freeipa/daemons/ipa-kdb
Alexander Bokovoy 0317255b53 ipa-kdb: add UPN_DNS_INFO PAC structure
UPN_DNS_INFO structure contains the client's user principal name (UPN)
and a fully qualified domain name. It is used to provide the UPN and the
FQDN that corresponds to the client of the ticket.

The structure is defined in MS-PAC section 2.10. The MS-KILE specification
says in section 3.3.5.6.4.5 that KDCs should return this buffer. It
further clarifies in section 3.3.5.2 that if the user account object has no
userPrincipalName attribute, UPN_DNS_INFO should be constructed by
concatenating user name, the "@" symbol, and the DNS name of the domain.

IPA users don't really have a userPrincipalName attribute. Instead, we
always construct their account names in the LOGON Info3 structure by
unparsing the canonical principal name without realm, meaning that user
principal can be recovered by concatenating the account name and the
realm (domain).

Unless the account name and unparsed client principal name are different
or the primary Info3 gid (group RID) is the one for machine accounts,
mark the UPN as constructed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
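The UPN construction rule and the MS-PAC 2.10 buffer layout described in the commit message above, as an added C example that is not FreeIPA's own ipa_kdb_mspac.c code. The function names, the use of the well-known Domain Computers RID 515 as the machine-account RID, the 0x1 value for MS-PAC's flag U, and the 16-byte header padding are assumptions made here.

```c
#include <stdint.h>
#include <string.h>

#define UPN_DNS_INFO_FLAG_U        0x00000001 /* MS-PAC 2.10 flag U: UPN was constructed */
#define DOMAIN_GROUP_RID_COMPUTERS 515        /* well-known "Domain Computers" RID */

/* Rule from the commit message: the UPN counts as constructed unless the Info3
 * account name differs from the realm-less unparsed client principal, or the
 * primary group RID is the machine-account one (assumed to be 515 here). */
int upn_is_constructed(const char *account_name, const char *princ_no_realm,
                       uint32_t primary_gid)
{
    if (strcmp(account_name, princ_no_realm) != 0)
        return 0;
    return primary_gid == DOMAIN_GROUP_RID_COMPUTERS ? 0 : 1;
}

static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
/* Append an ASCII string as UTF-16LE (no terminator); returns bytes written. */
static uint16_t put_utf16le(uint8_t *p, const char *s)
{
    uint16_t n = 0;
    for (; *s != '\0'; s++, n += 2) { p[n] = (uint8_t)*s; p[n + 1] = 0; }
    return n;
}

/* Serialize UPN_DNS_INFO (MS-PAC 2.10): UpnLength, UpnOffset, DnsDomainNameLength,
 * DnsDomainNameOffset (uint16 each), Flags (uint32), then both UTF-16LE strings at
 * offsets relative to the structure start. The UPN is account_name "@" realm, as
 * the commit message describes for IPA users. The 12-byte header is padded to 16
 * and the strings follow back to back (a layout choice made here). 0 = no room. */
size_t encode_upn_dns_info(const char *account_name, const char *realm,
                           const char *dns_domain, uint32_t flags,
                           uint8_t *out, size_t out_len)
{
    uint16_t upn_len = (uint16_t)((strlen(account_name) + 1 + strlen(realm)) * 2);
    uint16_t dns_len = (uint16_t)(strlen(dns_domain) * 2);
    uint16_t upn_off = 16, dns_off = (uint16_t)(upn_off + upn_len);
    size_t total = (size_t)dns_off + dns_len;
    if (total > out_len)
        return 0;
    memset(out, 0, total);
    put_le16(out, upn_len);     put_le16(out + 2, upn_off);
    put_le16(out + 4, dns_len); put_le16(out + 6, dns_off);
    put_le16(out + 8, (uint16_t)(flags & 0xffff)); put_le16(out + 10, (uint16_t)(flags >> 16));
    uint8_t *p = out + upn_off;
    p += put_utf16le(p, account_name); p += put_utf16le(p, "@"); put_utf16le(p, realm);
    put_utf16le(out + dns_off, dns_domain);
    return total;
}
```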
tests ipa-kdb: override krb5.conf when testing KDC code in cmocka 2017-11-29 15:55:00 +02:00
ipa_kdb_audit_as.c kdb: make sure audit_as_req callback signature change is preserved 2020-02-17 16:03:11 +02:00
ipa_kdb_certauth.c Handle the removal of KRB5_KDB_FLAG_ALIAS_OK 2020-01-31 14:36:31 +01:00
ipa_kdb_common.c ipa-kdb: reduce LDAP operations timeout to 30 seconds 2018-11-16 16:54:38 -05:00
ipa_kdb_delegation.c ipa-kdb: fix delegation acl check 2012-02-28 13:03:22 -05:00
ipa_kdb_kdcpolicy.c Handle the removal of KRB5_KDB_FLAG_ALIAS_OK 2020-01-31 14:36:31 +01:00
ipa_kdb_mkey.c ipa-kdb: Get/Store Master Key directly from LDAP 2011-08-26 08:24:49 -04:00
ipa_kdb_mspac_private.h adtrust: support UPNs for trusted domain users 2016-06-11 17:25:50 +02:00
ipa_kdb_mspac.c ipa-kdb: add UPN_DNS_INFO PAC structure 2020-05-27 17:57:39 +03:00
ipa_kdb_passwords.c CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
ipa_kdb_principals.c kdb: fix memory handling in ipadb_find_principal 2020-05-08 09:37:37 +03:00
ipa_kdb_pwdpolicy.c Fix ipadb_multires resource handling 2018-10-24 16:11:55 +02:00
ipa_kdb.c Fix legacy S4U2Proxy in DAL v8 support 2020-02-01 10:05:46 +02:00
ipa_kdb.exports Add a skeleton kdcpolicy plugin 2019-09-10 12:33:21 +03:00
ipa_kdb.h kdb: make sure audit_as_req callback signature change is preserved 2020-02-17 16:03:11 +02:00
Makefile.am Use /run and /run/lock instead of /var 2020-04-15 18:48:50 +02:00
README Make the coding style explicit 2020-01-15 10:00:08 +01:00
README.s4u2proxy.txt Fix s4u2proxy README and add warning 2015-06-08 14:37:29 -04:00

This is the ipa krb5kdc database backend.

As the KDB interfaces heavily with krb5, we inherit its code style as well.
However, note the following changes:

- no modelines (and different file preamble)
- return types don't require their own line
- single-statement blocks may optionally be braced
- /* and */ do not ever get their own line
- C99 for-loops are permitted (and encouraged)
- a restricted set of other C99 features is permitted

In particular, variable-length arrays, flexible array members, compound
literals, universal character names, and //-style comments are not permitted.

Use of regular malloc/free is preferred over talloc for new code.

Existing code largely conforms to these requirements already. New code
must conform to them.