summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-kdb
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix MS-PAC checks when using s4u2proxySimo Sorce2012-04-031-4/+6
| | | | | | We were using the wrong principal in the s4u2proxy case. Fixes: https://fedorahosted.org/freeipa/ticket/2504
* Fix failure count interval attribute name in query for password policy.Rob Crittenden2012-03-291-1/+1
| | | | | | | This was causing the failure count interval to not be applied so the failure count was never reset to 0. https://fedorahosted.org/freeipa/ticket/2540
* Fix memleak and silence Coverity defectsSimo Sorce2012-03-223-0/+9
| | | | | | | | | | | | | | | Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues. One meleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count before hand so we never actually use the wrong value that is computed on the last pass when p == 0 Fixes: https://fedorahosted.org/freeipa/ticket/2488
* ipa-kdb: fix delegation acl checkSimo Sorce2012-02-281-2/+4
| | | | | We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent.
* policy: add function to check lockout policySimo Sorce2012-02-193-1/+62
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2393
* ipa-kdb: Fix ACL evaluatorSimo Sorce2012-02-201-1/+4
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2343
* Remove compat definesSimo Sorce2012-02-161-32/+0
| | | | | | | These definitions were needed during development to be a le to build against krb5 version < 1.10 These function headers and defintions are now available in 1.10 that is a hard dependency for freeipa 3.0, so we can safely drop them.
* ipa-kdb: set krblastpwdchange only when keys have been effectively changedSimo Sorce2012-02-151-2/+4
|
* ipa-kdb: Avoid lookup on modify if possibleSimo Sorce2012-02-151-19/+27
| | | | This avoids one useless search if we already have the entry_dn.
* ipa-kdb: add AS auditing supportSimo Sorce2012-02-147-91/+254
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2334
* ipa-kdb: Create PAC's KDC checksum with right keySimo Sorce2012-01-111-2/+89
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2170
* ipa-kdb: Verify the correct checksum in PAC validationSimo Sorce2012-01-111-5/+45
| | | | | | | | | | | | | | | | | | This patch requires a forthcoming change in MIT libraries which allows to pass NULL for the server_key to the krb5_pac_verify() function. In most cases we should always only check the KDC checksum to verify the PAC validity. The only exception is when we are releasing a ticket to a client from another realm. In this case the only signature we can check is the server checksum, and we use the cross-realm key to validate in this case. The previous code was working for normal cases because the kdc uses the same key to create the server and the kdc checksum for a TGT, but that is not true for evidence tickets (s4u2proxy) or cross-realm TGTs. Fixes: https://fedorahosted.org/freeipa/ticket/2169
* ipa-kdb: return properly when no PAC is availableSimo Sorce2011-12-091-10/+3
|
* ipa-kdb: Add delgation access control supportSimo Sorce2011-12-085-1/+342
|
* ipa-kdb: enhance deref searchesSimo Sorce2011-12-083-13/+39
| | | | | Allow to deref more than one attribute. The attrs searched are the same for all deref attributes at this time.
* ipa-kdb: Fix copy and paste typoSimo Sorce2011-12-071-1/+1
|
* ipa-kdb: fix memleaks in ipa_kdb_mspac.cSimo Sorce2011-12-021-7/+8
|
* ipa-kdb: Remove unused CFLAGS/LIBS from MakefilesSimo Sorce2011-12-021-2/+0
|
* ipa-kdb: fix free() of uninitialized varSimo Sorce2011-11-291-0/+1
|
* ipa-kdb: Support re-signing PAC with different checksumSimo Sorce2011-11-291-2/+52
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2122
* MS-PAC: Add support for verifying PAC in TGS requestsSimo Sorce2011-11-071-7/+62
| | | | Fake code for now, to be rebased later
* Add support for generating PAC for AS requests for user principalsSimo Sorce2011-11-076-1/+895
|
* Fix CID 11027: Wrong sizeof argumentSimo Sorce2011-11-071-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11026: Resource leakSimo Sorce2011-11-071-1/+4
| | | | https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11025: Resource leakSimo Sorce2011-11-071-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11024: Resource leakSimo Sorce2011-11-071-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11023: Resource leakSimo Sorce2011-11-071-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11022: Resource leakSimo Sorce2011-11-071-0/+7
| | | | https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11020: Resource leakSimo Sorce2011-11-071-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11019: Resource leakSimo Sorce2011-11-071-6/+7
| | | | https://fedorahosted.org/freeipa/ticket/2037
* ipa-kdb: Fix memory leakSimo Sorce2011-11-031-0/+1
|
* ipa-kdb: Fix legacy password hashes generationSimo Sorce2011-10-062-3/+2
| | | | | | | | | We were not searching for objectclass so the test to se if a user had the posixAccount attribute was failing and the user was not marked as ipa_user. This in turn caused us to not synchronize legacy hashes by not trying to store the userPassword attribute. Fixes: https://fedorahosted.org/freeipa/ticket/1820
* ipa-kdb: Fix expiration time calculationSimo Sorce2011-09-262-17/+18
| | | | | | | | | | | Expiration time should be enforced as per policy only for users and only when a password change occurs, ina ll other cases we should just let kadmin decide whther it is going to set a password expiration time or just leave it empty. In general service tickts have strong random passwords so they do not need a password policy or expiration at all. https://fedorahosted.org/freeipa/ticket/1839
* ipa-kdb: Properly set password expiration time.Simo Sorce2011-09-193-4/+74
| | | | | | | We do the policy check so we are the only one that can calculate the new pwd espiration time. Fixes: https://fedorahosted.org/freeipa/ticket/1793
* ipa-kdb: Be flexibleSimo Sorce2011-08-261-2/+2
| | | | | | | Although the proper values for booleans from LDAP should be only uppercase, 389ds does allow wrong cased values without complaining. And we still have some places where the wrong case is used. Avoid getting frustrating errors when reading these values out.
* ipa-kdb: add password policy supportSimo Sorce2011-08-264-8/+347
| | | | Use default policy for new principals created by kadmin
* ipa-kdb: implement change_pwd functionSimo Sorce2011-08-265-11/+116
|
* ipa-kdb: implement function to retrieve password policiesSimo Sorce2011-08-264-43/+209
|
* ipa-kdb: Get/Store Master Key directly from LDAPSimo Sorce2011-08-265-12/+264
|
* ipa-kdb: add functions to change principalsSimo Sorce2011-08-263-1/+804
|
* ipa-kdb: add function to iterate over principalsSimo Sorce2011-08-261-1/+41
|
* ipa-kdb: add functions to delete principalsSimo Sorce2011-08-261-1/+121
|
* ipa-kdb: add function to free principalsSimo Sorce2011-08-261-1/+16
|
* ipa-kdb: functions to get principalSimo Sorce2011-08-264-35/+884
|
* ipa-kdb: add common utility ldap wrapper functionsSimo Sorce2011-08-263-0/+464
|
* ipa-kdb: implement get_time functionSimo Sorce2011-08-262-1/+6
|
* ipa-kdb: initialize module functionsSimo Sorce2011-08-263-6/+384
| | | | | Initialize module also on ipadb_create invocation. This is what kdb5_util expects.
* ipa-kdb: add exports fileSimo Sorce2011-08-262-1/+14
| | | | limit exported symbols only to the ones actually needed by krb5kdc
* ipa-kdb: Initial plugin skeletonSimo Sorce2011-08-263-0/+229
generated by cgit (git 2.34.1) at 2024-06-21 08:29:37 +0000