On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:
> Changes it makes:
> 1. When using krb5_kuserok, do not call gss_compare_name to check that
> authn_name and authz_name are the same. Instead, make TWO calls to
> krb5_kuserok, one for each ID. If both IDs are acceptable, allow the
> login.

Sounds good.

> 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as
> this doesn't appear to be always the case for the authz_name.

Is there any downside to this check? Can something bad happen if it's not a principal name? I left the check there now for authn_name. Committed: http://hg.dovecot.org/dovecot-1.2/rev/ff6378d7b209

And then I noticed that the last equal_authn_authz check most likely shouldn't have been changed, so reversed it: http://hg.dovecot.org/dovecot-1.2/rev/601e0382b442