Set lockdown attribute when creating LDAP KDB

In kdb5_ldap_util, set lockdown_keys on the special principals when creating an LDAP KDB, as we do in kdb5_util when creating a regular KDB. ticket: 8936 (new) tags: pullup target_version: 1.18-next target_version: 1.17-next
krb5 · Aug 18, 2020 · 6cdf7d8 · 6cdf7d8
1 parent 8f2f0a2
commit 6cdf7d8
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -1304,7 +1304,7 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ,
                                                      now, &db_create_princ)))
         goto cleanup;
 
-    entry.attributes = pblock->flags;
+    entry.attributes = pblock->flags | KRB5_KDB_LOCKDOWN_KEYS;
     entry.max_life = pblock->max_life;
     entry.max_renewable_life = pblock->max_rlife;
     entry.expiration = pblock->expiration;