freeipa/daemons
Alexander Bokovoy 8b6d1ab854 ipa-kdb: support subordinate/superior UPN suffixes
[MS-ADTS] 6.1.6.9.3.2 requires the msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform to certain rules.
One side-effect of those rules is that the list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if the list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

The IPA KDB driver used exact comparison of the UPN suffixes, so any
subordinate had to be specified exactly.

Modify the logic so that if the exact check does not succeed, we validate a
realm to test whether it is a subordinate of the known UPN suffixes. The
subordinate check is done by making sure the UPN suffix is at the end of the
test realm and is immediately preceded by a dot.

Because the function to check suffixes is potentially called for every
Kerberos principal, precalculate and cache the length of each UPN suffix at
the time we retrieve the list of them.

Fixes: https://pagure.io/freeipa/issue/8554

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2020-10-26 15:55:02 -04:00
dnssec ipa-dnskeysyncd: Raise loglevel to DEBUG 2020-08-31 09:42:31 +03:00
ipa-kdb ipa-kdb: support subordinate/superior UPN suffixes 2020-10-26 15:55:02 -04:00
ipa-otpd Easier to use ipa_gethostfqdn() 2020-10-26 17:11:19 +11:00
ipa-sam ipa_sam: do not modify static buffer holding fqdn 2020-10-26 17:11:19 +11:00
ipa-slapi-plugins Easier to use ipa_gethostfqdn() 2020-10-26 17:11:19 +11:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am Build: properly integrate ipa-version.h.in into build system 2016-11-29 15:28:24 +01:00