ipa-kdb: use canonical principal in certauth plugin

Currently the certauth plugin uses the unmodified principal from the
request to look up the user. This might fail if e.g. enterprise
principals are used. With this patch the canonical principal from the kdc
entry is used.

Resolves https://pagure.io/freeipa/issue/6993

Reviewed-By: David Kupka <dkupka@redhat.com>
Sumit Bose 2017-06-01 18:17:53 +02:00 committed by Martin Basti
parent 2485c3377a
commit 117d6e9be0


@ -284,7 +284,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
}
}
ret = krb5_unparse_name(context, princ, &principal);
ret = krb5_unparse_name(context, db_entry->princ, &principal);
if (ret != 0) {
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
goto done;
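Review bot: At the changed `krb5_unparse_name(context, db_entry->princ, &principal)` call, the lines shown include no check that `db_entry` and `db_entry->princ` are non-NULL before the dereference; if nothing earlier in `ipa_certauth_authorize` guarantees that, add a guard that fails closed before this call. A short comment at the call saying that the canonical principal from the KDC entry is used so that enterprise principals resolve would help future readers. Separately, any `krb5_unparse_name` failure is reported as `KRB5KDC_ERR_CERTIFICATE_MISMATCH`, which discards the original value of `ret`; consider logging it before it is overwritten.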