path: root/daemons/ipa-kdb/ipa_kdb_principals.c
Commit message (Author, Age, Files, Lines)
* client referral support for trusted domain principals [4-2-trust-fixes] (Alexander Bokovoy, 2015-09-03, 1 file, -0/+55)
| https://fedorahosted.org/freeipa/ticket/3559
* Detect default encsalts kadmin password change (Simo Sorce, 2015-05-27, 1 file, -0/+80)
| When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL).
| This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration.
| Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts.
| Fixes https://fedorahosted.org/freeipa/ticket/4914
| Signed-off-by: Simo Sorce <simo@redhat.com>
| Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
* Handle DAL ABI change in MIT 1.13 (Simo Sorce, 2015-02-13, 1 file, -0/+7)
| In this new MIT version the DAL interface changes slightly but KRB5_KDB_DAL_MAJOR_VERSION was not changed.
| Luckily KRB5_KDB_API_VERSION did change and that's enough to know what to compile in.
| Resolves: https://fedorahosted.org/freeipa/ticket/4861
| Signed-off-by: Simo Sorce <simo@redhat.com>
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Expose the disabled User Auth Type (Nathaniel McCallum, 2015-02-12, 1 file, -6/+7)
| Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled.
| https://fedorahosted.org/freeipa/ticket/4720
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-kdb: more robust handling of principal addition/editing (Martin Babinsky, 2015-01-30, 1 file, -23/+47)
| The patch addresses the following defect reported by covscan in FreeIPA master:
| """
| Error: FORWARD_NULL (CWE-476):
| /daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning: "principal" = "NULL".
| /daemons/ipa-kdb/ipa_kdb_principals.c:1929: var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods", which dereferences it.
| /daemons/ipa-kdb/ipa_kdb_principals.c:1491:9: deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences "principal".
| /daemons/ipa-kdb/ipa_kdb_principals.c:1174:5: deref_parm_in_call: Function "strdup" dereferences "value"
| """
| This is a part of a series of patches related to https://fedorahosted.org/freeipa/ticket/4795
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Periodically refresh global ipa-kdb configuration (Nathaniel McCallum, 2014-06-19, 1 file, -2/+9)
| Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new configuration until it is restarted.
| This patch enables caching of the global configuration with a timeout of 60 seconds.
| https://fedorahosted.org/freeipa/ticket/4153
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Restore krbCanonicalName handling (Nalin Dahyabhai, 2014-05-30, 1 file, -5/+1)
| When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set, rewrite the principal name to the canonical value, else error out, instead of always returning an error if the requested name doesn't look like the canonical one.
| https://fedorahosted.org/freeipa/ticket/3966
| Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Accept any alias, not just the last value (Nalin Dahyabhai, 2014-05-30, 1 file, -0/+3)
| If the entry's krbPrincipalName attribute is multi-valued, accept any of the values, not just the last one we happen to examine.
| https://fedorahosted.org/freeipa/ticket/3966
| Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* kdb: Don't provide password expiration when using only RADIUS (Nathaniel McCallum, 2014-05-22, 1 file, -0/+4)
| If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant.
| https://fedorahosted.org/freeipa/ticket/4299
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support to ipa-kdb for keyless principals (Nathaniel McCallum, 2014-02-19, 1 file, -0/+18)
| https://fedorahosted.org/freeipa/ticket/3779
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: validate that an OTP user has tokens (Nathaniel McCallum, 2014-02-14, 1 file, -18/+126)
| This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC.
| https://fedorahosted.org/freeipa/ticket/4154
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add krbticketPolicyAux objectclass if needed (Simo Sorce, 2013-11-26, 1 file, -0/+34)
| When modifying ticket flags add the objectclass to the object if it is missing.
| https://fedorahosted.org/freeipa/ticket/3901
* kdb-princ: Fix memory leak (Simo Sorce, 2013-08-28, 1 file, -0/+1)
| If we do not store the keys in the entry we need to free the array before continuing or the data is leaked.
| CoverityID: 11910
| Fixes: https://fedorahosted.org/freeipa/ticket/3884
* Use libunistring ulc_casecmp() on unicode strings (Nathaniel McCallum, 2013-07-18, 1 file, -3/+12)
| https://fedorahosted.org/freeipa/ticket/3772
* ipa-kdb: Add OTP support (Nathaniel McCallum, 2013-05-17, 1 file, -0/+28)
| If OTP is enabled for a user, then:
|   1. Long-term keys are not provided to KDB
|   2. The user string 'otp' is defined to KDB
| Since it is not secure to send radius configuration information over krb5 user strings, we simply set the string to a known default ('[]') which enables the default configuration in the KDC.
| https://fedorahosted.org/freeipa/ticket/3561
| http://freeipa.org/page/V3/OTP
* ipa-kdb: Read ipaKrbAuthzData with other principal data (Sumit Bose, 2013-03-08, 1 file, -0/+17)
| The ipaKrbAuthzData LDAP attribute is read together with the other data of the requested principal and the read value(s) are stored in the e-data of the entry for later use.
| https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: remove unused variable (Sumit Bose, 2013-02-28, 1 file, -1/+1)
|
* Prevent integer overflow when setting krbPasswordExpiration (Tomas Babej, 2013-02-08, 1 file, -13/+13)
| Since 32-bit unix timestamps are used in Kerberos V5, setting maxlife in pwpolicy to values such as 9999 days would cause integer overflow in krbPasswordExpiration attribute.
