ipa-kdb: search for password policies globally #345

Closed

@abbra abbra commented Dec 15, 2016

With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1404910

@martbab martbab added the ack Pull Request approved, can be merged label Dec 15, 2016
@martbab martbab closed this Dec 15, 2016
@martbab martbab added the pushed Pull Request has already been pushed label Dec 15, 2016

simo5 commented Dec 16, 2016

I know this is already closed but NACK.
The problem here is in searching "base"
this means ending up searching also in things like slapi-nis.
We need to change the code to search in cn=REALM, and, if that fails, search again in cn=accounts.

I do not know if we should revert or just patch on top.

abbra commented Dec 16, 2016

NACK to @simo5's concerns. We are not affected by slapi-nis on searches from KDC.
