ipa-kdb: when applying ticket policy, do not deny PKINIT

PKINIT differs from other pre-authentication methods by the fact that it
can be matched independently of the user authentication types via certmap
plugin in KDC.

Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.

Fixes: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Alexander Bokovoy 2023-11-24 11:54:04 +02:00 committed by Antonio Torres
parent 00f8ddbfd2
commit 69ae9febfb
GPG Key ID: 359FAF777296F653


@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
} else if (strcmp(auth_indicator, "pkinit") == 0) {
valid_auth_indicators++;
if (!(ua & IPADB_USER_AUTH_PKINIT)) {
*status = "PKINIT pre-authentication not allowed for this user.";
kerr = KRB5KDC_ERR_POLICY;
goto done;
}
/* allow PKINIT unconditionally -- it has passed already at this
* point so some certificate was useful, only apply the limits */
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
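Review bot: dropping the `ua & IPADB_USER_AUTH_PKINIT` check in this hunk means a principal whose configured user authentication types exclude PKINIT is no longer rejected here when the `pkinit` indicator is present, and the `*status` / `KRB5KDC_ERR_POLICY` path for that case goes away with it. The added comment says PKINIT "has passed already at this point" but not where that decision is made; suggest naming it, e.g. `/* allow PKINIT unconditionally: the KDC certmap plugin has already matched the certificate to this user, so only apply the limits */`, so a later reader does not reintroduce the removed check as a "missing" policy enforcement. Also worth confirming that `ua` is still read in the other branches of this chain, since the PKINIT branch was its only visible use in this hunk.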