Re: using kpasswd with ldap db (0.7.2)
- To: heimdal-discuss@sics.se
- Subject: Re: using kpasswd with ldap db (0.7.2)
- From: Andreas Hasenack <ahasenack@terra.com.br>
- Date: Wed, 14 Jun 2006 14:36:38 -0300
- In-Reply-To: <6f3edef40605310719y1940969k22f03238994b2e08@mail.gmail.com>
- References: <6f3edef40605191020n260b881fj84b9576144ec2091@mail.gmail.com> <m264jvy8vj.fsf@nutcracker-2.local> <6f3edef40605310719y1940969k22f03238994b2e08@mail.gmail.com>
- Sender: owner-heimdal-discuss@sics.se
- User-Agent: Mutt/1.5.11
On Wed, May 31, 2006 at 09:19:21AM -0500, Eric Ortego wrote:
> My guess is that in this section (i.e. ent->etypes) the LDAP_MOD_ADD
> should be LDAP_MOD_REPLACE.
> Seems logical that if the ldap entry is in fact a heimdal entry, it
> would already have the "krb5EncryptionType" set in the entry, thus
> leading to my error when trying to add instead of replace. I'll also
> guess that the for loop runs twice and is why I get the error twice.
>
>     for (i = 0; i < ent->etypes->len; i++) {
>         if (is_samba_account &&
>             ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
>         {
>             ;
>         } else if (is_heimdal_entry) {
>             ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
>                                       "krb5EncryptionType",
>                                       ent->etypes->val[i]);
>             if (ret)
>                 goto out;
>         }
>     }
It's correct to add multiple krb5EncryptionType attributes, the schema allows
it. And yes, this is called twice:
(gdb) p *entry->etypes
$44 = {len = 2, val = 0x806fda8}
The issue is that both etypes have the same value:
(gdb) p entry->etypes->val[0]
$45 = 23
(gdb) p entry->etypes->val[1]
$46 = 23
(gdb)
This would yield (in LDIF):
krb5EncryptionType: 23
krb5EncryptionType: 23
And this is what OpenLDAP dislikes. So, either this is wrong (two enctype
entries with the same value: this comes right from the hdb_entry struct that is
passed to the ldap backend) or the mod array should be changed to check for
this case (adding the same attribute with the same value twice).
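The second option raised above, checking the mod array for a value that is already present before emitting it, is shown below as an added example; it is not Heimdal's code and none of the function names are from hdb-ldap.c. It assumes a plain int array in place of the hdb_entry etypes list, and it reuses the constructed input from the gdb output in this thread (two entries, both 23), so the result is the single krb5EncryptionType line that OpenLDAP will accept instead of the duplicate pair it rejects.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input mirroring the gdb output in the thread: an etypes list
 * of length 2 whose two values are both 23 (ETYPE_ARCFOUR_HMAC_MD5). */
static const int thread_etypes[] = { 23, 23 };
static const size_t thread_etypes_len =
    sizeof thread_etypes / sizeof thread_etypes[0];

/* Copy the values of `etypes` into `out`, dropping any value that has already
 * been copied, and return the number of distinct values written.
 * `out` must have room for `len` ints. Hypothetical helper, not a Heimdal
 * function; the check it performs is the one the thread proposes for the
 * mod array. */
size_t dedupe_etypes(const int *etypes, size_t len, int *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int seen = 0;
        for (size_t j = 0; j < n; j++) {
            if (out[j] == etypes[i]) {
                seen = 1;
                break;
            }
        }
        if (!seen)
            out[n++] = etypes[i];
    }
    return n;
}

/* Render the deduplicated values as the LDIF lines the backend would emit
 * for the multi-valued krb5EncryptionType attribute. Returns a malloc'd,
 * NUL-terminated string (empty when len is 0) that the caller frees, or
 * NULL on allocation failure. */
char *etypes_to_ldif(const int *etypes, size_t len)
{
    int *uniq = malloc((len ? len : 1) * sizeof *uniq);
    if (uniq == NULL)
        return NULL;
    size_t n = dedupe_etypes(etypes, len, uniq);

    /* "krb5EncryptionType: " is 20 chars; an int is at most 11; plus '\n'. */
    size_t cap = n * 32 + 1;
    char *ldif = malloc(cap);
    if (ldif == NULL) {
        free(uniq);
        return NULL;
    }
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(ldif + used, cap - used,
                         "krb5EncryptionType: %d\n", uniq[i]);
        if (w < 0 || (size_t)w >= cap - used) {
            free(uniq);
            free(ldif);
            return NULL;
        }
        used += (size_t)w;
    }
    ldif[used] = '\0';
    free(uniq);
    return ldif;
}

/* Number of distinct enctype values in the thread's own entry (expected 1). */
size_t thread_case_distinct(void)
{
    int out[sizeof thread_etypes / sizeof thread_etypes[0]];
    return dedupe_etypes(thread_etypes, thread_etypes_len, out);
}

/* Returns 1 if the LDIF built from the thread's entry collapses to a single
 * krb5EncryptionType line, else 0. */
int thread_case_ldif_is_single_line(void)
{
    char *ldif = etypes_to_ldif(thread_etypes, thread_etypes_len);
    if (ldif == NULL)
        return 0;
    int ok = strcmp(ldif, "krb5EncryptionType: 23\n") == 0;
    free(ldif);
    return ok;
}

int main(void)
{
    char *ldif = etypes_to_ldif(thread_etypes, thread_etypes_len);
    if (ldif == NULL)
        return 1;
    printf("%zu distinct enctype(s):\n%s", thread_case_distinct(), ldif);
    free(ldif);
    return 0;
}
```

The quadratic scan is fine here because an entry carries a handful of enctypes at most; the point is that the duplicate is filtered on the way into the mod list, so LDAP_MOD_ADD stays correct for the genuinely multi-valued case while the constraint violation from the repeated value goes away.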