path: root/daemons/ipa-slapi-plugins
Commit message | Author | Age | Files | Lines
* Add special modify op to regen ipaNTHash | Simo Sorce | 2012-07-30 | 1 | -3/+143
  The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships.
* Improve loops around slapi mods | Simo Sorce | 2012-07-30 | 1 | -68/+62
  Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute equivalence after a match (use if/else)
* Do not check for DNA magic values | Simo Sorce | 2012-07-26 | 2 | -8/+0
  The DNA magic value can be arbitrarily changed by admins so we cannot use a const value to check. And we really do not need to check at all. If the DNA plugin is broken and leaves magic values to reach the post-op stage we have bigger problems. So just simply get rid of this check.
* Fix wrong check after allocation. | Simo Sorce | 2012-07-07 | 1 | -1/+1
* Add range check preop plugin | Sumit Bose | 2012-06-29 | 4 | -0/+503
  To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges.
  https://fedorahosted.org/freeipa/ticket/2185
* Use lower case names in LDAP to meet freeIPA convention | Sumit Bose | 2012-06-29 | 1 | -11/+11
* Add external domain extop DS plugin | Sumit Bose | 2012-06-28 | 8 | -0/+1180
  This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or group names and back.
* Add sidgen postop and task | Sumit Bose | 2012-06-28 | 9 | -0/+1377
  A postop plugin is added to create the SID for newly created users and groups. A directory server task allows setting the SID for existing users and groups.
  Fixes https://fedorahosted.org/freeipa/ticket/2825
* Normalize uid to lower case in winsync. | Rob Crittenden | 2012-05-25 | 1 | -1/+32
  This in effect fixes uid, krbPrincipalName and homeDir.
  https://fedorahosted.org/freeipa/ticket/2756
* Fix migration code password setting. | Simo Sorce | 2012-05-17 | 1 | -0/+11
  When we set a password we also need to make sure krbExtraData is set. If not, kadmin will later complain that the object is corrupted at password change time.
  Ticket: https://fedorahosted.org/freeipa/ticket/2764
* Return LDAP_SUCCESS on mods on a referral entry. | Rob Crittenden | 2012-05-11 | 1 | -0/+9
  We currently return LDAP_REFERRAL which causes the mod to fail meaning that referral entries cannot be changed. All we really want to do is escape when we don't have an entry to modify.
  https://fedorahosted.org/freeipa/ticket/2237
* Treat UPGs correctly in winsync replication | Martin Kosek | 2012-03-15 | 2 | -11/+91
  IPA winsync plugin failed to replicate users when default user group was non-posix even though User Private Groups (UPG) were enabled on the server. Both their uidNumber and gidNumber were empty and they missed essential object classes. When the default user group was made posix and UPG was disabled it did not set gidNumber to the default group gidNumber.
  This patch improves this behavior to set gidNumber correctly according to UPG configuration and the default group status (posix/non-posix). 4 situations can occur, the following list specifies what value is assigned to user gidNumber:
  1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
  2) Default group posix, UPG disabled: gidNumber = default group gidNumber
  3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
  4) Default group non-posix, UPG disabled: an error is printed to the dirsrv log as the gidNumber cannot be retrieved. User is replicated in the same way as before this patch, i.e. without essential object classes.
  https://fedorahosted.org/freeipa/ticket/2436
* Improve password change error message | Martin Kosek | 2012-02-03 | 2 | -3/+3
  User always receives the same error message if he changes his password via "ipa passwd" command and the new password fails configured password policy. He then has to investigate on his own the actual reason why the policy was violated. This patch improves our SLAPI PWD plugins to provide a better error message explaining the violation reason.
  https://fedorahosted.org/freeipa/ticket/2067
* ipa-cldap: Support clients asking for default domain | Simo Sorce | 2012-01-05 | 1 | -1/+21
* Make pwd-extop aware of new ipaNTHash attribute | Sumit Bose | 2011-12-06 | 5 | -29/+89
* ipa-cldap: send cldap reply | Simo Sorce | 2011-11-21 | 1 | -0/+48
* ipa-cldap: Create netlogon blob | Simo Sorce | 2011-11-21 | 4 | -0/+344
* ipa-cldap: Decode CLDAP request. | Simo Sorce | 2011-11-21 | 2 | -0/+191
* ipa-cldap: Implement worker thread. | Simo Sorce | 2011-11-21 | 2 | -1/+81
* Create skeleton CLDAP server as a DS plugin | Simo Sorce | 2011-11-21 | 6 | -0/+425
* Fix CID 10745: Unchecked return value | Simo Sorce | 2011-11-07 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10743: Unchecked return value | Simo Sorce | 2011-11-07 | 1 | -2/+8
  https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10742: Unchecked return value | Simo Sorce | 2011-11-07 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/2036
* ipa-pwd-extop: allow password change on all connections with SSF>1 | Sumit Bose | 2011-10-05 | 2 | -26/+12
  Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments.
