
Re: using kpasswd with ldap db (0.7.2)



On Wed, May 31, 2006 at 09:19:21AM -0500, Eric Ortego wrote:
> On 5/24/06, Love Hörnquist Åstrand <lha@kth.se> wrote:
> >I think it's a bug somewhere where the krb5EncryptionType is set, but I
> >can't figure out what it is. If you have time to debug the code, it's in
> >lib/hdb/hdb-ldap.c:LDAP_entry2mods() where the krb5EncryptionType is set.
> 
> I am not very proficient in C but my curiosity leads me to take a stab at 
> it.
> 
> >If you can't find the error, you can just comment out the whole "if
> >(ent->etypes) { " section in that file.
> 
> My guess is that in this section (i.e. ent->etypes) the LDAP_MOD_ADD
> should be LDAP_MOD_REPLACE.
> Seems logical that if the ldap entry is in fact a heimdal entry that
> it would already have the "krb5EncryptionType" set in the entry thus
> leading to my error when trying to add instead of replace. I'll also
> guess that the for loops twice and is why I get the error twice.
> 
>        for (i = 0; i < ent->etypes->len; i++) {
>            if (is_samba_account &&
>                ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
>            {
>                ;
>            } else if (is_heimdal_entry) {
>                ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
>                                          "krb5EncryptionType",
>                                          ent->etypes->val[i]);
>                if (ret)
>                    goto out;
>            }
>        }
> 
> I would test my guesses but I do not have a test environment and since
> I have a workaround for changing passwords atm I will stick with that
> until someone more proficient than I takes a look into it.
> Cheers,
> Eric

But it seems krb5EncryptionType is deleted a bit above in this code. Or should be:

    if (ent->etypes) {
        /* clobber and replace encryption types. */
        if (!is_new_entry) {
            values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
            if (values) {
                ldap_value_free(values);
                ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
                                  NULL);
                if (ret)
                    goto out;
            }
        }
        for (i = 0; i < ent->etypes->len; i++) {
(...)
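
The three ways of updating krb5EncryptionType discussed in this thread (LDAP_MOD_ADD alone, LDAP_MOD_DELETE followed by LDAP_MOD_ADD, and LDAP_MOD_REPLACE), modelled in memory with the result codes RFC 4511 defines. This is an added example, not part of the original message and not Heimdal code; the struct and function names and the sample etype values are assumptions made up for illustration.

```c
/* Added example (not Heimdal code): model of LDAP modify semantics, RFC 4511. */
#include <stdio.h>
enum { MOD_ADD, MOD_DELETE, MOD_REPLACE };
enum { RC_SUCCESS = 0, RC_NO_SUCH_ATTRIBUTE = 16, RC_TYPE_OR_VALUE_EXISTS = 20 };
#define MAXV 8
struct attr { int len; int val[MAXV]; };          /* one multi-valued attribute */
struct mod  { int op; int len; int val[MAXV]; };  /* hypothetical, one per op */

/* Constructed sample values: stored etypes 16 and 23; new set 18, 16, 23. */
static const struct attr existing = { 2, {16, 23} }, empty = { 0, {0} };
static const struct mod add_new = { MOD_ADD, 3, {18, 16, 23} };
static const struct mod del_all = { MOD_DELETE, 0, {0} };
static const struct mod repl    = { MOD_REPLACE, 3, {18, 16, 23} };

static int has_value(const struct attr *a, int v) {
    for (int i = 0; i < a->len; i++)
        if (a->val[i] == v) return 1;
    return 0;
}

/* Apply mods in order on a copy; commit only if all succeed (all-or-nothing). */
int apply_mods(struct attr *stored, const struct mod *mods, int n) {
    struct attr w = *stored;
    for (int i = 0; i < n; i++) {
        const struct mod *m = &mods[i];
        /* MOD_DELETE in this model always has len 0, i.e. delete all values. */
        if (m->op == MOD_DELETE && w.len == 0) return RC_NO_SUCH_ATTRIBUTE;
        if (m->op != MOD_ADD) w.len = 0;   /* delete-all and replace both clear */
        for (int j = 0; j < m->len; j++) {
            if (has_value(&w, m->val[j])) return RC_TYPE_OR_VALUE_EXISTS;
            if (w.len == MAXV) return -1;  /* model capacity, not an LDAP code */
            w.val[w.len++] = m->val[j];
        }
    }
    *stored = w;
    return RC_SUCCESS;
}

int try_add(struct attr e)     { return apply_mods(&e, &add_new, 1); }
int try_replace(struct attr e) { return apply_mods(&e, &repl, 1); }
int try_delete_add(struct attr e) {
    struct mod m[2]; m[0] = del_all; m[1] = add_new;
    return apply_mods(&e, m, 2);
}

int main(void) {
    printf("add=%d delete+add=%d delete+add(no attr)=%d replace=%d\n", try_add(existing),
           try_delete_add(existing), try_delete_add(empty), try_replace(existing));
    return 0;
}
```

In this model, delete-then-add fails with 16 on an entry that has no krb5EncryptionType values yet, which is the case the ldap_get_values() check in the quoted code skips; replace succeeds whether or not the attribute is present.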