23185400 python-ldap-27 complains about kerberos.ldif format
authorShawn Emery <shawn.emery@oracle.com>
Wed, 11 May 2016 20:33:52 -0700
changeset 5970 86291cd54b86
parent 5969 96bac9fbcfbd
child 5971 065a45513062
23185400 python-ldap-27 complains about kerberos.ldif format
components/krb5/patches/068-ldif-format.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/068-ldif-format.patch	Wed May 11 20:33:52 2016 -0700
@@ -0,0 +1,445 @@
+#
+# This patch fixes an issue with python-ldap-27 when the modify() function
+# parses the kerberos.ldif file and complains about no trailing space before
+# the closing right parenthesis in the class declarations.
+#
+# This problem has been reported to MIT, pull request:
+#   https://github.com/krb5/krb5/pull/441
+#
+# Patch source: in-house
+#
+diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif new/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+--- old/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif	2016-04-26 18:05:50.610166618 -0600
++++ new/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif	2016-04-26 18:10:14.036980432 -0600
[email protected]@ -46,7 +46,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPrincipalName'
+                 EQUALITY caseExactIA5Match
+                 SUBSTR caseExactSubstringsMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ 
+ 
+ ##### If there are multiple krbPrincipalName values for an entry, this
[email protected]@ -62,7 +62,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+                 EQUALITY caseExactIA5Match
+                 SUBSTR caseExactSubstringsMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ ##### This specifies the type of the principal, the types could be any of
+ ##### the types mentioned in section 6.2 of RFC 4120
[email protected]@ -74,7 +74,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPrincipalType'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### This flag is used to find whether directory User Password has to be used
[email protected]@ -89,7 +89,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbUPEnabled'
+                 DESC 'Boolean'
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### The time at which the principal expires
[email protected]@ -101,7 +101,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPrincipalExpiration'
+                 EQUALITY generalizedTimeMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
[email protected]@ -129,7 +129,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbTicketFlags'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### The maximum ticket lifetime for a principal in seconds
[email protected]@ -141,7 +141,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbMaxTicketLife'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Maximum renewable lifetime for a principal's ticket in seconds
[email protected]@ -153,7 +153,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbMaxRenewableAge'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Forward reference to the Realm object.
[email protected]@ -166,7 +166,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.14.1
+                 NAME 'krbRealmReferences'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ 
+ ##### List of LDAP servers that kerberos servers can contact.
[email protected]@ -182,7 +182,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.15.1
+                 NAME 'krbLdapServers'
+                 EQUALITY caseIgnoreMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 
+ 
+ ##### A set of forward references to the KDC Service objects.
[email protected]@ -195,7 +195,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.17.1
+                 NAME 'krbKdcServers'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ 
+ ##### A set of forward references to the Password Service objects.
[email protected]@ -208,7 +208,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.18.1
+                 NAME 'krbPwdServers'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ 
+ ##### This attribute holds the Host Name or the ip address, 
[email protected]@ -222,7 +222,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.24.1
+                 NAME 'krbHostServer'
+                 EQUALITY caseExactIA5Match
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ 
+ 
+ ##### This attribute holds the scope for searching the principals
[email protected]@ -236,7 +236,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbSearchScope'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### FDNs pointing to Kerberos principals
[email protected]@ -247,7 +247,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.26.1
+                 NAME 'krbPrincipalReferences'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ 
+ ##### This attribute specifies which attribute of the user objects  
[email protected]@ -261,7 +261,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPrincNamingAttr'
+                 EQUALITY caseIgnoreMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### A set of forward references to the Administration Service objects.
