summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-slapi-plugins/ipa-pwd-extop
Commit message (Collapse)AuthorAgeFilesLines
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-281-0/+1
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* Harmonize policy discovery to kdb driverSimo Sorce2014-01-161-89/+17
| | | | | | | | | | | The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085
* Remove CFLAGS duplication.Jan Cholasta2013-12-061-2/+1
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Remove generation and handling of LM hashesSumit Bose2013-11-014-63/+19
| | | | https://fedorahosted.org/freeipa/ticket/3795
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-301-8/+11
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Administrative password change does not respect password policyMartin Kosek2013-10-171-15/+29
| | | | | | | | | When Directory Manager or a PassSync agent is changing a password, it is not being expired, but standard expiration time should apply. However, default expiration time was always applied (90 days) even though administrator may have a custom policy for the user. https://fedorahosted.org/freeipa/ticket/3968
* Use the right attribute with ipapwd_entry_checks for MagicRegenSumit Bose2013-10-081-1/+2
| | | | | | | | | | | | | There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested.
* Ensure credentials structure is initializedNathaniel McCallum2013-10-021-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3953
* Fix -Wformat-security warningsKrzysztof Klimonda2013-09-161-4/+4
|
* pwd-plugin: Fix ignored return errorSimo Sorce2013-08-281-3/+8
| | | | | | | | | CoverityID: 11904 Also remove 'inline', the compiler can do it on its own if needed. Fixes: https://fedorahosted.org/freeipa/ticket/3882
* Add OTP support to ipa-pwd-extopNathaniel McCallum2013-05-179-25/+1362
| | | | | | | | | During LDAP bind, this now plugin determines if a user is enabled for OTP authentication. If so, then the OTP is validated in addition to the password. This allows 2FA during user binds. https://fedorahosted.org/freeipa/ticket/3367 http://freeipa.org/page/V3/OTP
* Remove unnecessary prefixes from ipa-pwd-extop filesNathaniel McCallum2013-05-175-6/+6
|
* ipa-pwd-extop: do not use dn until it is really setSumit Bose2013-04-021-20/+20
| | | | https://fedorahosted.org/freeipa/ticket/3539
* Remove build warningsMartin Kosek2013-03-291-1/+1
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Use new 389-ds-base cleartext password APIMartin Kosek2013-03-131-8/+12
| | | | | | | | | | The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
* ipa-pwd: Unchecked return value ipapwd_chpwop()Sumit Bose2013-02-281-1/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3427
* Password change in a transaction, ensure passwords are truly expiredRob Crittenden2012-12-073-4/+34
| | | | | | | | | | Wrap the password change extop in a transaction. Fix the case where a password is reset and then immediately used. If done fast enough then the KDC may not detect that the password is expired and grant access using the expired password rather than prompting for a reset. https://fedorahosted.org/freeipa/ticket/1064
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-214-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* Make encode_ntlm_keys() publicSumit Bose2012-09-062-196/+14
|
* Don't generate password history error if history is set to 0.Rob Crittenden2012-08-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2805
* Add special modify op to regen ipaNTHashSimo Sorce2012-07-301-3/+143
| | | | | | The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships.
* Improve loops around slapi modsSimo Sorce2012-07-301-68/+62
| | | | | Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute equvalence after a match (use if/else)
* Fix wrong check after allocation.Simo Sorce2012-07-071-1/+1
|
* Fix migration code password setting.Simo Sorce2012-05-171-0/+11
| | | | | | | | When we set a password we also need to make sure krbExtraData is set. If not kadmin will later complain that the object is corrupted at password change time. Ticket: https://fedorahosted.org/freeipa/ticket/2764
* Improve password change error messageMartin Kosek2012-02-032-3/+3
| | | | | | | | | | | User always receives the same error message if he changes his password via "ipa passwd" command and the new password fails configured password policy. He then has to investigate on his own the actual reason why was the policy violated. This patch improves our SLAPI PWD plugins to provide a better error message explaining the violation reason. https://fedorahosted.org/freeipa/ticket/2067
* Make pwd-extop aware of new ipaNTHash attributeSumit Bose2011-12-065-29/+89
|
* Fix CID 10745: Unchecked return valueSimo Sorce2011-11-071-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10743: Unchecked return valueSimo Sorce2011-11-071-2/+8
| | | | https://fedorahosted.org/freeipa/ticket/2036
* ipa-pwd-extop: allow password change on all connections with SSF>1Sumit Bose2011-10-051-13/+6
| | | | | | | Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments. https://fedorahosted.org/freeipa/ticket/1877
* ipa-pwd-extop: Enforce old password checksSimo Sorce2011-09-211-1/+64
| | | | | | | If a user is changing his own password, then require the old password to be sent for validation purposes. https://fedorahosted.org/freeipa/ticket/1814
* ipa-pwd-extop: Fix segfault in password change.Simo Sorce2011-09-211-0/+7
| | | | | Do not pass an empty buffer to ber_init() as it will assert. Check before hand and return an error.
