From e43231456d8de954423582dbee439e330573d04b Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 8 Sep 2015 16:45:23 +0200
Subject: [PATCH] perform case-insensitive principal search when canonicalization is requested
When canonicalization is requested, the krbprincipalname attribute is searched for case-insensitively. In the case that krbcanonicalname is not set, the matched alias is returned with the casing stored in backend, not the one input by client.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka
Reviewed-By: Simo Sorce
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d4adf27f2..348072402 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -31,7 +31,7 @@
 "(objectclass=krbprincipal)" \
 "(objectclass=ipakrbprincipal))" \
 "(|(ipakrbprincipalalias=%s)" \
- "(krbprincipalname=%s)))"
+ "(krbprincipalname:caseIgnoreIA5Match:=%s)))"
 #define PRINC_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
 "(objectclass=krbprincipal))" \
@@ -959,6 +959,17 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 NULL, NULL, &result) != 0)
 return KRB5_KDB_INTERNAL_ERROR;
 found = (result == 0);
+ if (found) {
+ /* replace the incoming principal with the value having
+ * the correct case. This ensures that valid name/alias
+ * is returned even if krbCanonicalName is not present
+ */
+ free(*principal);
+ *principal = strdup(vals[i]->bv_val);
+ if (!(*principal)) {
+ return KRB5_KDB_INTERNAL_ERROR;
+ }
+ }
 } else {
 found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
 }
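Review bot: The filter macro changed here carries no comment explaining that `krbprincipalname` is now matched with `caseIgnoreIA5Match` while `ipakrbprincipalalias` keeps a plain equality test, and the wider match matters for authentication because entries whose names differ only in case now all satisfy the search. Add a comment above the macro (its `#define` line is above the hunk) such as `/* krbprincipalname is matched case-insensitively; more than one entry may match, callers must select the right value */`. Both `%s` slots presumably receive the client-supplied principal, so it is worth confirming that the caller escapes it for LDAP filter syntax before formatting; that code is not visible here.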
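Review bot: In the added `if (found)` branch the caller's string is freed before the replacement is known to exist, so a failed `strdup()` returns with `*principal` set to NULL and the original name gone. Duplicate into a temporary first and swap only on success, as in the fence below. The early return also skips whatever cleanup `vals` needs if this function owns it, which the hunk does not show; ipadb_find_principal's body starts and ends outside the hunk, so that should be confirmed there. `strdup()` additionally relies on `bv_val` being NUL-terminated, which the existing `strcmp()` branch already assumes.

```c
if (found) {
    /* … unchanged: comment on replacing the incoming principal … */
    char *matched = strdup(vals[i]->bv_val);
    if (matched == NULL) {
        return KRB5_KDB_INTERNAL_ERROR;
    }
    free(*principal);
    *principal = matched;
}
```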