On 05/29/2014 06:30 PM, Nathaniel McCallum wrote:
> On Mon, 2013-10-07 at 15:53 -0400, Nalin Dahyabhai wrote:
>> Comparing master's ipa-kdb's handling of krbPrincipalName and
>> krbCanonicalName attributes with that of the upstream kldap driver,
>> there are a few differences which I'm thinking are bugs.
>>
>> * If an entry has multiple krbPrincipalName values, the name which
>>   was used to look it up is required to match only the last value of the
>>   attribute that we read, not any of them.
>> * If an entry has a krbCanonicalName value, and the name which we used
>>   to look it up doesn't match it, if database aliases are allowed, we
>>   return an error instead of using it to populate the returned entry.
>>
>> I'm attaching patches for both of these, though the second still doesn't
>> quite match the behavior of kldap.so, in that we don't preserve the
>> requested name if it differs from the canonical name only in case. I
>> don't know that it matters, but I'm mentioning here just in case.
>
> 0001: ACK
> 0002: I don't think that matters. If it does, the fix is easy. ACK
>
> Nathaniel

Added link to ticket and pushed to master:
16092c39073e6512e897dc671fd22b2b583ea5b5
--
Petr³
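
The two lookup behaviours Nalin describes, modelled as an added example that is not ipa-kdb, kldap or patch code. Assumptions: principal names are plain strings compared exactly, all function names and sample values are constructed, and returning no match when aliases are not allowed is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: one entry carrying two krbPrincipalName values. */
static const char *const SAMPLE[] = { "alice@EXAMPLE.TEST", "asmith@EXAMPLE.TEST" };
static const size_t SAMPLE_N = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

/* Behaviour described as a bug: the result is overwritten for every value,
 * so only the last value read decides whether the entry matches. */
int match_last_only(const char *const *vals, size_t n, const char *search)
{
    int ok = 0;
    for (size_t i = 0; i < n; i++)
        ok = (strcmp(vals[i], search) == 0);
    return ok;
}

/* Any of the values may match the searched-for name. */
int match_any(const char *const *vals, size_t n, const char *search)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(vals[i], search) == 0)
            return 1;
    return 0;
}

/* Name to put in the returned entry, or NULL when the lookup fails.
 * canonical may be NULL (no krbCanonicalName on the entry). */
const char *entry_name(const char *const *vals, size_t n, const char *canonical,
                       const char *search, int aliases_allowed)
{
    if (!match_any(vals, n, search))
        return NULL;
    if (canonical == NULL || strcmp(canonical, search) == 0)
        return search;
    /* Searched name is an alias: use the canonical name when aliases are
     * allowed; treating the other case as "no match" is an assumption. */
    return aliases_allowed ? canonical : NULL;
}

int main(void)
{
    const char *r = entry_name(SAMPLE, SAMPLE_N, "asmith@EXAMPLE.TEST", "alice@EXAMPLE.TEST", 1);
    printf("last-only=%d any=%d\n", match_last_only(SAMPLE, SAMPLE_N, "alice@EXAMPLE.TEST"),
           match_any(SAMPLE, SAMPLE_N, "alice@EXAMPLE.TEST"));
    printf("entry name: %s\n", r ? r : "(none)");
    return 0;
}
```

Because the comparison with the canonical name is exact, a request that differs from it only in case gets the canonical spelling back, which is the remaining difference from kldap.so mentioned in the thread.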