Red Hat Bugzilla – Bug 1108225
ipadb.so could get tripped up by DAL changes to support keyless principals
Last modified: 2015-03-05 05:11:53 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3779

Upcoming changes to upstream krb5 may result in modification requests that get passed into the IPA kdb plugin including a zero-length list of keys, which may or may not be NULL. We need to make sure that the plugin isn't going to be tripped up by any of this, and that it correctly interprets this as a request from the caller to remove all of the keys from the principal entry (which in LDAP, I assume means removing the attribute value completely).
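The case described in the report above, as an added example that is not part of the bug report and is not FreeIPA's or krb5's code: a defensive classification of the key portion of a modify request, in which a zero-length key list is handled the same way whether its pointer is NULL or not. The type and function names (`key_entry`, `key_action`, `classify_key_update`) and the `keys_flagged` parameter are hypothetical stand-ins for the real KDB structures.

```c
#include <stddef.h>

/* Hypothetical, simplified stand-in for one key in a KDB entry's key list. */
struct key_entry {
    int kvno;
    size_t len;
    const unsigned char *data;
};

enum key_action {
    KEYS_UNCHANGED,    /* request does not touch the keys */
    KEYS_REMOVE_ATTR,  /* keyless principal: drop the key attribute */
    KEYS_REPLACE,      /* write the supplied keys */
    KEYS_INVALID       /* malformed request, reject it */
};

/*
 * Classify the key part of a modify request.
 * keys_flagged: nonzero when the caller marked the key data as modified.
 * The pointer is never consulted when n_keys == 0, so a NULL list and a
 * non-NULL empty list produce the same result and nothing is dereferenced.
 */
enum key_action classify_key_update(int keys_flagged,
                                    const struct key_entry *keys, int n_keys)
{
    int i;

    if (!keys_flagged)
        return KEYS_UNCHANGED;
    if (n_keys < 0)
        return KEYS_INVALID;
    if (n_keys == 0)
        return KEYS_REMOVE_ATTR;
    if (keys == NULL)
        return KEYS_INVALID;       /* count says keys exist, list is missing */
    for (i = 0; i < n_keys; i++) {
        if (keys[i].data == NULL || keys[i].len == 0)
            return KEYS_INVALID;   /* never store an empty key value */
    }
    return KEYS_REPLACE;
}
```

On the LDAP side, a replace modification that carries no values removes the attribute if it exists and is ignored if it does not (RFC 4511, section 4.6), which makes it a convenient way to express `KEYS_REMOVE_ATTR` idempotently.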
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.
Please add steps to verify.
This patch is about future proofing so that FreeIPA KDC backend is ready for keyless principals. AFAIU, there is no practical reproduction yet (CCing Nathaniel in case I am wrong). I would thus propose to simply test as SanityOnly.
Please see Comment 3 for reproduction/how to test information.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html