IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities

Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>

ipalib/util.py

@@ -901,3 +901,14 @@ def validate_bind_forwarder(ugettext, forwarder):
             return _('%(port)s is not a valid port' % dict(port=port))
 
     return None
+
+
+def set_krbcanonicalname(entry_attrs):
+    objectclasses = set(i.lower() for i in entry_attrs['objectclass'])
+
+    if 'krbprincipalaux' not in objectclasses:
+        return
+
+    if ('krbprincipalname' in entry_attrs
+            and 'krbcanonicalname' not in entry_attrs):
+        entry_attrs['krbcanonicalname'] = entry_attrs['krbprincipalname']

ipaserver/plugins/baseuser.py

@@ -39,6 +39,7 @@ from ipalib.util import (
     remove_sshpubkey_from_output_post,
     remove_sshpubkey_from_output_list_post,
     add_sshpubkey_to_attrs_pre,
+    set_krbcanonicalname
 )
 
 if six.PY3:
@@ -497,6 +498,7 @@ class baseuser_add(LDAPCreate):
     def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                             **options):
         assert isinstance(dn, DN)
+        set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):

ipaserver/plugins/host.py

@@ -50,6 +50,7 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
     remove_sshpubkey_from_output_list_post,
     normalize_hostname,
     hostname_validator,
+    set_krbcanonicalname
 )
 from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
 from ipapython.dnsutil import DNSName
@@ -632,6 +633,7 @@ class host_add(LDAPCreate):
                 entry_attrs['objectclass'].append('krbprincipalaux')
             if 'krbprincipal' not in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].append('krbprincipal')
+            set_krbcanonicalname(entry_attrs)
         else:
             if 'krbprincipalaux' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipalaux')

ipaserver/plugins/service.py

@@ -576,14 +576,8 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
-        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
-        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
-        # schema
-        entry_attrs['ipakrbprincipalalias'] = keys[-1]
-
-        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
-        # in a list of default objectclasses, add it manually
-        entry_attrs['objectclass'].append('ipakrbprincipal')
+        # set krbcanonicalname attribute to enable principal canonicalization
+        util.set_krbcanonicalname(entry_attrs)
 
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
 

ipaserver/plugins/stageuser.py

@@ -44,6 +44,7 @@ from .baseuser import (
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
+from ipalib.util import set_krbcanonicalname
 from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
@@ -532,6 +533,8 @@ class stageuser_activate(LDAPQuery):
         if 'krbprincipalname' not in entry_from:
             entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0], api.env.realm)
 
+        set_krbcanonicalname(entry_to)
+
     def __dict_new_entry(self, *args, **options):
         ldap = self.obj.backend