mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
0e6d9edd5d
For a well-known anonymous principal an Anonymous PKINIT method is used which ignores the password set in the principal entry. For these principals any defined user auth type is irrelevant, their use is defined in RFC 6112. This gets confusing when a default user auth type requires a particular authentication method. When AS request for Anonymous PKINIT is used, a TGT would contain no authentication indicator. It means we cannot apply any specific indicator policy and must skip the checks.

Fixes: https://pagure.io/freeipa/issue/9165

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

- tests
- ipa_kdb_audit_as.c
- ipa_kdb_certauth.c
- ipa_kdb_common.c
- ipa_kdb_delegation.c
- ipa_kdb_kdcpolicy.c
- ipa_kdb_mkey.c
- ipa_kdb_mspac_private.h
- ipa_kdb_mspac_v6.c
- ipa_kdb_mspac_v9.c
- ipa_kdb_mspac.c
- ipa_kdb_passwords.c
- ipa_kdb_principals.c
- ipa_kdb_pwdpolicy.c
- ipa_kdb.c
- ipa_kdb.exports
- ipa_kdb.h
- ipa-print-pac.c
- Makefile.am
- README
- README.s4u2proxy.txt

This is the ipa krb5kdc database backend.

As the KDB interfaces heavily with krb5, we inherit its code style as well. However, note the following changes:

- no modelines (and different file preamble)
- return types don't require their own line
- single-statement blocks may optionally be braced
- /* and */ do not ever get their own line
- C99 for-loops are permitted (and encouraged)
- a restricted set of other C99 features are permitted

In particular, variable-length arrays, flexible array members, compound literals, universal character names, and //-style comments are not permitted.

Use of regular malloc/free is preferred over talloc for new code.

By and large, existing code mostly conforms to these requirements. New code must conform to them.