From: | "Machin, Glenn D" <GMachin@sandia.gov> |
To: | "krb5-bugs@mit.edu" <krb5-bugs@mit.edu> |
Subject: | Issue setting require_auth attribute with ldap backend with release 1.17 |
Date: | Sat, 22 Feb 2020 22:28:28 +0000 |
After setting an authentication indicator on a service. You cannot use delstr to remove it.
kadmin.local: setstr host/hostname.domain@realm require_auth LOA2
Attribute set for principal " host/hostname.domain@realm "
kadmin.local: getstrs host/hostname.domain
require_auth: LOA2
kadmin.local: delstr host/hostname.domain require_auth
Attribute removed from principal "host/hostname.domain@realm".
kadmin.local: getstrs host/hostname.domain
require_auth: LOA2
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c nevers checks to see if krbPrincipalAuthInd exists, in the case where it’s not being set.
/* Parse the "require_auth" string for auth indicators, adding them to the
* krbPrincipalAuthInd attribute. */
static krb5_error_code
update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
LDAPMod ***mods)
{
int i = 0;
krb5_error_code ret;
char *auth_ind = NULL;
char *strval[10] = { 0 };
char *ai, *ai_save = NULL;
int sv_num = sizeof(strval) / sizeof(*strval);
ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,
&auth_ind);
if (ret || auth_ind == NULL)
goto cleanup;
ai = strtok_r(auth_ind, " ", &ai_save);
while (ai != NULL && i < sv_num) {
strval[i++] = ai;
ai = strtok_r(NULL, " ", &ai_save);
}
ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
LDAP_MOD_REPLACE, strval);
cleanup:
krb5_dbe_free_string(context, auth_ind);
return ret;
}
Change above to :
int attr_mask = 0;
krb5_boolean has_AuthInd;
if (ret || auth_ind == NULL)
{
/* No krbPrincipalAuthInd to be set - lets check and see if current */
/* settings in ldap has it set. If so then we need to delete it */
ret = krb5_get_attributes_mask(context, entry, &attr_mask);
if (ret == 0){
/* If current ldap entry has krbPrincipalAuthInd set we need to delete it */
has_AuthInd = ((attr_mask & KDB_AUTH_IND_ATTR ) != 0);
if (has_AuthInd) {
ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
LDAP_MOD_DELETE,
NULL );
}
}
goto cleanup;
}