * attributes within krbExtraData. */
+ st = update_ldap_mod_auth_ind(context, entry, &mods);
+ if (st != 0)
+ goto cleanup;
+
for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
mark('LDAP auth indicator')
-# Test auth indicator support
+# Test require_auth normalization.
realm.addprinc('authind', password('authind'))
realm.run([kadminl, 'setstr', 'authind', 'require_auth', 'otp radius'])
+# Check that krbPrincipalAuthInd attributes are set when the string
+# attribute it set.
out = ldap_search('(krbPrincipalName=authind*)')
if 'krbPrincipalAuthInd: otp' not in out:
fail('Expected krbPrincipalAuthInd value not in output')
if 'krbPrincipalAuthInd: radius' not in out:
fail('Expected krbPrincipalAuthInd value not in output')
+# Check that the string attribute still appears when the principal is
+# loaded.
realm.run([kadminl, 'getstrs', 'authind'],
expected_msg='require_auth: otp radius')
+# Modify the LDAP attributes and check that the change is reflected in
+# the string attribute.
+ldap_modify('dn: krbPrincipalName=authind@KRBTEST.COM,cn=t1,cn=krb5\n'
+ 'changetype: modify\n'
+ 'replace: krbPrincipalAuthInd\n'
+ 'krbPrincipalAuthInd: radius\n'
+ 'krbPrincipalAuthInd: pkinit\n')
+realm.run([kadminl, 'getstrs', 'authind'],
+ expected_msg='require_auth: radius pkinit')
+
+# Regression test for #8877: remove the string attribute and check
+# that it is reflected in the LDAP attributes and by getstrs.
+realm.run([kadminl, 'delstr', 'authind', 'require_auth'])
+out = ldap_search('(krbPrincipalName=authind*)')
+if 'krbPrincipalAuthInd' in out:
+ fail('krbPrincipalAuthInd attribute still present after delstr')
+out = realm.run([kadminl, 'getstrs', 'authind'])
+if 'require_auth' in out:
+ fail('require_auth string attribute still visible after delstr')
+
mark('LDAP service principal aliases')
# Test service principal aliases.
projects / thirdparty / krb5.git / commitdiff