* Fix typosYuri Chornoivan2011-09-075-6/+6
| | | | | | Fix "The the" and "classses" in FreeIPA code and messages. https://fedorahosted.org/freeipa/ticket/1480
* ipa-pwd-extop: Allow kadmin to set krb keysSimo Sorce2011-08-262-48/+100
| | | | | | | Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing a new set of keys. Only generate the userPassword and sambaXXPassword hashes. Also avoid checking policies in this case and if history is provided avoid regenerating the passwordHistory too.
* ipa-pwd-extop: Use common password policy codeSimo Sorce2011-08-264-448/+127
|
* ipa-pwd-extop: make encsalt parsing function commonSimo Sorce2011-08-261-91/+20
| | | | It is going to be used by the ipa-kdb module too.
* ipa-pwd-extop: Move encoding in common tooSimo Sorce2011-08-264-202/+50
| | | | Also to be used by ipa-kdb
* ipa-pwd-extop: Move encryption of keys in commonSimo Sorce2011-08-261-202/+9
| | | | This way we can reuse the same code from ipa-kdb later
* ipa-pwd-extop: Use common krb5 structs from kdb.hSimo Sorce2011-08-264-19/+14
| | | | This removes custom structures and allows easier sharing of code with ipa-kdb
* ipa-pwd-extop: re-indent code using old styleSimo Sorce2011-08-261-30/+30
|
* ipa-pwd-extop: Use the proper mkvno number in keysSimo Sorce2011-08-264-6/+6
| | | | | | | | Setting 0 will work as MIT KDCs assume the current master key when that is found. But it is a legacy compatibility mode and we should instead set the proper mkvno number on keys so changeing master key becomes possible w/o having to do a dump reload and stopping the service. This is especially important in replicated environments.
* ipa-pwd-extop: do not append mkvno to krbExtraDataSimo Sorce2011-08-261-9/+2
| | | | | mkvno is actually available as part of the key material. There is no need to store it in the krbExtraData field as it is unused there.
* ipa-pwd-extop: Remove unused variables and code to set themSimo Sorce2011-08-261-12/+0
|
* ipa-pwd_extop: use endian.h instead of nih functionSimo Sorce2011-08-263-10/+8
|
* Fix build warningsSimo Sorce2011-08-261-2/+2
| | | | Some are actual bugs.
* Don't set the password expiration to the current timeSimo Sorce2011-07-311-11/+14
| | | | This fixes a regression in the previous patch in ticket #1526.
* When setting a host password don't set krbPasswordExpiration.Rob Crittenden2011-07-291-8/+12
| | | | | | | This can cause problems if a host is enrolled, unenrolled and a password set. The password will be marked as expired like all new passwords are. https://fedorahosted.org/freeipa/ticket/1526
* Don't set krbLastPwdChange when setting a host OTP password.Rob Crittenden2011-07-183-37/+70
| | | | | | | | | | | | | | We have no visibility into whether an entry has a keytab or not so krbLastPwdChange is used as a rough guide. If this value exists during enrollment then it fails because the host is considered already joined. This was getting set when a OTP was added to a host that had already been enrolled (e.g. you enroll a host, unenroll it, set a OTP, then try to re-enroll). The second enrollment was failing because the enrollment plugin thought it was still enrolled becaused krbLastPwdChange was set. https://fedorahosted.org/freeipa/ticket/1357
* Reset failed login count to 0 when admin resets password.Rob Crittenden2011-07-131-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/1441
* Fix issues found by Coverity.Jan Cholasta2011-05-092-7/+30
| | | | tickets 1166, 1167, 1168, 1169
* Fix resource leaks.Simo Sorce2011-03-281-0/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1119
generated by cgit (git 2.34.1) at 2024-05-25 14:01:32 +0000