Subject: Renaming principals with LDAP KDB deletes the principal
kadm5_rename_principal gets the source principal entry, fixes up the
salts in the key data, sets the new principal name, puts the modified
principal entry, and then deletes the source principal entry.

This works with BDB, but fails badly with LDAP for two reasons:

1. We don't set mask attributes to indicate that this is a new
principal.

2. When the LDAP back end loads the source principal entry, it
inserts a tl-data value of type KDB_TL_USERDN containing the DN.
When we put the principal entry, this tl-data value is extracted and
used as the DN to use. We don't want that to happen; we want the KDB
module to construct a new DN based on the new principal name.

The upshot is that we make a few modifications to the source
principal DN, then delete it.
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8065] Renaming principals with LDAP KDB deletes the principal
Date: Tue, 03 Feb 2015 14:31:49 -0500
>>>>> "Greg" == Greg Hudson via RT <rt-comment@krbdev.mit.edu> writes:

Greg> 2. When the LDAP back end loads the source principal entry, it
Greg> inserts a tl-data value of type KDB_TL_USERDN containing the
Greg> DN. When we put the principal entry, this tl-data value is
Greg> extracted and used as the DN to use. We don't want that to
Greg> happen; we want the KDB module to construct a new DN based on
Greg> the new principal name.

I'm not sure that's true.
In my directory I have principals stored inside account objects. For
example I have uid=hartmans,ou=users,dc=painless-security,dc=com.
I really want the principal to stay there even if I rename it.
If I'm also renaming the account I'll do that with an ldap operation and
that will rename the object. Yes, the principal also needs to get
renamed, but I'd be really annoyed if renaming a principal moved a
principal contained in an account object out of that object.

--Sam
Fair point. If the source principal entry is a standalone principal
object, we want to change the DN, but if it's not, we ought to just
modify it in place. (Determining whether a principal entry is a
standalone principal object is easy; there's tl-data and a
libkdb_ldap function for that.)

Principal aliases also make this problem tricky, whether we are
creating a new DN or modifying an existing one.

If the source principal name is an alias, we could reasonably error
out (kadmin doesn't currently manage aliases). If not, we don't
really need to add a special salt to the key data, but we do want to
update the last-modified tl-data as well as the krbPrincipalName
attribute.

If the source principal name is the canonical name but the principal
entry has aliases, we want to make sure those aliases are preserved.
So the krbCanonicalName attribute should be changed as well as the
matching krbPrincipalName, and all other krbPrincipalNames should be
retained.

In general this seems hard to fix in a minimal way. We will almost
certainly need to add some form of DAL rename method. I don't think
we currently have a complete minor version story for the DAL,
although we could invent one without breaking anything. Given the
size of the required fix, it may be best to disable rename_principal
for the LDAP module in 1.13.x, and support it in 1.14.
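A constructed Python model of the failure in the original report and of the module-aware rename discussed in this reply (added here; not krb5 code: the class, the mask bit, the DN layout and the "standalone object" test are stand-ins for what libkdb_ldap does).

```python
KDB_TL_USERDN = "KDB_TL_USERDN"  # tl-data type the LDAP module adds on load
KADM5_PRINCIPAL = 1              # constructed mask bit: "principal name changed"

class LdapKdb:
    """Constructed stand-in for the LDAP KDB module: maps DN -> entry."""
    def __init__(self):
        self.db = {}

    def standalone_dn(self, princ):
        return "krbPrincipalName=%s,cn=REALM,cn=krbcontainer" % princ

    def create(self, princ, dn=None):
        self.db[dn or self.standalone_dn(princ)] = {"princ": princ}

    def get(self, princ):
        for dn, e in self.db.items():
            if e["princ"] == princ:  # loading inserts the DN as tl-data
                return {"princ": princ, "tl": {KDB_TL_USERDN: dn}}
        raise KeyError(princ)

    def put(self, entry, mask):
        # Existing DN from tl-data wins, and only masked attributes change;
        # without KDB_TL_USERDN a new standalone object is constructed.
        dn = entry["tl"].get(KDB_TL_USERDN, self.standalone_dn(entry["princ"]))
        if dn not in self.db:
            self.db[dn] = {"princ": entry["princ"]}
        elif mask & KADM5_PRINCIPAL:
            self.db[dn]["princ"] = entry["princ"]

    def delete(self, princ):
        del self.db[self.get(princ)["tl"][KDB_TL_USERDN]]

def rename_get_put_delete(kdb, old, new):
    """libkadm5srv's original get/put/delete sequence: the bug in the ticket."""
    e = kdb.get(old)
    e["princ"] = new
    kdb.put(e, mask=0)  # mask never said "new principal": modifies source DN
    kdb.delete(old)     # ... and then deletes that same DN

def rename_in_module(kdb, old, new):
    """Module-aware rename as discussed: a standalone principal object gets a
    new DN; a principal inside another object (e.g. an account) is modified in
    place.  Returns the DN the renamed principal lives at."""
    dn = kdb.get(old)["tl"][KDB_TL_USERDN]
    if dn.startswith("krbPrincipalName="):
        kdb.db[kdb.standalone_dn(new)] = kdb.db.pop(dn)
        dn = kdb.standalone_dn(new)
    kdb.db[dn]["princ"] = new
    return dn
```

Running the first function against a fresh store leaves it empty, which is the symptom in the ticket title; the second keeps a principal stored under an account object at that object's DN.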
From: ghudson@mit.edu
Subject: git commit

Add new DAL function for renaming principals

Previously libkadm5srv renamed principals by getting the principal
entry, renaming the entry, putting it in the DB, then deleting the old
one. This does not work in certain KDB modules such as LDAP. A new
DAL function is necessary to support all KDB modules. Add a new DAL
function to support custom renames in all KDB modules, with a default
implementation that performs the previous functionality of adding and
deleting the principal entry.

NOTE: if the default rename function isn't used and iprop logging is
enabled, iprop would fail since it doesn't formally support renaming.
In that case, the call to krb5_db_rename_principal() will fail with
the code KRB5_PLUGIN_OP_NOTSUPP.

https://github.com/krb5/krb5/commit/c38838be956ce72fcd7142f14bc374dc13dd8bb2
Author: Sarah Day <sarahday@mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: c38838be956ce72fcd7142f14bc374dc13dd8bb2
Branch: master
src/include/kdb.h | 23 +++++++++-
src/lib/kadm5/srv/svr_principal.c | 86 ++++++------------------------------
src/lib/kdb/kdb5.c | 33 ++++++++++++++
src/lib/kdb/kdb_default.c | 39 +++++++++++++++++
src/lib/kdb/libkdb5.exports | 1 +
src/plugins/kdb/db2/db2_exp.c | 1 +
src/plugins/kdb/ldap/ldap_exp.c | 1 +
src/plugins/kdb/test/kdb_test.c | 1 +
src/tests/t_iprop.py | 25 ++++++++++-
9 files changed, 136 insertions(+), 74 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Implement principal renaming in LDAP

The generic method of renaming principals (by adding a new entry and
deleting the old one) does not work in LDAP. Add an LDAP
implementation of rename that properly renames the DN and attributes
when necessary.

[ghudson@mit.edu: minor naming changes and code simplifications]

https://github.com/krb5/krb5/commit/2ac75e548afadde4f87f20fcc1ee1472cdac3fed
Author: Sarah Day <sarahday@mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 2ac75e548afadde4f87f20fcc1ee1472cdac3fed
Branch: master
src/plugins/kdb/ldap/ldap_exp.c | 2 +-
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 52 +++++
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h | 8 +
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 216 ++++++++++++++++++++
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h | 7 +
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 2 +-
.../kdb/ldap/libkdb_ldap/libkdb_ldap.exports | 1 +
src/tests/t_kdb.py | 12 +
8 files changed, 298 insertions(+), 2 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix memory leak in LDAP rename

krb5_ldap_rename_principal() must free bersecretkey.

https://github.com/krb5/krb5/commit/80d1c7cee0e861166925de1fe157f11a9ef1c22f
Author: Greg Hudson <ghudson@mit.edu>
Commit: 80d1c7cee0e861166925de1fe157f11a9ef1c22f
Branch: master
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 1 +
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h | 3 +++
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 2 +-
3 files changed, 5 insertions(+), 1 deletions(-)