IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-kdb: support getprincs request in kadmin.local

Browse Source 
kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.

The whole filter looks like this

 (&(|
    (objectclass=krbprincipalaux)
    (objectclass=krbprincipal)
    (objectclass=ipakrbprincipal))
   (|(ipakrbprincipalalias=*)
     (krbprincipalname:caseIgnoreIA5Match:=*)))

There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:

      extensible     = ( attr [dnattrs]
                           [matchingrule] COLON EQUALS assertionvalue )
                       / ( [dnattrs]
                            matchingrule COLON EQUALS assertionvalue )

In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using <valueencoding> rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.

Fixes: https://pagure.io/freeipa/issue/8490

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Alexander Bokovoy 2020-09-09 16:09:12 +03:00 committed by Rob Crittenden
parent f249c51bf4
commit d00106b34d
1 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
daemons/ipa-kdb/ipa_kdb_principals.c
View File

@ -966,6 +966,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
krb5_error_code kerr; krb5_error_code kerr;
char *src_filter = NULL, *esc_original_princ = NULL; char *src_filter = NULL, *esc_original_princ = NULL;
int ret; int ret;
int len = 0;
if (!ipactx->lcontext) { if (!ipactx->lcontext) {
ret = ipadb_get_connection(ipactx); ret = ipadb_get_connection(ipactx);
@ -983,6 +984,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
goto done; goto done;
} }
len = strlen(esc_original_princ);
/* Starting in DAL 8.0, aliases are always okay. */ /* Starting in DAL 8.0, aliases are always okay. */
#ifdef KRB5_KDB_FLAG_ALIAS_OK #ifdef KRB5_KDB_FLAG_ALIAS_OK
if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) { if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
@ -996,12 +999,24 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
} else } else
#endif #endif
{ {
/* In case we've got a principal name as '*' we have to
* follow RFC 4515 section 3 and reencode it using
* <valueencoding> rule from RFC 4511 section 4.1.6 but
* only to the part of the filter that does use assertion
* value. */
const char *asterisk = "%x2A";
char *assertion_value = esc_original_princ;
if ((len == 1) && (esc_original_princ[0] == '*')) {
assertion_value = asterisk;
}
if (filter == NULL) { if (filter == NULL) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, esc_original_princ); esc_original_princ, assertion_value);
} else { } else {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
esc_original_princ, esc_original_princ, filter); esc_original_princ, assertion_value, filter);
} }
} }