Disable principal renames for LDAP

The current principal rename procedure does not work with the LDAP KDB
module, instead having the effect of deleting the principal.  The fix
is not easy and requires amending the DAL (see issue #8065).  For now,
detect LDAP and error out when a rename operation is attempted.

(cherry picked from commit 8483243664a289fea142d8a9de61eba30d713871)

ticket: 8162
version_fixed: 1.13.2
status: resolved

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d4e74cc267f441c52f99377a98ae852e4b2df14b..27f8eba2d908e4f76f9a1392e11e0dffd8592026 100644 (file)
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -782,6 +782,7 @@ kadm5_rename_principal(void *server_handle,
     kadm5_server_handle_t handle = server_handle;
     krb5_int16 stype, i;
     krb5_data *salt = NULL;
+    krb5_tl_data tl;
 
     CHECK_HANDLE(server_handle);
 
@@ -798,6 +799,18 @@ kadm5_rename_principal(void *server_handle,
     if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
         return ret;
 
+    /*
+     * This rename procedure does not work with the LDAP KDB module (see issue
+     * #8065).  As a stopgap, look for tl-data indicating LDAP and error out.
+     * 0x7FFE is KDB_TL_USER_INFO as defined in kdb_ldap.h.
+     */
+    tl.tl_data_type = 0x7FFE;
+    if (krb5_dbe_lookup_tl_data(handle->context, kdb, &tl) == 0 &&
+        tl.tl_data_length > 0) {
+        ret = KRB5_PLUGIN_OP_NOTSUPP;
+        goto done;
+    }
+
     /* Transform salts as necessary. */
     for (i = 0; i < kdb->n_key_data; i++) {
         ret = krb5_dbe_compute_salt(handle->context, &kdb->key_data[i],