ldap: make sure realm is set

In general the canonical principal will be only set in the cache after a successful authentication because in general it is not know what the canonical principal might be. For Active Directory it is known that the canonical principal is build with the sAMAccountName attribute and the Kerberos realm which is used in the patch "AD: Construct UPN from the sAMAccountName" (7a27e53). If 'id_provider = ldap' is used to access Active Directory the realm might not be set in the internal domain data and as a result a wrong principal might be created. This patch makes sure the realm is set before creating the canonical principal.
SSSD · Nov 18, 2024 · 1944936 · 1944936
1 parent fb91349
commit 1944936
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
@@ -204,7 +204,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
     size_t c;
     char *p1;
     char *p2;
-    char *new_upn;
+    char *new_upn = NULL;
     bool is_posix = true;
 
     DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");
@@ -278,8 +278,10 @@ int sdap_save_user(TALLOC_CTX *memctx,
                                    &samaccountname);
         if (ret == EOK) {
             ret = ENOENT;
-            new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname,
-                                      dom->realm);
+            if (dom->realm != NULL) {
+                new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname,
+                                          dom->realm);
+            }
             if (new_upn != NULL){
                 ret = sysdb_attrs_add_string(user_attrs,
                                              SYSDB_CANONICAL_UPN, new_upn);