[email protected]@ -274,7 +274,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.29.1
+                 NAME 'krbAdmServers'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ 
+ ##### Maximum lifetime of a principal's password
[email protected]@ -286,7 +286,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbMaxPwdLife'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Minimum lifetime of a principal's password
[email protected]@ -298,7 +298,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbMinPwdLife'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Minimum number of character clases allowed in a password
[email protected]@ -310,7 +310,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPwdMinDiffChars' 
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Minimum length of the password
[email protected]@ -322,7 +322,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPwdMinLength' 
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Number of previous versions of passwords that are stored
[email protected]@ -334,7 +334,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPwdHistoryLength' 
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Number of consecutive pre-authentication failures before lockout
[email protected]@ -346,7 +346,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+                 NAME 'krbPwdMaxFailure' 
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Period after which bad preauthentication count will be reset
[email protected]@ -358,7 +358,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+                 NAME 'krbPwdFailureCountInterval' 
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Period in which lockout is enforced
[email protected]@ -370,7 +370,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+                 NAME 'krbPwdLockoutDuration' 
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Policy attribute flags
[email protected]@ -382,7 +382,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+                 NAME 'krbPwdAttributes'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Policy maximum ticket lifetime
[email protected]@ -394,7 +394,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+                 NAME 'krbPwdMaxLife'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Policy maximum ticket renewable lifetime
[email protected]@ -406,7 +406,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+                 NAME 'krbPwdMaxRenewableLife'
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Allowed enctype:salttype combinations for key changes
[email protected]@ -418,7 +418,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+                 NAME 'krbPwdAllowedKeysalts'
+                 EQUALITY caseIgnoreIA5Match
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### FDN pointing to a Kerberos Password Policy object
[email protected]@ -430,7 +430,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPwdPolicyReference'
+                 EQUALITY distinguishedNameMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### The time at which the principal's password expires
[email protected]@ -442,7 +442,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbPasswordExpiration'
+                 EQUALITY generalizedTimeMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
[email protected]@ -482,7 +482,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.39.1
+                 NAME 'krbPrincipalKey'
+                 EQUALITY octetStringMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+ 
+ 
+ ##### FDN pointing to a Kerberos Ticket Policy object.
[email protected]@ -494,7 +494,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbTicketPolicyReference'
+                 EQUALITY distinguishedNameMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### Forward reference to an entry that starts sub-trees
[email protected]@ -507,7 +507,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
+                 NAME 'krbSubTrees'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ 
+ ##### Holds the default encryption/salt type combinations of principals for
[email protected]@ -520,7 +520,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
+                 NAME 'krbDefaultEncSaltTypes'
+                 EQUALITY caseIgnoreMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 
+ 
+ ##### Holds the Supported encryption/salt type combinations of principals for
[email protected]@ -544,7 +544,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.43.1
+                 NAME 'krbSupportedEncSaltTypes'
+                 EQUALITY caseIgnoreMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 
+ 
+ ##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
[email protected]@ -584,7 +584,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.44.1
+                 NAME 'krbPwdHistory'
+                 EQUALITY octetStringMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+ 
+ 
+ ##### The time at which the principal's password last password change happened.
[email protected]@ -596,7 +596,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbLastPwdChange'
+                 EQUALITY generalizedTimeMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ ##### The time at which the principal was last administratively unlocked.
+ 
[email protected]@ -607,7 +607,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+                 NAME 'krbLastAdminUnlock'
+                 EQUALITY generalizedTimeMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ ##### This attribute holds the kerberos master key.
+ ##### This can be used to encrypt principal keys. 
[email protected]@ -632,7 +632,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.46.1
+                 NAME 'krbMKey'
+                 EQUALITY octetStringMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+ 
+ 
+ ##### This stores the alternate principal names for the principal in the RFC 1961 specified format
[email protected]@ -643,7 +643,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.47.1
+                 NAME 'krbPrincipalAliases'
+                 EQUALITY caseExactIA5Match
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ 
+ 
+ ##### The time at which the principal's last successful authentication happened.
[email protected]@ -655,7 +655,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbLastSuccessfulAuth'
+                 EQUALITY generalizedTimeMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### The time at which the principal's last failed authentication happened.
[email protected]@ -667,7 +667,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbLastFailedAuth'
+                 EQUALITY generalizedTimeMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ ##### This attribute stores the number of failed authentication attempts
[email protected]@ -680,7 +680,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+                 NAME 'krbLoginFailedCount' 
+                 EQUALITY integerMatch
+                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
+-                SINGLE-VALUE)
++                SINGLE-VALUE )
+ 
+ 
+ 
[email protected]@ -692,7 +692,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.51.1
+                 NAME 'krbExtraData'
+                 EQUALITY octetStringMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+ 
+ 
+ ##### This attributes holds references to the set of directory objects.
[email protected]@ -705,7 +705,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.52.1
+                 NAME 'krbObjectReferences'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ 
+ ##### This attribute holds references to a Container object where 
[email protected]@ -718,7 +718,7 @@ add: attributetypes
+ attributetypes: ( 2.16.840.1.113719.1.301.4.53.1
+                 NAME 'krbPrincContainerRef'
+                 EQUALITY distinguishedNameMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+ 
+ ##### A list of services to which a service principal can delegate.
+ dn: cn=schema
[email protected]@ -728,7 +728,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+                 NAME 'krbAllowedToDelegateTo'
+                 EQUALITY caseExactIA5Match
+                 SUBSTR caseExactSubstringsMatch
+-                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
++                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ 
+ ########################################################################
+ ########################################################################