ipa-kdb: do not fail if certmap rule cannot be added

Currently if a certificate mapping and matching rule has a typo or is of an unsupported type the whole rule processing is aborted and the IPA certmap plugin works without any rules effectively disabling PKINIT for users. Since each rule would only allow more certificates for PKINIT it would be more user/admin friendly to just ignore the failed rules with a log message and continue with what is left or use the default rule if nothing is left. This change is done to add more flexibility to define new mapping and matching templates which are e.g. needed to cover changes planned by Microsoft as explained in https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-09-06 13:46:16 +02:00
parent d4fa80b224
commit 0ce3ab36b4
1 changed files with 28 additions and 8 deletions
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -120,6 +120,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
    char *map_rule = NULL;
    char *match_rule = NULL;
    char **domains = NULL;
+    bool rule_added = false;

    const char *certmap_attrs[] = { OBJECTCLASS,
                                    IPA_CERTMAP_PRIORITY,
@@ -171,13 +172,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
        return ret;
    }

-    if (kerr == KRB5_KDB_NOENTRY) {
-        ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO,
-                                   NULL, NULL, NULL);
-        if (ret != 0) {
-            goto done;
-        }
-    } else {
+    if (kerr != KRB5_KDB_NOENTRY) {
        lc = ipactx->lcontext;

        for (le = ldap_first_entry(lc, result); le;
@@ -221,8 +216,33 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
            ret = sss_certmap_add_rule(ctx, prio, match_rule, map_rule,
                                       (const char **) domains);
            if (ret != 0) {
-                goto done;
+                krb5_klog_syslog(LOG_ERR,
+                                 "Failed to add certificate mapping [%s] and "
+                                 "matching [%s] rule with error [%d][%s], "
+                                 "skipping. Please check for typos and if rule "
+                                 "syntax is supported.", map_rule, match_rule,
+                                 ret, strerror(ret));
+                continue;
            }
+
+            rule_added = true;
+        }
+    }
+
+    if (!rule_added) {
+        if (kerr == KRB5_KDB_NOENTRY) {
+            krb5_klog_syslog(LOG_INFO,
+                             "No certificate mapping and matching rule "
+                             "defined, trying to use the default rule.");
+        } else {
+            krb5_klog_syslog(LOG_INFO,
+                             "No valid certificate mapping and matching rule "
+                             "found, trying to use the default rule.");
+        }
+        ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO,
+                                   NULL, NULL, NULL);
+        if (ret != 0) {
+            goto done;
        }
    }