diff options
| author | Bill MacAllister <whm@dropbox.com> | 2016-05-06 19:40:17 +0000 | 
|---|---|---|
| committer | Russ Allbery <eagle@eyrie.org> | 2018-05-27 17:33:31 -0700 | 
| commit | 0d931418e7a73118263f86b7894d28204d4abcc7 (patch) | |
| tree | 99b6e9e4ed80e80d261bb2a33fb62dcb23a9cb39 | |
| parent | f98ba772f9453f39b8b7c02f896dd3725d1c7d8b (diff) | |
Correction to AD handling of long service keytab IDs
The account name for a service keytab cannot exceed 20 characters.
The routine that was generating a unique id incorrectly attempted to
perform an LDAP query.  This change fixes that problem.
| -rw-r--r-- | perl/lib/Wallet/Kadmin/AD.pm | 34 | 
1 files changed, 19 insertions, 15 deletions
| diff --git a/perl/lib/Wallet/Kadmin/AD.pm b/perl/lib/Wallet/Kadmin/AD.pm index 2d93b32..791c6f2 100644 --- a/perl/lib/Wallet/Kadmin/AD.pm +++ b/perl/lib/Wallet/Kadmin/AD.pm @@ -36,12 +36,15 @@ my $LDAP;  # Send debugging output to syslog. -sub ad_debug { +sub ad_syslog {      my ($self, $l, $m) = @_;      if (!$self->{SYSLOG}) {          openlog('wallet-server', 'ndelay,nofatal', 'local3');          $self->{SYSLOG} = 1;      } +    if ($l !~ /debug|info|err|warning/xms) { +        $l = 'err'; +    }      syslog($l, $m);      return;  } @@ -145,7 +148,7 @@ sub ldap_get_dn {      my $dn;      if ($Wallet::Config::AD_DEBUG) { -        $self->ad_debug('debug', "base:$base filter:$filter scope:subtree\n"); +        $self->ad_syslog('debug', "base:$base filter:$filter scope:subtree\n");      }      $self->ldap_connect(); @@ -164,11 +167,11 @@ sub ldap_get_dn {          die "LDAP search error: $error\n";      }      if ($result->code) { -        msg("INFO base:$base filter:$filter scope:subtree\n"); +        $self->ad_syslog('info', "base:$base filter:$filter scope:subtree\n");          die $result->error;      }      if ($Wallet::Config::AD_DEBUG) { -        $self->ad_debug('debug', 'returned: ' . $result->count); +        $self->ad_syslog('debug', 'returned: ' . $result->count);      }      if ($result->count == 1) { @@ -176,9 +179,9 @@ sub ldap_get_dn {              $dn = $entry->dn;          }      } elsif ($result->count > 1) { -        msg('ERROR: too many AD entries for this keytab'); +        $self->ad_syslog('err', 'too many AD entries for this keytab');          for my $entry ($result->entries) { -            msg('INFO: dn found ' . $entry->dn . "\n"); +            $self->ad_syslog('info', 'dn found: ' . $entry->dn . "\n");          }          die("INFO: use show to examine the problem\n");      } @@ -218,7 +221,7 @@ sub msktutil {      my @cmd  = ($Wallet::Config::AD_MSKTUTIL);      push @cmd, @args;      if ($Wallet::Config::AD_DEBUG) { -        $self->ad_debug('debug', $self->ad_cmd_string(\@cmd)); +        $self->ad_syslog('debug', $self->ad_cmd_string(\@cmd));      }      my $in; @@ -241,6 +244,7 @@ sub msktutil {              $err_msg .= "ERROR: $err\n";              $err_msg .= 'Problem command: ' . join(' ', @cmd) . "\n";          } +        $self->ad_syslog('err', $err_msg);          die $err_msg;      } else {          if ($err) { @@ -248,7 +252,7 @@ sub msktutil {          }      }      if ($Wallet::Config::AD_DEBUG) { -        $self->ad_debug('debug', $out); +        $self->ad_syslog('debug', $out);      }      return $out;  } @@ -267,8 +271,7 @@ sub get_service_id {          $this_id =~ s/,.*//xms;          $this_id =~ s/.*?=//xms;      } else { -        my $this_cn = $this_princ; -        $this_cn =~ s{.*?/}{}xms; +        my ($this_type, $this_cn) = split '/', $this_princ, 2;          if ($Wallet::Config::AD_SERVICE_PREFIX) {              $this_cn = $Wallet::Config::AD_SERVICE_PREFIX . $this_cn;          } @@ -324,7 +327,7 @@ sub ad_create_update {              push @cmd, '--computer-name', $host;              push @cmd, '--hostname',      $this_id;          } else { -            my $service_id = $self->get_service_id($this_id); +            my $service_id = $self->get_service_id($principal);              push @cmd, '--base',         $Wallet::Config::AD_USER_RDN;              push @cmd, '--use-service-account';              push @cmd, '--service',      $principal; @@ -337,9 +340,9 @@ sub ad_create_update {          {              $self->ad_delete($principal);              my $m = "ERROR: problem creating keytab for $principal"; -            $self->ad_debug('error', $m); -            $self->ad_debug('error', -                            'Problem command:' . ad_cmd_string(\@cmd)); +            $self->ad_syslog('error', $m); +            $self->ad_syslog('error', +                             'Problem command:' . ad_cmd_string(\@cmd));              die "$m\n";          }      } else { @@ -383,7 +386,7 @@ sub create {      }      if ($self->exists($principal)) {          if ($Wallet::Config::AD_DEBUG) { -            $self->ad_debug('debug', "$principal exists"); +            $self->ad_syslog('debug', "$principal exists");          }          return 1;      } @@ -463,6 +466,7 @@ sub ad_delete {          my $m;          $m .= "ERROR: Problem deleting $dn\n";          $m .= $msgid->error; +        $self->ad_syslog('err', $m);          die $m;      }      return 1; | 
