On Fri, Sep 25, 2009 at 09:40:49AM -0400, Stephen Gallagher wrote:
> On 09/25/2009 09:09 AM, Sumit Bose wrote:
> > Hi,
> >
> > this patch to the sssd-krb5 man page should clarify how the krb5
> > provider will find the right UPN.
> >
> > This hopefully fixes #204.
> >
> > Please feel free to correct any grammar or spelling mistakes.
> >
> > bye,
> > Sumit
>
> Just a few minor nitpicks.
> 1) Please rebase atop the current master.
>
> I'd rewrite the following paragraph:
> The Kerberos 5 authentication backend does not contain an identity
> provider. But some useful information can only be delivered by an
> identity provider, e.g. the User's Principle Name (UPN). If the
> identity provider knows the UPN, e.g. this is the case in Active
> Directory or FreeIPA domains, it can be saved in
> <command>sssd's</command> internal cache and used by the Kerberos 5
> authentication backend. Please refer to the man page of the used
> identity provider to see how to configure this.
>
> as
>
> The Kerberos 5 authentication backend does not contain an identity
> provider and must be paired with one in order to function properly (for
> example, id_provider = ldap). Some information required by the Kerberos
> 5 authentication backend must be provided by the identity provider, such
> as the user's Kerberos Principal Name (UPN). The configuration of the
> identity provider should have an entry to specify the UPN. Please refer
> to the man page for the applicable identity provider for details on how
> to configure this.
>
> Under krb5_try_simple_upn, please change "an User Principal Name" to "a
> User Principal Name".
> I'd also recommend that the last sentence read:
> "In this case, SSSD will construct a UPN using the format
> <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>"
>
After some discussion it became clear that it might be easier to drop the krb5_try_simple_upn option altogether and make the logic behind it a default fallback if the UPN cannot be found in sysdb. This patch does exactly that. Stephen's comments are included in the updated man page.

bye,
Sumit
>From 0467eec9839acc9260d40b8e8b8497320def1b4d Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Fri, 25 Sep 2009 17:35:56 +0200 Subject: [PATCH] remove krb5_try_simple_upn option and make it a default fallback --- server/confdb/confdb.h | 1 - server/man/sssd-krb5.5.xml | 30 ++++++++++++++++-------------- server/providers/krb5/krb5_auth.c | 9 +-------- server/providers/krb5/krb5_auth.h | 1 - 4 files changed, 17 insertions(+), 24 deletions(-) diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h index eef9a26..8f64be4 100644 --- a/server/confdb/confdb.h +++ b/server/confdb/confdb.h @@ -100,7 +100,6 @@ #define CONFDB_KRB5_REALM "krb5_realm" #define CONFDB_KRB5_CCACHEDIR "krb5_ccachedir" #define CONFDB_KRB5_CCNAME_TMPL "krb5_ccname_template" -#define CONFDB_KRB5_TRY_SIMPLE_UPN "krb5_try_simple_upn" #define CONFDB_KRB5_CHANGEPW_PRINC "krb5_changepw_principle" #define CONFDB_KRB5_AUTH_TIMEOUT "krb5_auth_timeout" diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml index 4de8991..0a46779 100644 --- a/server/man/sssd-krb5.5.xml +++ b/server/man/sssd-krb5.5.xml 
@@ -32,6 +32,22 @@ <manvolnum>5</manvolnum> </citerefentry> manual page </para> + <para> + The Kerberos 5 authentication backend does not contain an identity + provider and must be paired with one in order to function properly (for + example, id_provider = ldap). Some information required by the Kerberos + 5 authentication backend must be provider by the identity provider, such + as the user's Kerberos Principal Name (UPN). The configuration of the + identity provider should have an entry to specify the UPN. Please refer + to the man page for the applicable identity provider for details on how + to configure this. + </para> + <para> + In the case where the UPN is not available in the identity backend + <command>sssd</command> will construct a UPN using the format + <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>. + </para> + </refsect1> <refsect1 id='file-format'> @@ -64,20 +80,6 @@ </varlistentry> <varlistentry> - <term>krb5_try_simple_upn (boolean)</term> - <listitem> - <para> - Set this option to 'true' - if an User Principle Name (UPN) cannot be found in sysdb - and you want to use an UPN like 'usern...@realm'. - </para> - <para> - Default: false - </para> - </listitem> - </varlistentry> - - <varlistentry> <term>krb5_changepw_principle (string)</term> <listitem> <para> diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 05f21be..58f4edd 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -644,7 +644,7 @@ static void get_user_upn_done(void *pvt, int err, struct ldb_result *res) case 1: pd->upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL); - if (pd->upn == NULL && krb5_ctx->try_simple_upn) { + if (pd->upn == NULL) { /* NOTE: this is a hack, works only in some environments */ if (krb5_ctx->realm != NULL) { pd->upn = talloc_asprintf(be_req, "%...@%s", pd->user, 
@@ -865,7 +865,6 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, { struct krb5_ctx *ctx = NULL; char *value = NULL; - bool bool_value; int int_value; int ret; struct tevent_signal *sige; @@ -934,12 +933,6 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, } ctx->ccname_template = value; - ret = confdb_get_bool(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_TRY_SIMPLE_UPN, false, - &bool_value); - if (ret != EOK) goto fail; - ctx->try_simple_upn = bool_value; - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, CONFDB_KRB5_CHANGEPW_PRINC, "kadmin/changepw", diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h index 9a7807e..e70f5d3 100644 --- a/server/providers/krb5/krb5_auth.h +++ b/server/providers/krb5/krb5_auth.h @@ -88,7 +88,6 @@ struct krb5_ctx { char *kdcip; char *realm; - bool try_simple_upn; char *changepw_principle; char *ccache_dir; char *ccname_template; -- 1.6.2.5
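Review bot: dropping the CONFDB_KRB5_TRY_SIMPLE_UPN define in the confdb.h hunk means an existing sssd.conf that still sets krb5_try_simple_upn = false is now silently ignored and the username@krb5_realm fallback applies regardless; the man page hunks only delete the option's varlistentry, so please add a sentence to the man page (or at least the commit message) saying the option was removed and the fallback is now unconditional, so an operator upgrading can tell from the documentation why the krb5 backend may start asking the KDC for a principal it never tried before.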
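Review bot: three wording fixes in the first sssd-krb5.5.xml hunk (@@ -32,6 +32,22). "must be provider by the identity provider" should read "must be provided by"; "the user's Kerberos Principal Name (UPN)" expands the acronym wrongly, it is the User Principal Name as the removed krb5_try_simple_upn entry spells it; and the second paragraph states without qualification that sssd "will construct a UPN" when the identity backend has none, whereas the krb5_auth.c hunk only does so inside "if (krb5_ctx->realm != NULL)". Add "provided krb5_realm is set" (or a sentence that the realm must be configured) so the documentation matches the code, and a comma after "identity backend" would make that sentence easier to read.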
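Review bot: in the krb5_auth.c hunk at @@ -644, once the try_simple_upn guard becomes plain "if (pd->upn == NULL)" the branch labelled "/* NOTE: this is a hack, works only in some environments */" is the default path for every user without a sysdb UPN, so the comment no longer describes an opt-in; reword it to say this is the documented username@realm fallback and which environments it does not fit. The hunk also shows no else branch for krb5_ctx->realm == NULL, so pd->upn stays NULL there while the man page now promises a constructed principal; either fail the request explicitly at that point or emit a debug log line naming the principal that was constructed (or the reason none could be), so the attempted principal is visible in the logs when authentication fails.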
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel