On Tue, Nov 01, 2011 at 03:44:04PM +0100, Jan Zelený wrote:
> On Thu, Oct 20, 2011 at 10:48:08AM +0200, Jan Zelený wrote:
> >
> > https://fedorahosted.org/sssd/ticket/957
> >
> > Jan
>
> Nack:
>
> Please fix the unittests.
>
> The new option needs to be added to the sss-krb5 man page.
>
> I think it would make sense to rebase this patch on top of "[PATCH] Add
> krb5_fast_principal to SSSDConfig API".
>
> If you're staying with the env variable and not doing the command line
> options as Sumit suggested, then it's easier and less error prone to just
> check if the env variable is set to anything:
>
>     tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
>     if (tmp_str) {
>         set_canonicalize();
>     }
>
> Maybe it would be nicer to wrap the above in a function to avoid
> duplication.
>
> Does it make sense to pass the option to the LDAP child as well?
>
> I'm not sure if we still plan to support old Kerberos libraries,
> such as RHEL5 with SSSD 1.7.0+ but if we do, you also need to create
> a wrapper around krb5_get_init_creds_opt_set_canonicalize(). See
> sss_krb5_get_init_creds_opt_set_expire_callback() for an example.

I'm sending a corrected set of patches. Some errors were fixed in the first one
and the second one covers support of canonicalization in LDAP/IPA provider for
connections created in ldap_child.

Jan

As discussed on IRC, please also detect if
krb5_get_init_creds_opt_set_canonicalize() is available during configure
and create a wrapper that just returns EOK if not available.
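
The two review requests in this thread (treat the environment variable as enabled when it is set to anything, and wrap the library call so builds against older Kerberos libraries return EOK) can be sketched as follows. This is an added example, not code from the patch or from SSSD; the `HAVE_...` macro name, the variable's string value and the `example_*` function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef EOK
#define EOK 0  /* success code, as named in the thread */
#endif

/* Assumed value: the thread shows only the macro name, not the string. */
#define SSSD_KRB5_CANONICALIZE "SSSD_KRB5_CANONICALIZE"

/* Assumed configure result macro, e.g. from AC_CHECK_FUNCS in configure.ac. */
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
#include <krb5.h>
#else
/* Opaque stand-in so this example builds without the krb5 headers. */
typedef struct example_creds_opt krb5_get_init_creds_opt;
#endif

/* "Set to anything": only presence matters, so "" and "false" both enable. */
bool example_canonicalize_enabled(const char *env_value)
{
    return env_value != NULL;
}

/* Wrapper: real call where configure found the symbol, otherwise a no-op. */
int example_set_canonicalize(krb5_get_init_creds_opt *opts, int canonicalize)
{
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
    krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
#else
    (void)opts;          /* old library: nothing to configure */
    (void)canonicalize;
#endif
    return EOK;
}

/* One helper for every child process, which avoids duplicating the check. */
int example_apply_canonicalize(krb5_get_init_creds_opt *opts, const char *env_value)
{
    if (!example_canonicalize_enabled(env_value)) {
        return EOK;      /* variable absent: leave library defaults alone */
    }
    return example_set_canonicalize(opts, 1);
}

int main(void)
{
    const char *v = getenv(SSSD_KRB5_CANONICALIZE);
    printf("canonicalize requested: %s\n",
           example_canonicalize_enabled(v) ? "yes" : "no");
    return 0;
}
```

Because only presence is tested, exporting the variable as `false` or as an empty string still turns canonicalization on, which is worth stating in the man page entry.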