| This would result in unpredictable behaviour such as users not being able to log in after password expiration if password policy was changed (#3114) or new users not being able to log in at all (#3312).
| The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.
| https://fedorahosted.org/freeipa/ticket/3312
| https://fedorahosted.org/freeipa/ticket/3114
* ipadb_iterate(): handle match_entry == NULL (Sumit Bose, 2012-09-05, 1 file, -0/+6)
| If match_entry == NULL all principals should be iterated.
| Additionally this patch adds a check in ipadb_filter_escape() to make sure that the input is not NULL.
| Fixes: https://fedorahosted.org/freeipa/ticket/3011
* Move code into common krb5 utils (Simo Sorce, 2012-07-30, 1 file, -141/+7)
| This moves the decoding function that reads the keys from the ber format into a structure in the common krb5 util code right below the function that encodes the same data structure into a ber format. This way the 2 functions are in the same place and can be both used by all ipa components.
* Perform case-insensitive searches for principals on TGS requests (Alexander Bokovoy, 2012-06-07, 1 file, -21/+52)
| We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contains upper case letters.
| The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
| https://fedorahosted.org/freeipa/ticket/1577
* Fix theoretical leak discovered by coverity (Simo Sorce, 2012-04-17, 1 file, -0/+1)
| This was introduced when we started checking the return from ipadb_get_context() to silence another coverity report. That condition can never be true in this function but whatever ... let's silence Coverity once again :)
* Fix memleak and silence Coverity defects (Simo Sorce, 2012-03-22, 1 file, -0/+3)
| Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues.
| One memleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
| Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count beforehand so we never actually use the wrong value that is computed on the last pass when p == 0
| Fixes: https://fedorahosted.org/freeipa/ticket/2488
* ipa-kdb: set krblastpwdchange only when keys have been effectively changed (Simo Sorce, 2012-02-15, 1 file, -2/+4)
|
* ipa-kdb: Avoid lookup on modify if possible (Simo Sorce, 2012-02-15, 1 file, -19/+27)
| This avoids one useless search if we already have the entry_dn.
* ipa-kdb: add AS auditing support (Simo Sorce, 2012-02-14, 1 file, -16/+20)
| Fixes: https://fedorahosted.org/freeipa/ticket/2334
* ipa-kdb: fix free() of uninitialized var (Simo Sorce, 2011-11-29, 1 file, -0/+1)
|
* Add support for generating PAC for AS requests for user principals (Simo Sorce, 2011-11-07, 1 file, -0/+7)
|
* Fix CID 11025: Resource leak (Simo Sorce, 2011-11-07, 1 file, -2/+2)
| https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11024: Resource leak (Simo Sorce, 2011-11-07, 1 file, -0/+1)
| https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11023: Resource leak (Simo Sorce, 2011-11-07, 1 file, -0/+1)
| https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11022: Resource leak (Simo Sorce, 2011-11-07, 1 file, -0/+7)
| https://fedorahosted.org/freeipa/ticket/2037
* ipa-kdb: Fix legacy password hashes generation (Simo Sorce, 2011-10-06, 1 file, -0/+1)
| We were not searching for objectclass so the test to see if a user had the posixAccount attribute was failing and the user was not marked as ipa_user. This in turn caused us to not synchronize legacy hashes by not trying to store the userPassword attribute.
| Fixes: https://fedorahosted.org/freeipa/ticket/1820
* ipa-kdb: Fix expiration time calculation (Simo Sorce, 2011-09-26, 1 file, -16/+17)
| Expiration time should be enforced as per policy only for users and only when a password change occurs, in all other cases we should just let kadmin decide whether it is going to set a password expiration time or just leave it empty.
| In general service tickets have strong random passwords so they do not need a password policy or expiration at all.
| https://fedorahosted.org/freeipa/ticket/1839
* ipa-kdb: Properly set password expiration time. (Simo Sorce, 2011-09-19, 1 file, -4/+24)
| We do the policy check so we are the only one that can calculate the new pwd expiration time.
| Fixes: https://fedorahosted.org/freeipa/ticket/1793
* ipa-kdb: add password policy support (Simo Sorce, 2011-08-26, 1 file, -7/+164)
| Use default policy for new principals created by kadmin
* ipa-kdb: implement change_pwd function (Simo Sorce, 2011-08-26, 1 file, -6/+3)
|
* ipa-kdb: Get/Store Master Key directly from LDAP (Simo Sorce, 2011-08-26, 1 file, -4/+8)
|
* ipa-kdb: add functions to change principals (Simo Sorce, 2011-08-26, 1 file, -1/+763)
|
* ipa-kdb: add function to iterate over principals (Simo Sorce, 2011-08-26, 1 file, -1/+41)
|
* ipa-kdb: add functions to delete principals (Simo Sorce, 2011-08-26, 1 file, -1/+121)
|
* ipa-kdb: add function to free principals (Simo Sorce, 2011-08-26, 1 file, -1/+16)
|
* ipa-kdb: functions to get principal (Simo Sorce, 2011-08-26, 1 file, -0/+863)