13 Mar
2009
13 Mar
'09
10:47 p.m.
On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:
Changes it makes:
- When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login.
Sounds good.
- Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the case for the authz_name.
Is there any downside to this check? Can something bad happen if it's not a principal name? I left the check there now for authn_name.
Committed: http://hg.dovecot.org/dovecot-1.2/rev/ff6378d7b209
And then I noticed that the last equal_authn_authz check most likely shouldn't have been changed, so reversed it: