
Re: using kpasswd with ldap db (0.7.2)



On Wed, May 31, 2006 at 09:19:21AM -0500, Eric Ortego wrote:
> My guess is that in this section (i.e. ent->etypes) the LDAP_MOD_ADD
> should be LDAP_MOD_REPLACE.
> Seems logical that if the ldap entry is in fact a heimdal entry that
> it would already have the "krb5EncryptionType" set in the entry thus
> leading to my error when trying to add instead of replace. I'll also
> guess that the for loop runs twice and is why I get the error twice.
> 
>        for (i = 0; i < ent->etypes->len; i++) {
>            if (is_samba_account &&
>                ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
>            {
>                ;
>            } else if (is_heimdal_entry) {
>                ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
>                                          "krb5EncryptionType",
>                                          ent->etypes->val[i]);
>                if (ret)
>                    goto out;
>            }
>        }

It's correct to add multiple krb5EncryptionType attributes; the schema allows
it. And yes, this is called twice:

(gdb) p *entry->etypes
$44 = {len = 2, val = 0x806fda8}

The issue is that both etypes have the same value:
(gdb) p entry->etypes->val[0]
$45 = 23
(gdb) p entry->etypes->val[1]
$46 = 23
(gdb)

This would yield (in ldif):
krb5EncryptionType: 23
krb5EncryptionType: 23

And this is what openldap dislikes. So, either this is wrong (two enctype
entries with the same value: this comes right from the hdb_entry struct that is
passed to the ldap backend) or the mod array should be changed to check for
this case (adding the same attribute with the same value twice).
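One way to implement the second option (checking the mods array for a value that is already present before adding it again), as an added illustration and not code from Heimdal or from this thread; the mod/modlist structs and addmod_integer_unique are hypothetical stand-ins for libldap's LDAPMod and Heimdal's LDAP_addmod_integer:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an LDAPMod-style modification list; not libldap's
 * LDAPMod and not Heimdal's LDAP_addmod_integer. */
struct mod { const char *type; char **vals; size_t nvals; };   /* vals is NULL-terminated */
struct modlist { struct mod *mods; size_t n; };

static struct mod *find_mod(struct modlist *ml, const char *type) {
    for (size_t i = 0; i < ml->n; i++)
        if (strcmp(ml->mods[i].type, type) == 0)
            return &ml->mods[i];
    return NULL;
}

/* Add integer value v for attribute type, but skip it when that attribute
 * already carries the same value: that duplicate ("krb5EncryptionType: 23"
 * twice in one modify) is what OpenLDAP rejects. Returns 0 when added,
 * 1 when skipped as a duplicate, -1 on allocation failure. */
int addmod_integer_unique(struct modlist *ml, const char *type, int v) {
    char buf[32];
    snprintf(buf, sizeof buf, "%d", v);
    struct mod *m = find_mod(ml, type);
    if (m == NULL) {
        struct mod *tmp = realloc(ml->mods, (ml->n + 1) * sizeof *tmp);
        if (tmp == NULL) return -1;
        ml->mods = tmp;
        m = &ml->mods[ml->n++];
        m->type = type; m->vals = NULL; m->nvals = 0;
    }
    for (size_t i = 0; i < m->nvals; i++)
        if (strcmp(m->vals[i], buf) == 0) return 1;
    char **nv = realloc(m->vals, (m->nvals + 2) * sizeof *nv);
    if (nv == NULL) return -1;
    m->vals = nv;
    if ((m->vals[m->nvals] = malloc(strlen(buf) + 1)) == NULL) return -1;
    strcpy(m->vals[m->nvals++], buf);
    m->vals[m->nvals] = NULL;
    return 0;
}

/* Build the krb5EncryptionType mods for an entry's etypes list and return
 * the number of distinct values that ended up in the modify (0 on error). */
size_t build_etype_mods(struct modlist *ml, const int *etypes, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (addmod_integer_unique(ml, "krb5EncryptionType", etypes[i]) < 0) return 0;
    struct mod *m = find_mod(ml, "krb5EncryptionType");
    return m ? m->nvals : 0;
}
```

With the entry shown above (etypes {23, 23}) this emits a single "krb5EncryptionType: 23" instead of two, which is the form OpenLDAP accepts.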