freeipa.git/daemons/ipa-kdb, branch adwork

Map remote to local groups

2012-06-26T07:06:12+00:00

Add support for disabling KDC writes

2012-06-07T02:12:22+00:00

Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734

ipa-kdb: Add MS-PAC on constrained delegation.

2012-06-07T07:39:10+00:00

Perform case-insensitive searches for principals on TGS requests

2012-06-07T07:39:10+00:00

We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577

Fix setting domain_sid

2012-05-29T22:01:21+00:00

'sid' is a stack variable, by assigning its address to the domain_sid pointer
we were later referencing grabage (whatever on the stack ha[ppened to be at
that address.
Properly copy the sid and allocate it on the provided memory context.

Check for locked-out user before incrementing lastfail.

2012-05-18T07:03:22+00:00

If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   update the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765

Fix theoretical leak discovered by coverity

2012-04-17T19:40:58+00:00

This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)

Fix MS-PAC checks when using s4u2proxy

2012-04-03T13:28:50+00:00

We were using the wrong principal in the s4u2proxy case.

Fixes: https://fedorahosted.org/freeipa/ticket/2504

Fix failure count interval attribute name in query for password policy.

2012-03-29T04:52:25+00:00

This was causing the failure count interval to not be applied so
the failure count was never reset to 0.

https://fedorahosted.org/freeipa/ticket/2540

Fix memleak and silence Coverity defects

2012-03-22T16:33:13+00:00

Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488