| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
The function filter_pac was not filtering the pac at all; it was merely
augmenting it with additional data relevant to the IPA server.
Change the name of the function to avoid confusion.
While there I also simplified and cleaned up the code a bit with regard to
variable names and usage.
|
| |
This list is used to validate data in mspac filtering
| |
By keeping its definition in the mspac file it is easier to modify and make
sure any operation on it is handled in the same file.
| |
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ipa components.
| |
Signed-off-by: Simo Sorce <ssorce@redhat.com>
| |
If one or more of the external groups given in the PAC can be found in
the ipaExternalGroup objects and these objects are members of local
groups, the SIDs of the local groups are added to the PAC.
| |
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
|
| |
| |
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contains upper case letters.
The actual implementation follows hints set by the KDC. When AP_REQ is done, the KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
| |
'sid' is a stack variable; by assigning its address to the domain_sid pointer
we were later referencing garbage (whatever on the stack happened to be at
that address).
Properly copy the sid and allocate it on the provided memory context.
|
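The dangling-pointer bug described in the message above, and the copy-on-a-memory-context pattern that fixes it, as an added example in C. This is not ipa-kdb code: `struct dom_sid`, the parser and formatter, and the `mem_ctx` arena standing in for the "provided memory context" are all assumptions, and the SID string in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTHS 15

struct dom_sid {
    uint8_t  sid_rev_num;
    uint8_t  num_auths;
    uint8_t  id_auth[6];                   /* 48-bit big-endian identifier authority */
    uint32_t sub_auths[SID_MAX_SUB_AUTHS];
};

/* Hypothetical stand-in for the "provided memory context": an owner that
 * tracks every allocation so the caller releases them together. */
struct mem_ctx { void *ptrs[32]; size_t n; };

static void *ctx_alloc(struct mem_ctx *ctx, size_t len)
{
    if (ctx->n >= sizeof ctx->ptrs / sizeof ctx->ptrs[0])
        return NULL;
    void *p = calloc(1, len);
    if (p != NULL)
        ctx->ptrs[ctx->n++] = p;
    return p;
}

static void ctx_free_all(struct mem_ctx *ctx)
{
    for (size_t i = 0; i < ctx->n; i++)
        free(ctx->ptrs[i]);
    ctx->n = 0;
}

/* Parse "S-R-IA-SA1-SA2-..." into a caller-provided struct; rejects signs,
 * spaces, empty components and out-of-range values. */
static int dom_sid_parse(const char *str, struct dom_sid *sid)
{
    unsigned long long v[2 + SID_MAX_SUB_AUTHS];
    int n = 0;
    const char *p = str;
    memset(sid, 0, sizeof *sid);
    if (p[0] != 'S' || p[1] != '-')
        return -1;
    p++;
    while (*p == '-' && n < 2 + SID_MAX_SUB_AUTHS) {
        char *end;
        p++;
        if (*p < '0' || *p > '9')           /* strtoull would accept "-5" or " 5" */
            return -1;
        v[n++] = strtoull(p, &end, 10);     /* overflow yields ULLONG_MAX, rejected below */
        p = end;
    }
    if (*p != '\0' || n < 2 || v[0] > 255 || v[1] > 0xFFFFFFFFFFFFULL)
        return -1;
    sid->sid_rev_num = (uint8_t)v[0];
    for (int i = 0; i < 6; i++)
        sid->id_auth[i] = (uint8_t)(v[1] >> (8 * (5 - i)));
    for (int i = 2; i < n; i++) {
        if (v[i] > 0xFFFFFFFFULL)
            return -1;
        sid->sub_auths[sid->num_auths++] = (uint32_t)v[i];
    }
    return 0;
}

static int dom_sid_to_string(const struct dom_sid *sid, char *buf, size_t len)
{
    uint64_t ia = 0;
    for (int i = 0; i < 6; i++)
        ia = (ia << 8) | sid->id_auth[i];
    int n = snprintf(buf, len, "S-%u-%llu", sid->sid_rev_num, (unsigned long long)ia);
    if (n < 0 || (size_t)n >= len)
        return -1;
    for (int i = 0; i < sid->num_auths; i++) {
        int m = snprintf(buf + n, len - n, "-%u", sid->sub_auths[i]);
        if (m < 0 || (size_t)m >= len - n)
            return -1;
        n += m;
    }
    return 0;
}

/* The fix: a copy owned by ctx outlives the caller's stack frame. */
static struct dom_sid *dom_sid_dup(struct mem_ctx *ctx, const struct dom_sid *sid)
{
    struct dom_sid *copy = ctx_alloc(ctx, sizeof *copy);
    if (copy != NULL)
        memcpy(copy, sid, sizeof *copy);
    return copy;
}

/* 'sid' is a local. The bug was handing out &sid, which dangles as soon as
 * this function returns; returning a ctx-owned copy is the corrected pattern. */
static struct dom_sid *get_domain_sid(struct mem_ctx *ctx, const char *sid_str)
{
    struct dom_sid sid;
    if (dom_sid_parse(sid_str, &sid) != 0)
        return NULL;
    return dom_sid_dup(ctx, &sid);
}

int main(void)
{
    struct mem_ctx ctx = { {0}, 0 };
    char buf[128];
    struct dom_sid *domain_sid = get_domain_sid(&ctx, "S-1-5-21-1234-5678-9012");
    if (domain_sid != NULL && dom_sid_to_string(domain_sid, buf, sizeof buf) == 0)
        printf("domain SID: %s (%u sub-authorities)\n", buf, domain_sid->num_auths);
    ctx_free_all(&ctx);
    return 0;
}
```

The parser deliberately refuses the inputs `strtoull` would silently accept (a leading sign, whitespace, an empty component), since SIDs from an untrusted PAC are exactly where lenient parsing hurts.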
| |
If a user became locked due to too many failed logins and then was
unlocked by an administrator, the account would not lock again. This
was caused by two things:
- We were incrementing the fail counter before checking to see if the
account was already locked out.
- The current fail count wasn't taken into consideration when
deciding if the account is locked.
The sequence was this:
1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
updating the last_failed date.
So I reversed 2 and 3 and check to see if the fail count exceeds policy.
https://fedorahosted.org/freeipa/ticket/2765
|
| |
This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)
|
| |
We were using the wrong principal in the s4u2proxy case.
Fixes: https://fedorahosted.org/freeipa/ticket/2504
|
| |
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.
https://fedorahosted.org/freeipa/ticket/2540
|
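The lock-check ordering from the ticket 2765 message above and the failure count interval reset from the ticket 2540 message directly above, as one added example in C. This is not ipa-kdb code: the struct and function names, the policy fields and the timeline in `main` are assumptions modelled on the terms the two messages use (failcount, last_failed, lockout_duration, failure count interval).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct lockout_policy {
    uint32_t max_failures;       /* lock once failcount reaches this; 0 = never lock */
    int64_t  failcount_interval; /* seconds after which old failures stop counting; 0 = never reset */
    int64_t  lockout_duration;   /* seconds an account stays locked; 0 = until admin unlock */
};

struct account_state {
    uint32_t failcount;   /* failed logins counted for the principal */
    int64_t  last_failed; /* time of the last counted failure, epoch seconds; 0 = never */
    bool     dirty;       /* true when the state must be written back to LDAP */
};

/* An account is locked only if the fail count has reached policy AND the
 * lockout window since last_failed has not elapsed. Consulting the count
 * is the second fix: a stale last_failed alone never locks anyone. */
static bool account_is_locked(const struct lockout_policy *p,
                              const struct account_state *s, int64_t now)
{
    if (p->max_failures == 0 || s->failcount < p->max_failures)
        return false;
    if (p->lockout_duration == 0)
        return true;
    return now < s->last_failed + p->lockout_duration;
}

/* Record one failed authentication at time 'now'; returns true when the
 * account is locked afterwards. The order (lock check, interval reset,
 * increment) is the first fix. */
static bool record_failed_auth(const struct lockout_policy *p,
                               struct account_state *s, int64_t now)
{
    /* 1. Inside an active lockout: count nothing and write nothing, so
     *    retries neither extend the lock nor cost an LDAP write. */
    if (account_is_locked(p, s, now))
        return true;

    /* 2. Failure count interval: failures older than the interval no
     *    longer count, so the counter restarts from zero. */
    if (p->failcount_interval > 0 && s->last_failed != 0 &&
        now - s->last_failed > p->failcount_interval)
        s->failcount = 0;

    /* 3. Only now count this failure and stamp it. */
    s->failcount++;
    s->last_failed = now;
    s->dirty = true;

    return account_is_locked(p, s, now);
}

/* A successful login or an administrator unlock both reset the counter. */
static void reset_failures(struct account_state *s)
{
    s->failcount = 0;
    s->dirty = true;
}

int main(void)
{
    struct lockout_policy p = { 3, 60, 600 };
    struct account_state s = { 0, 0, false };
    int64_t t;

    for (t = 0; t < 4; t++) {   /* three failures lock; the fourth is not counted */
        bool locked = record_failed_auth(&p, &s, t);
        printf("t=%2lld fail -> locked=%d failcount=%u\n", (long long)t, locked, s.failcount);
    }
    reset_failures(&s);         /* administrator unlocks */
    for (t = 20; t < 23; t++) { /* the account must be lockable again */
        bool locked = record_failed_auth(&p, &s, t);
        printf("t=%2lld fail -> locked=%d failcount=%u\n", (long long)t, locked, s.failcount);
    }
    return 0;
}
```

Reversing the increment and the lock check is what makes the admin-unlock scenario work: with `failcount` at 0 the first failure after the unlock is counted instead of being swallowed by a stale lock window.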
| |
Some of these are not real defects, because we are guaranteed to have a valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.
One memory leak on an error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
Silence errors in ipa-client/ipa-getkeytab.c; the code looks wrong, but it is
actually fine as we count beforehand, so we never actually use the wrong value
that is computed on the last pass when p == 0
Fixes: https://fedorahosted.org/freeipa/ticket/2488
|
| |
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2393
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2343
|
| |
These definitions were needed during development to be able to build against
krb5 versions < 1.10.
These function headers and definitions are now available in 1.10, which is a hard
dependency for freeipa 3.0, so we can safely drop them.
|
| |
| |
This avoids one useless search if we already have the entry_dn.
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2334
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2170
|
| |
This patch requires a forthcoming change in MIT libraries which allows passing
NULL for the server_key to the krb5_pac_verify() function.
In most cases we should always only check the KDC checksum to verify the PAC
validity.
The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.
The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.
Fixes: https://fedorahosted.org/freeipa/ticket/2169
|
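Why the old code only worked for TGTs, shown as an added example in C that is not ipa-kdb or MIT code. The PAC's two signatures (server checksum over the body, KDC checksum over the server checksum) are modelled with a toy keyed checksum that is not cryptographic; `pac_verify` only mirrors the "NULL key means skip that checksum" semantics the message relies on, not the real `krb5_pac_verify()` signature, and all keys and the PAC body are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy keyed checksum: FNV-1a over key || msg || key. NOT cryptographic; it
 * stands in for the keyed PAC checksum types so the flow runs without libkrb5. */
static uint64_t fnv1a(uint64_t h, const uint8_t *d, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= d[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t toy_mac(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen)
{
    uint64_t h = 14695981039346656037ULL;
    h = fnv1a(h, key, klen);
    h = fnv1a(h, msg, mlen);
    return fnv1a(h, key, klen);
}

/* Server checksum: over the body, keyed with the ticket's service key.
 * KDC checksum: over the server checksum, keyed with the issuing krbtgt key. */
struct pac {
    uint8_t  body[64];
    size_t   body_len;
    uint64_t server_cksum;
    uint64_t kdc_cksum;
};

static void pac_sign(struct pac *p, const uint8_t *skey, size_t skl,
                     const uint8_t *kkey, size_t kkl)
{
    p->server_cksum = toy_mac(skey, skl, p->body, p->body_len);
    p->kdc_cksum = toy_mac(kkey, kkl, (const uint8_t *)&p->server_cksum, sizeof p->server_cksum);
}

/* A NULL key skips that checksum (assumed semantics of the MIT change). */
static bool pac_verify(const struct pac *p, const uint8_t *skey, size_t skl,
                       const uint8_t *kkey, size_t kkl)
{
    if (skey != NULL && toy_mac(skey, skl, p->body, p->body_len) != p->server_cksum)
        return false;
    if (kkey != NULL && toy_mac(kkey, kkl, (const uint8_t *)&p->server_cksum,
                                sizeof p->server_cksum) != p->kdc_cksum)
        return false;
    return true;
}

/* Constructed keys for the scenarios below, not real key material. */
#define KEY(name) name, (sizeof(name) - 1)
static const uint8_t KRBTGT_KEY[]  = "local-krbtgt-key";
static const uint8_t SERVICE_KEY[] = "HTTP-service-key";
static const uint8_t XREALM_KEY[]  = "cross-realm-krbtgt-key";
static const uint8_t FOREIGN_KDC[] = "foreign-realm-krbtgt-key";

static struct pac make_pac(const uint8_t *skey, size_t skl, const uint8_t *kkey, size_t kkl)
{
    struct pac p;
    static const char body[] = "constructed PAC logon info";
    memset(&p, 0, sizeof p);
    p.body_len = sizeof body - 1;
    memcpy(p.body, body, p.body_len);
    pac_sign(&p, skey, skl, kkey, kkl);
    return p;
}

/* TGT: the server is krbtgt, so both checksums use the same key and the old
 * code (always passing the krbtgt key as server key) happened to work. */
bool verify_tgt_with_old_code(void)
{
    struct pac p = make_pac(KEY(KRBTGT_KEY), KEY(KRBTGT_KEY));
    return pac_verify(&p, KEY(KRBTGT_KEY), KEY(KRBTGT_KEY));
}

/* S4U2proxy evidence ticket: the server checksum is keyed with the service's
 * key, so the old code's check with the krbtgt key fails. */
bool verify_evidence_with_old_code(void)
{
    struct pac p = make_pac(KEY(SERVICE_KEY), KEY(KRBTGT_KEY));
    return pac_verify(&p, KEY(KRBTGT_KEY), KEY(KRBTGT_KEY));
}

/* The fix: check only the KDC checksum (server key NULL). */
bool verify_evidence_kdc_only(void)
{
    struct pac p = make_pac(KEY(SERVICE_KEY), KEY(KRBTGT_KEY));
    return pac_verify(&p, NULL, 0, KEY(KRBTGT_KEY));
}

/* Cross-realm: the foreign KDC checksum cannot be checked here, so only the
 * server checksum is verified, with the cross-realm key; a modified body fails. */
bool verify_cross_realm_server_only(bool tamper)
{
    struct pac p = make_pac(KEY(XREALM_KEY), KEY(FOREIGN_KDC));
    if (tamper)
        p.body[0] ^= 0x01;
    return pac_verify(&p, KEY(XREALM_KEY), NULL, 0);
}

int main(void)
{
    printf("TGT, old code: %d\n", verify_tgt_with_old_code());
    printf("evidence ticket, old code: %d\n", verify_evidence_with_old_code());
    printf("evidence ticket, KDC checksum only: %d\n", verify_evidence_kdc_only());
    printf("cross-realm, server checksum only: %d (tampered: %d)\n",
           verify_cross_realm_server_only(false), verify_cross_realm_server_only(true));
    return 0;
}
```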
| |
|
| |
| |
Allow dereferencing more than one attribute.
The attrs searched are the same for all deref attributes at this time.
|
| |
|
| |
|
| |
|
| |
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2122
|
| |
Fake code for now, to be rebased later
|
| |
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
| |
| |
We were not searching for objectclass so the test to see if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1820
|
| |
Expiration time should be enforced as per policy only for users and only when a
password change occurs; in all other cases we should just let kadmin decide
whether it is going to set a password expiration time or just leave it empty.
In general service tickets have strong random passwords so they do not need a
password policy or expiration at all.
https://fedorahosted.org/freeipa/ticket/1839
|
| |
We do the policy check so we are the only one that can calculate the new
pwd expiration time.
Fixes: https://fedorahosted.org/freeipa/ticket/1793
|
| |
Although the proper values for booleans from LDAP should be only uppercase,
389ds does allow wrongly cased values without complaining. And we still have some
places where the wrong case is used.
Avoid getting frustrating errors when reading these values out.
|
| |
Use default policy for new principals created by kadmin
|
| |
|
| |
|