> On Tue, 2011-11-01 at 16:03 +0100, Jakub Hrozek wrote:
> > On Tue, Nov 01, 2011 at 03:44:04PM +0100, Jan Zelený wrote:
> > > > On Thu, Oct 20, 2011 at 10:48:08AM +0200, Jan Zelený wrote:
> > > > >
> > > > > https://fedorahosted.org/sssd/ticket/957
> > > > >
> > > > > Jan
> > > >
> > > > Nack:
> > > >
> > > > Please fix the unittests.
> > > >
> > > > The new option needs to be added to the sss-krb5 man page.
> > > >
> > > > I think it would make sense to rebase this patch on top of "[PATCH]
> > > > Add krb5_fast_principal to SSSDConfig API".
> > > >
> > > > If you're staying with the env variable and not doing the command
> > > > line options as Sumit suggested, then it's easier and less error
> > > > prone to just check if the env variable is set to anything:
> > > >
> > > > tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
> > > > if (tmp_str) {
> > > >     set_canonicalize();
> > > > }
> > > >
> > > > Maybe it would be nicer to wrap the above in a function to avoid
> > > > duplication.
> > > >
> > > > Does it make sense to pass the option to the LDAP child as well?
> > > >
> > > > I'm not sure if we still plan to support old Kerberos libraries,
> > > > such as RHEL5 with SSSD 1.7.0+ but if we do, you also need to create
> > > > a wrapper around krb5_get_init_creds_opt_set_canonicalize(). See
> > > > sss_krb5_get_init_creds_opt_set_expire_callback() for an example.
> > >
> > > I'm sending corrected set of patches. Some errors were fixed in the
> > > first one and the second one covers support of canonicalization in
> > > LDAP/IPA provider for connections created in ldap_child.
> > >
> > > Jan
> >
> > As discussed on IRC, please also detect if
> > krb5_get_init_creds_opt_set_canonicalize() is available during configure
> > and create a wrapper that just returns EOK if not available.
>
> Please also note in the manpages that this feature is only supported on
> Kerberos 1.? and later (I don't know offhand when it was introduced,
> probably 1.7).
All done, patches attached.
Jan
Ack to patch #1.
Patch #2 needs to canonicalize in other cases than FAST as well.
Patch #3 needs to change dp_opt_get_string() for dp_opt_get_bool()
otherwise the option is not read.
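
Two of the suggestions made in the thread (treat the environment variable as set when it has any value, and wrap the libkrb5 call so that builds against older libraries still succeed), sketched as an added example that is not code from the SSSD patches. The `HAVE_...` macro, the wrapper and helper names, and the variable's string value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

#define EOK 0  /* success code named in the thread */
#define SSSD_KRB5_CANONICALIZE "SSSD_KRB5_CANONICALIZE"  /* string value assumed */

/* Assumed name for the macro a configure-time function check would define. */
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
#include <krb5.h>
#else
/* Opaque stand-in so this example builds without the Kerberos headers. */
typedef struct example_creds_opt krb5_get_init_creds_opt;
#endif

/* Hypothetical wrapper: calls libkrb5 when the function exists, otherwise
 * does nothing and still reports success, as requested in the review. */
int sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
                                                 int canonicalize)
{
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
    krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
#else
    (void)opts;
    (void)canonicalize;  /* old library: the option is silently ignored */
#endif
    return EOK;
}

/* "Set to anything" check: presence alone enables the feature, so even
 * an empty value or the string "false" counts as set. */
int canonicalize_requested(void)
{
    return getenv(SSSD_KRB5_CANONICALIZE) != NULL;
}

/* Single helper each child process can call, avoiding duplicated checks. */
int set_canonicalize_from_env(krb5_get_init_creds_opt *opts)
{
    if (!canonicalize_requested()) {
        return EOK;
    }
    return sss_krb5_get_init_creds_opt_set_canonicalize(opts, 1);
}

int main(void)
{
    printf("canonicalize requested: %d\n", canonicalize_requested());
    return 0;
}
```

Because the fallback returns success without doing anything, a build against an old library accepts the option and has no effect, which is why the man page note about the minimum Kerberos version matters.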