Add krbticketPolicyAux objectclass if needed

When modifying ticket flags add the objectclass to the object if it is missing. https://fedorahosted.org/freeipa/ticket/3901
2024-12-22 15:13:50 -06:00 · 2013-11-26 15:41:31 +00:00 · 2013-11-26 15:41:31 +00:00 · a1165ffbb8
commit a1165ffbb8
parent ba0da01c1d
2 changed files with 35 additions and 0 deletions
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@ -117,6 +117,7 @@ struct ipadb_e_data {
    struct ipapwd_policy *pol;
    time_t last_admin_unlock;
    char **authz_data;
+    bool has_tktpolaux;
 };

 struct ipadb_context *ipadb_get_context(krb5_context kcontext);
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@ -468,6 +468,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
        ied->ipa_user = true;
    }

+    /* check if it has the krbTicketPolicyAux objectclass */
+    ret = ipadb_ldap_attr_has_value(lcontext, lentry,
+                                    "objectClass", "krbTicketPolicyAux");
+    if (ret != 0 && ret != ENOENT) {
+        kerr = ret;
+        goto done;
+    }
+    if (ret == 0) {
+        ied->has_tktpolaux = true;
+    }
+
    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
                                 "krbPwdPolicyReference", &restring);
    switch (ret) {
@ -1411,6 +1422,29 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,

    /* KADM5_ATTRIBUTES */
    if (entry->mask & KMASK_ATTRIBUTES) {
+        /* if the object does not have the krbTicketPolicyAux class
+         * we need to add it or this will fail, only for modifications.
+         * We always add this objectclass by default when doing an add
+         * from scratch. */
+        if ((mod_op == LDAP_MOD_REPLACE) && entry->e_data) {
+            struct ipadb_e_data *ied;
+
+            ied = (struct ipadb_e_data *)entry->e_data;
+            if (ied->magic != IPA_E_DATA_MAGIC) {
+                kerr = EINVAL;
+                goto done;
+            }
+
+            if (!ied->has_tktpolaux) {
+                kerr = ipadb_get_ldap_mod_str(imods, "objectclass",
+                                              "krbTicketPolicyAux",
+                                              LDAP_MOD_ADD);
+                if (kerr) {
+                    goto done;
+                }
+            }
+        }
+
        kerr = ipadb_get_ldap_mod_int(imods,
                                      "krbTicketFlags",
                                      (int)entry->attributes,