From 8c547589f65d02198cfda2c73f25349420f9e38b Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]"
 <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Tue, 29 Oct 2024 17:31:32 +0100
Subject: [PATCH] sources/kerberos: add kiprop to ignored system principals
 (cherry-pick #11852) (#11853)

sources/kerberos: add kiprop to ignored system principals (#11852)

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
---
 blueprints/system/sources-kerberos.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blueprints/system/sources-kerberos.yaml b/blueprints/system/sources-kerberos.yaml
index d97e8eda53..8664183b7e 100644
--- a/blueprints/system/sources-kerberos.yaml
+++ b/blueprints/system/sources-kerberos.yaml
@@ -38,7 +38,7 @@ entries:
       name: "authentik default Kerberos User Mapping: Ignore system principals"
       expression: |
         localpart, realm = principal.rsplit("@", 1)
-        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"]
+        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"]
         for prefix in denied_prefixes:
             if localpart.lower().startswith(prefix.lower()):
                 raise SkipObject