[Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option

Adam Tkac atkac at redhat.com
Mon Jan 3 14:05:23 UTC 2011 

On Tue, Dec 21, 2010 at 08:36:17PM -0500, Simo Sorce wrote:
> 
> Attached find a patch in the proper git format.
> 
> Adam can you push it if you think it is ok ?

I added "#include <unistd.h>" into the ldap_helper.c to fix
following warning:

ldap_helper.c: In function 'new_ldap_instance':
ldap_helper.c:394:5: warning: implicit declaration of function 'gethostname'

Now patch looks fine for me, thank you. I've pushed it.

Regards, Adam

> From fa819bc901963bdb2ab5a1da2841f809598c28a3 Mon Sep 17 00:00:00 2001
> From: Zoran Pericic <zpericic at inet.hr>
> Date: Tue, 21 Dec 2010 20:12:10 -0500
> Subject: [PATCH] Use separate variables for sasl_user and krb5_principal
> 
> ---
>  src/ldap_helper.c |   31 +++++++++++++++++++++++++------
>  1 files changed, 25 insertions(+), 6 deletions(-)
> 
> diff --git a/src/ldap_helper.c b/src/ldap_helper.c
> index 5eed8afba7a275a6ebb3a28c707639516ba9af41..134a3e899bd413a8146dd19a68ab30fc26cec269 100644
> --- a/src/ldap_helper.c
> +++ b/src/ldap_helper.c
> @@ -128,6 +128,7 @@ struct ldap_instance {
>  	ldap_auth_t		auth_method;
>  	ld_string_t		*bind_dn;
>  	ld_string_t		*password;
> +	ld_string_t		*krb5_principal;
>  	ld_string_t		*sasl_mech;
>  	ld_string_t		*sasl_user;
>  	ld_string_t		*sasl_auth_name;
> @@ -293,6 +294,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
>  		{ "auth_method", default_string("none")		},
>  		{ "bind_dn",	 default_string("")		},
>  		{ "password",	 default_string("")		},
> +		{ "krb5_principal", default_string("")		},
>  		{ "sasl_mech",	 default_string("GSSAPI")	},
>  		{ "sasl_user",	 default_string("")		},
>  		{ "sasl_auth_name", default_string("")		},
> @@ -330,6 +332,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
>  	CHECK(str_new(mctx, &ldap_inst->base));
>  	CHECK(str_new(mctx, &ldap_inst->bind_dn));
>  	CHECK(str_new(mctx, &ldap_inst->password));
> +	CHECK(str_new(mctx, &ldap_inst->krb5_principal));
>  	CHECK(str_new(mctx, &ldap_inst->sasl_mech));
>  	CHECK(str_new(mctx, &ldap_inst->sasl_user));
>  	CHECK(str_new(mctx, &ldap_inst->sasl_auth_name));
> @@ -346,6 +349,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
>  	ldap_settings[i++].target = auth_method_str;
>  	ldap_settings[i++].target = ldap_inst->bind_dn;
>  	ldap_settings[i++].target = ldap_inst->password;
> +	ldap_settings[i++].target = ldap_inst->krb5_principal;
>  	ldap_settings[i++].target = ldap_inst->sasl_mech;
>  	ldap_settings[i++].target = ldap_inst->sasl_user;
>  	ldap_settings[i++].target = ldap_inst->sasl_auth_name;
> @@ -382,11 +386,25 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
>  	/* check we have the right data when SASL/GSSAPI is selected */
>  	if ((ldap_inst->auth_method == AUTH_SASL) &&
>  	     (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
> -		if ((ldap_inst->sasl_user == NULL) ||
> -		    (str_len(ldap_inst->sasl_user) == 0)) {
> -			log_error("Sasl mech GSSAPI defined but sasl_user is empty");
> -			result = ISC_R_FAILURE;
> -			goto cleanup;
> +		if ((ldap_inst->krb5_principal == NULL) ||
> +		    (str_len(ldap_inst->krb5_principal) == 0)) {
> +			if ((ldap_inst->sasl_user == NULL) ||
> +			    (str_len(ldap_inst->sasl_user) == 0)) {
> +				char hostname[255];
> +				if (gethostname(hostname, 255) != 0) {
> +					log_error("SASL mech GSSAPI defined but krb5_principal"
> +						"and sasl_user are empty. Could not get hostname");
> +					result = ISC_R_FAILURE;
> +					goto cleanup;
> +				} else {
> +					str_sprintf(ldap_inst->krb5_principal, "DNS/%s", hostname);
> +					log_debug(2, "SASL mech GSSAPI defined but krb5_principal"
> +						"and sasl_user are empty, using default %s",
> +						str_buf(ldap_inst->krb5_principal));
> +				}
> +			} else {
> +				str_copy(ldap_inst->krb5_principal, ldap_inst->sasl_user);
> +			}
>  		}
>  	}
>  
> @@ -447,6 +465,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp)
>  	str_destroy(&ldap_inst->base);
>  	str_destroy(&ldap_inst->bind_dn);
>  	str_destroy(&ldap_inst->password);
> +	str_destroy(&ldap_inst->krb5_principal);
>  	str_destroy(&ldap_inst->sasl_mech);
>  	str_destroy(&ldap_inst->sasl_user);
>  	str_destroy(&ldap_inst->sasl_auth_name);
> @@ -1618,7 +1637,7 @@ ldap_reconnect(ldap_connection_t *ldap_conn)
>  			isc_result_t result;
>  			LOCK(&ldap_inst->kinit_lock);
>  			result = get_krb5_tgt(ldap_inst->mctx,
> -					      str_buf(ldap_inst->sasl_user),
> +					      str_buf(ldap_inst->krb5_principal),
>  					      str_buf(ldap_inst->krb5_keytab));
>  			UNLOCK(&ldap_inst->kinit_lock);
>  			if (result != ISC_R_SUCCESS)
> -- 
> 1.7.3.3
> 


-- 
Adam Tkac, Red Hat, Inc.

More information about the Freeipa-devel mailing list