ldap: make sure realm is set
In general the canonical principal will only be set in the cache after a
successful authentication because in general it is not known what the
canonical principal might be.

For Active Directory it is known that the canonical principal is built
with the sAMAccountName attribute and the Kerberos realm, which is used
in the patch "AD: Construct UPN from the sAMAccountName" (7a27e53). If
'id_provider = ldap' is used to access Active Directory the realm might
not be set in the internal domain data and as a result a wrong principal
might be created. This patch makes sure the realm is set before creating
the canonical principal.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Dan Lavu <[email protected]>
Reviewed-by: Jakub Vávra <[email protected]>
sumit-bose authored and alexey-tikhonov committed Dec 10, 2024
1 parent 110c4ae commit 8c86abd
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions src/providers/ldap/sdap_async_users.c
@@ -204,7 +204,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
size_t c;
char *p1;
char *p2;
char *new_upn;
char *new_upn = NULL;
bool is_posix = true;

DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");
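Review bot: the `= NULL` initialiser on `new_upn` is what makes the realm check in the second hunk safe, not a cosmetic change: once `talloc_asprintf()` is only called inside `if (dom->realm != NULL)`, the later `if (new_upn != NULL)` would otherwise test an indeterminate pointer whenever the realm is unset. Keep the two hunks together in any backport; taking the realm check without this initialisation reintroduces an uninitialised read.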
@@ -278,8 +278,10 @@ int sdap_save_user(TALLOC_CTX *memctx,
&samaccountname);
if (ret == EOK) {
ret = ENOENT;
new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname,
dom->realm);
if (dom->realm != NULL) {
new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname,
dom->realm);
}
if (new_upn != NULL){
ret = sysdb_attrs_add_string(user_attrs,
SYSDB_CANONICAL_UPN, new_upn);
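Review bot: with `ret = ENOENT;` set before the new check, a missing `dom->realm` now leaves `new_upn` NULL, skips `sysdb_attrs_add_string()` and falls through with `ret == ENOENT`, which is exactly the state a failed `talloc_asprintf()` allocation also leaves behind. The two cases should be told apart: add an `else` branch to `if (dom->realm != NULL)` with a DEBUG() message (the macro already used at the top of the function) saying the canonical UPN is skipped because the realm is not set, so an administrator running `id_provider = ldap` against AD can see why no canonical principal was stored, and consider reporting ENOMEM rather than ENOENT when `talloc_asprintf()` itself returns NULL. The handling of `ret` after this block is outside the hunk; please confirm it treats the realm-unset path as non-fatal, since the intent of the patch is to store no canonical UPN rather than a wrong one.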
