On Sun, Aug 23, 2009 at 05:40:16PM -0400, Simo Sorce wrote:
> On Fri, 2009-08-21 at 12:17 +0200, Sumit Bose wrote:
> > this is the last patch in the series to add the basic support for AD as
> > a server. With this patch the kerberos backend will use the user
> > principal name provided by the server to get the TGT. To make the client
> > side kerberos libraries happy the realm part is always made upper case.
> Unfortunately this patch has already been acked and committed, but I do
> not agree with the way it has been implemented.
> The upper case hack is an AD specific hack, and should *not* be
> implemented in the kerberos backend.
> Rather it should be implemented as a hack in the ldap driver.
ok, you are right, the current version would force the restriction of
upper case only realm names, which might not always be what we want.
> Note that Windows servers are fine with the lower case because they do
> some quite aggressive canonicalization at the server side.
> Moreover the UPN can easily be != username+@+upper(REALM), so the hack
> should be activated only through an option, so that it can be disabled if
> kerberos libraries become able to cope with the UPN as provided via LDAP.
ok, I'll provide a patch for both after 0.5.0 is released.
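The option-gated approach discussed above, as an added illustration that is not part of this thread or of SSSD's own code: the realm part of the server-supplied UPN is upper-cased only when a switch is set, and a helper shows when the UPN is not simply username@REALM. The option name `force_upper_realm` and both function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Build the principal the Kerberos backend will request a TGT for.
 * A server-supplied UPN containing '@' is used as-is; otherwise the
 * name is composed from the account's user and realm attributes.
 * force_upper_realm is a hypothetical provider option standing in for
 * the switch asked for in the thread. Returns 0, or -1 if out is too small. */
int build_krb5_principal(const char *upn, const char *user, const char *realm,
                         bool force_upper_realm, char *out, size_t outlen)
{
    int n;
    char *at;

    if (upn != NULL && strchr(upn, '@') != NULL) {
        n = snprintf(out, outlen, "%s", upn);
    } else {
        /* no usable UPN: fall back to user@realm */
        n = snprintf(out, outlen, "%s@%s", upn ? upn : user, realm);
    }
    if (n < 0 || (size_t)n >= outlen) return -1;

    if (force_upper_realm) {
        /* canonicalise only the realm (after the last '@'); the user part
         * stays exactly as the server provided it */
        at = strrchr(out, '@');
        for (char *p = at + 1; *p; p++) *p = (char)toupper((unsigned char)*p);
    }
    return 0;
}

/* True when the server-supplied UPN differs from user@REALM, i.e. the case
 * in which blindly rewriting the principal would break the lookup. */
bool upn_differs_from_default(const char *upn, const char *user, const char *realm)
{
    char def[256], got[256];
    if (build_krb5_principal(NULL, user, realm, true, def, sizeof(def)) != 0) return true;
    if (build_krb5_principal(upn, user, realm, true, got, sizeof(got)) != 0) return true;
    return strcmp(def, got) != 0;
}
```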