[krbdev.mit.edu #8877] Issue setting require_auth attribute with ldap backend with release 1.17

Machin, Glenn D via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Sat Feb 22 17:28:54 EST 2020

Sat Feb 22 17:28:54 2020: Request 8877 was acted upon.
 Transaction: Ticket created by GMachin at sandia.gov
       Queue: krb5
     Subject: Issue setting require_auth attribute with ldap backend with release 1.17
       Owner: Nobody
  Requestors: GMachin at sandia.gov
      Status: new
 Ticket <URL: https://mv-ezproxy-com.ezproxyberklee.flo.org/rt/Ticket/Display.html?id=8877 >

After setting an authentication indicator on a service, you cannot use delstr to remove it.

    kadmin.local:  setstr host/hostname.domain@realm require_auth LOA2
    Attribute set for principal "host/hostname.domain@realm"

    kadmin.local:  getstrs host/hostname.domain
    require_auth: LOA2

    kadmin.local:  delstr host/hostname.domain require_auth
    Attribute removed from principal "host/hostname.domain@realm".

    kadmin.local:  getstrs host/hostname.domain
    require_auth: LOA2

krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c never checks to see if krbPrincipalAuthInd exists, in the case where it’s not being set.

/* Parse the "require_auth" string for auth indicators, adding them to the
 * krbPrincipalAuthInd attribute. */
static krb5_error_code
update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
                         LDAPMod ***mods)
{
    int i = 0;
    krb5_error_code ret;
    char *auth_ind = NULL;
    char *strval[10] = { 0 };
    char *ai, *ai_save = NULL;
    int sv_num = sizeof(strval) / sizeof(*strval);

    ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,
                              &auth_ind);
    /* No require_auth string: returns without touching an existing
     * krbPrincipalAuthInd attribute in the LDAP entry. */
    if (ret || auth_ind == NULL)
        goto cleanup;

    /* Split the space-separated indicator list into separate LDAP values. */
    ai = strtok_r(auth_ind, " ", &ai_save);
    while (ai != NULL && i < sv_num) {
        strval[i++] = ai;
        ai = strtok_r(NULL, " ", &ai_save);
    }

    ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
                                    LDAP_MOD_REPLACE, strval);

cleanup:
    krb5_dbe_free_string(context, auth_ind);
    return ret;
}

Change the above to:

    int attr_mask = 0;
    krb5_boolean has_AuthInd;

    if (ret || auth_ind == NULL) {
        /* No krbPrincipalAuthInd to be set - lets check and see if current */
        /* settings in ldap has it set. If so then we need to delete it */
        ret = krb5_get_attributes_mask(context, entry, &attr_mask);
        if (ret == 0) {
            /* If current ldap entry has krbPrincipalAuthInd set we need to delete it */
            has_AuthInd = ((attr_mask & KDB_AUTH_IND_ATTR) != 0);
            if (has_AuthInd) {
                /* Operation argument inferred from the comment above; the line
                 * was dropped from the posted snippet. */
                ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
                                                LDAP_MOD_DELETE,
                                                NULL);
            }
        }
        goto cleanup;
    }
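As an added check (not part of the ticket and not krb5 code), the POSIX shell functions below compare the require_auth string that kadmin reports for a principal with the krbPrincipalAuthInd values its LDAP entry actually holds, which is how the stale state shown in the session above can be detected after a delstr. The getstrs text and LDIF are constructed samples; EXAMPLE.COM and the container DN are placeholders, and live output from `kadmin.local -q "getstrs ..."` and `ldapsearch -LLL ...` can be fed in the same way.

```shell
#!/bin/sh
# Added check, not code from the ticket or from krb5: detect a principal whose
# LDAP entry still carries krbPrincipalAuthInd after kadmin no longer reports
# a require_auth string.

# Auth indicators stored in LDAP, joined with single spaces (empty if none).
# $1 = LDIF text of the principal's entry, one krbPrincipalAuthInd line per value.
ldap_auth_ind() {
    printf '%s\n' "$1" | sed -n 's/^krbPrincipalAuthInd: //p' | tr '\n' ' ' | sed 's/ *$//'
}

# require_auth value from `kadmin.local getstrs <principal>` output (empty if unset).
kadm_require_auth() {
    printf '%s\n' "$1" | sed -n 's/^require_auth: //p'
}

# Returns 0 when kadmin and LDAP agree, 1 when they differ (e.g. LDAP still
# holds LOA2 although delstr reported the attribute removed).
check_auth_ind_consistent() {
    [ "$(kadm_require_auth "$1")" = "$(ldap_auth_ind "$2")" ]
}

# Constructed samples; EXAMPLE.COM and the DN below are placeholders.
GETSTRS_SET='require_auth: LOA2'
GETSTRS_AFTER_DELSTR=''
LDIF_STALE='dn: krbPrincipalName=host/hostname.domain@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
krbPrincipalName: host/hostname.domain@EXAMPLE.COM
krbPrincipalAuthInd: LOA2'
LDIF_CLEAN='dn: krbPrincipalName=host/hostname.domain@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
krbPrincipalName: host/hostname.domain@EXAMPLE.COM'

# Reproduces the ticket: kadmin shows nothing, LDAP still has the indicator.
if check_auth_ind_consistent "$GETSTRS_AFTER_DELSTR" "$LDIF_STALE"; then
    echo "consistent"
else
    echo "STALE: LDAP still has krbPrincipalAuthInd '$(ldap_auth_ind "$LDIF_STALE")' but kadmin reports no require_auth"
fi
```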

