If backend implements ->hdb_check_constrained_delegation, use it for processing.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25303 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2009-07-03 04:26:39 +00:00
parent 45ef83f6fd
commit 90de65f2be


@@ -492,6 +492,7 @@ check_tgs_flags(krb5_context context,
static krb5_error_code
check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
krb5_const_principal server)
{
@@ -499,21 +500,28 @@ check_constrained_delegation(krb5_context context,
krb5_error_code ret;
int i;
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
if (ret) {
krb5_clear_error_message(context);
return ret;
}
if (acl) {
for (i = 0; i < acl->len; i++) {
if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
return 0;
if (clientdb->hdb_check_constrained_delegation) {
ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
if (ret == 0)
return 0;
} else {
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
if (ret) {
krb5_clear_error_message(context);
return ret;
}
if (acl) {
for (i = 0; i < acl->len; i++) {
if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
return 0;
}
}
ret = KRB5KDC_ERR_BADOPTION;
}
kdc_log(context, config, 0,
"Bad request for constrained delegation");
return KRB5KDC_ERR_BADOPTION;
return ret;
}
/*
@@ -1369,6 +1377,7 @@ tgs_build_reply(krb5_context context,
krb5_principal client_principal = NULL;
char *spn = NULL, *cpn = NULL;
hdb_entry_ex *server = NULL, *client = NULL;
HDB *clientdb;
krb5_realm ref_realm = NULL;
EncTicketPart *tgt = &ticket->ticket;
krb5_principals spp = NULL;
@@ -1531,7 +1540,7 @@ server_lookup:
}
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
NULL, &client);
&clientdb, &client);
if(ret) {
const char *krbtgt_realm;
@@ -1805,7 +1814,8 @@ server_lookup:
goto out;
}
ret = check_constrained_delegation(context, config, client, sp);
ret = check_constrained_delegation(context, config, clientdb,
client, sp);
if (ret) {
kdc_log(context, config, 0,
"constrained delegation from %s to %s not allowed",