If backend implements ->hdb_check_constrained_delegation, use it for processing.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25303 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2009-07-03 04:26:39 +00:00
parent 45ef83f6fd
commit 90de65f2be


@@ -492,6 +492,7 @@ check_tgs_flags(krb5_context context,
static krb5_error_code static krb5_error_code
check_constrained_delegation(krb5_context context, check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client, hdb_entry_ex *client,
krb5_const_principal server) krb5_const_principal server)
{ {
@@ -499,21 +500,28 @@ check_constrained_delegation(krb5_context context,
krb5_error_code ret; krb5_error_code ret;
int i; int i;
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); if (clientdb->hdb_check_constrained_delegation) {
if (ret) { ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
krb5_clear_error_message(context); if (ret == 0)
return ret; return 0;
} } else {
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
if (acl) { if (ret) {
for (i = 0; i < acl->len; i++) { krb5_clear_error_message(context);
if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE) return ret;
return 0;
} }
if (acl) {
for (i = 0; i < acl->len; i++) {
if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
return 0;
}
}
ret = KRB5KDC_ERR_BADOPTION;
} }
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Bad request for constrained delegation"); "Bad request for constrained delegation");
return KRB5KDC_ERR_BADOPTION; return ret;
} }
/* /*
@@ -1369,6 +1377,7 @@ tgs_build_reply(krb5_context context,
krb5_principal client_principal = NULL; krb5_principal client_principal = NULL;
char *spn = NULL, *cpn = NULL; char *spn = NULL, *cpn = NULL;
hdb_entry_ex *server = NULL, *client = NULL; hdb_entry_ex *server = NULL, *client = NULL;
HDB *clientdb;
krb5_realm ref_realm = NULL; krb5_realm ref_realm = NULL;
EncTicketPart *tgt = &ticket->ticket; EncTicketPart *tgt = &ticket->ticket;
krb5_principals spp = NULL; krb5_principals spp = NULL;
@@ -1531,7 +1540,7 @@ server_lookup:
} }
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON, ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
NULL, &client); &clientdb, &client);
if(ret) { if(ret) {
const char *krbtgt_realm; const char *krbtgt_realm;
@@ -1805,7 +1814,8 @@ server_lookup:
goto out; goto out;
} }
ret = check_constrained_delegation(context, config, client, sp); ret = check_constrained_delegation(context, config, clientdb,
client, sp);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"constrained delegation from %s to %s not allowed", "constrained delegation from %s to %s not allowed",
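Review bot: In the check_constrained_delegation hunk, a non-zero result from the new `clientdb->hdb_check_constrained_delegation` callback is returned unchanged as the delegation verdict, so a backend that fails for an unrelated reason (allocation, database I/O) is logged as "Bad request for constrained delegation" and its raw error code replaces the KRB5KDC_ERR_BADOPTION the function used to return; the fallback ACL path still normalises to KRB5KDC_ERR_BADOPTION and clears the error message, and the callback path should match it, e.g. `if (ret) { krb5_clear_error_message(context); ret = KRB5KDC_ERR_BADOPTION; }` after the call, unless the HDB contract (not shown here) guarantees the callback only returns Kerberos protocol codes. The callback is also dereferenced through clientdb without a NULL check, while the caller declares `HDB *clientdb;` with no initialiser and only assigns it via _kdc_db_fetch, whose failure branch appears to continue for krbtgt lookups; if that branch can reach this call, `HDB *clientdb = NULL;` plus a `clientdb != NULL &&` guard on the callback test would be the cheap defence. The commit message could note that the backend hook now decides the result rather than merely supplementing the ACL.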