| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3896
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3795
|
|
|
|
|
|
|
| |
Some error strings were duplicate which makes it then harder to
see what is the real root cause of it.
https://fedorahosted.org/freeipa/ticket/3988
|
|
|
|
|
|
|
|
|
| |
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, default expiration time was always applied (90 days)
even though administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3953
|
| |
|
|
|
|
|
|
|
|
|
| |
CoverityID: 11904
Also remove 'inline', the compiler can do it on its own if needed.
Fixes:
https://fedorahosted.org/freeipa/ticket/3882
|
|
|
|
|
|
|
|
|
| |
During LDAP bind, this now plugin determines if a user is enabled
for OTP authentication. If so, then the OTP is validated in addition
to the password. This allows 2FA during user binds.
https://fedorahosted.org/freeipa/ticket/3367
http://freeipa.org/page/V3/OTP
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3539
|
|
|
|
|
|
| |
Fix rpm build warnings report in Fedora 19 build.
https://fedorahosted.org/freeipa/ticket/3500
|
|
|
|
|
|
|
|
|
|
| |
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3427
|
|
|
|
|
|
|
|
|
|
| |
Wrap the password change extop in a transaction.
Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.
https://fedorahosted.org/freeipa/ticket/1064
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.
Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).
Fix some unit tests that are failing because we actually get the data
now due to transactions.
Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.
Deprecate wait_for_attr code.
Add a memberof fixup task for roles.
https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2805
|
|
|
|
|
|
| |
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
|
|
|
|
|
| |
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
|
| |
|
|
|
|
|
|
|
|
| |
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
|
|
|
|
|
|
|
|
|
|
|
| |
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.
https://fedorahosted.org/freeipa/ticket/2067
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
|
|
|
|
|
|
| |
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
|
|
|
|
|
|
|
| |
If a user is changing his own password, then require the old password to be
sent for validation purposes.
https://fedorahosted.org/freeipa/ticket/1814
|
|
|
|
|
| |
Do not pass an empty buffer to ber_init() as it will assert.
Check before hand and return an error.
|
|
|
|
|
|
| |
Fix "The the" and "classses" in FreeIPA code and messages.
https://fedorahosted.org/freeipa/ticket/1480
|
|
|
|
|
|
|
| |
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
|
| |
|
|
|
|
| |
It is going to be used by the ipa-kdb module too.
|
|
|
|
| |
Also to be used by ipa-kdb
|
|
|
|
| |
This way we can reuse the same code from ipa-kdb later
|
|
|
|
| |
This removes custom structures and allows easier sharing of code with ipa-kdb
|
| |
|
|
|
|
|
|
|
|
| |
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
|
|
|
|
|
| |
mkvno is actually available as part of the key material.
There is no need to store it in the krbExtraData field as it is unused there.
|
| |
|
| |
|
|
|
|
| |
Some are actual bugs.
|
|
|
|
| |
This fixes a regression in the previous patch in ticket #1526.
|
|
|
|
|
|
|
| |
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.
https://fedorahosted.org/freeipa/ticket/1526
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.
If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.
https://fedorahosted.org/freeipa/ticket/1357
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1441
|
|
|
|
| |
tickets 1166, 1167, 1168, 1169
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1119
|