On 10/07/2013 09:53 PM, Nalin Dahyabhai wrote:
> Comparing master's ipa-kdb's handling of krbPrincipalName and
> krbCanonicalName attributes with that of the upstream kldap driver,
> there are a few differences which I'm thinking are bugs.
>
> * If an entry has multiple krbPrincipalName values, the name which
>   was used to look it up is required to match only the last value of the
>   attribute that we read, not any of them.
>
> * If an entry has a krbCanonicalName value, and the name which we used
>   to look it up doesn't match it, if database aliases are allowed, we
>   return an error instead of using it to populate the returned entry.
>
> I'm attaching patches for both of these, though the second still doesn't
> quite match the behavior of kldap.so, in that we don't preserve the
> requested name if it differs from the canonical name only in case. I
> don't know that it matters, but I'm mentioning here just in case.
>
> Cheers,
>
> Nalin

FYI, I filed an upstream ticket to track this effort: https://fedorahosted.org/freeipa/ticket/3966

Martin
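The two lookup behaviours described in the quoted message, modelled as an added C illustration that is not part of this thread, the attached patches, or ipa-kdb itself. The `struct entry` type, the function names and the sample principals are hypothetical, and names are compared with exact `strcmp`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one directory entry; not ipa-kdb's own structures. */
struct entry {
    const char *const *principal_names; /* krbPrincipalName values, NULL-terminated */
    const char *canonical_name;         /* krbCanonicalName value, or NULL if absent */
};

/* First point: only the last value read is compared with the search name. */
static bool match_last_only(const struct entry *e, const char *search)
{
    const char *last = NULL;
    for (size_t i = 0; e->principal_names[i] != NULL; i++)
        last = e->principal_names[i];
    return last != NULL && strcmp(last, search) == 0;
}

/* Corrected form: the search name may match any of the values. */
static bool match_any(const struct entry *e, const char *search)
{
    for (size_t i = 0; e->principal_names[i] != NULL; i++)
        if (strcmp(e->principal_names[i], search) == 0)
            return true;
    return false;
}

/* Second point: name for the returned entry; NULL means the lookup fails. */
static const char *resolve_name(const struct entry *e, const char *search, bool aliases_allowed)
{
    if (!match_any(e, search))
        return NULL;
    if (e->canonical_name == NULL || strcmp(e->canonical_name, search) == 0)
        return search;
    return aliases_allowed ? e->canonical_name : NULL; /* no-alias failure is an assumption */
}

/* Constructed sample: two names on one entry, the first being canonical. */
static const char *const sample_names[] = {
    "host/web.example.test@EXAMPLE.TEST", "host/www.example.test@EXAMPLE.TEST", NULL };
static const struct entry sample = { sample_names, "host/web.example.test@EXAMPLE.TEST" };

int main(void)
{
    const char *name = resolve_name(&sample, sample_names[1], true);
    printf("%s -> %s\n", sample_names[1], name ? name : "(not found)");
    return 0;
}
```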