  https://fedorahosted.org/freeipa/ticket/1877
* ipa-pwd-extop: Enforce old password checks | Simo Sorce | 2011-09-21 | 1 | -1/+64
  If a user is changing his own password, then require the old password to be sent for validation purposes.
  https://fedorahosted.org/freeipa/ticket/1814
* include <stdint.h> for uintptr_t | Marko Myllynen | 2011-09-22 | 1 | -0/+1
* ipa-pwd-extop: Fix segfault in password change. | Simo Sorce | 2011-09-21 | 1 | -0/+7
  Do not pass an empty buffer to ber_init() as it will assert. Check beforehand and return an error.
* The precedence on the modrdn plugin was set in the wrong location. | Rob Crittenden | 2011-09-13 | 1 | -0/+1
  https://fedorahosted.org/freeipa/ticket/1370
* Fix typos | Yuri Chornoivan | 2011-09-07 | 14 | -15/+15
  Fix "The the" and "classses" in FreeIPA code and messages.
  https://fedorahosted.org/freeipa/ticket/1480
* ipa-pwd-extop: Allow kadmin to set krb keys | Simo Sorce | 2011-08-26 | 2 | -48/+100
  Prevent the ipa-pwd-extop plugin from re-generating keys when kadmin is storing a new set of keys. Only generate the userPassword and sambaXXPassword hashes. Also avoid checking policies in this case and if history is provided avoid regenerating the passwordHistory too.
* ipa-pwd-extop: Use common password policy code | Simo Sorce | 2011-08-26 | 4 | -448/+127
* ipa-pwd-extop: make encsalt parsing function common | Simo Sorce | 2011-08-26 | 1 | -91/+20
  It is going to be used by the ipa-kdb module too.
* ipa-pwd-extop: Move encoding in common too | Simo Sorce | 2011-08-26 | 4 | -202/+50
  Also to be used by ipa-kdb
* ipa-pwd-extop: Move encryption of keys in common | Simo Sorce | 2011-08-26 | 1 | -202/+9
  This way we can reuse the same code from ipa-kdb later
* ipa-pwd-extop: Use common krb5 structs from kdb.h | Simo Sorce | 2011-08-26 | 4 | -19/+14
  This removes custom structures and allows easier sharing of code with ipa-kdb
* ipa-pwd-extop: re-indent code using old style | Simo Sorce | 2011-08-26 | 1 | -30/+30
* ipa-pwd-extop: Use the proper mkvno number in keys | Simo Sorce | 2011-08-26 | 4 | -6/+6
  Setting 0 will work as MIT KDCs assume the current master key when that is found. But it is a legacy compatibility mode and we should instead set the proper mkvno number on keys so changing master key becomes possible w/o having to do a dump reload and stopping the service. This is especially important in replicated environments.
* ipa-pwd-extop: do not append mkvno to krbExtraData | Simo Sorce | 2011-08-26 | 1 | -9/+2
  mkvno is actually available as part of the key material. There is no need to store it in the krbExtraData field as it is unused there.
* ipa-pwd-extop: Remove unused variables and code to set them | Simo Sorce | 2011-08-26 | 1 | -12/+0
* ipa-pwd_extop: use endian.h instead of nih function | Simo Sorce | 2011-08-26 | 3 | -10/+8
* Fix build warnings | Simo Sorce | 2011-08-26 | 3 | -13/+15
  Some are actual bugs.
* Fix thread deadlock by using pthreads library instead of NSPR. | Rob Crittenden | 2011-08-24 | 2 | -14/+12
  The 389-ds team is in the process of exposing slapi_rwlock which we will switch to when it is available.
  https://fedorahosted.org/freeipa/ticket/1630
* Don't set the password expiration to the current time | Simo Sorce | 2011-07-31 | 1 | -11/+14
  This fixes a regression in the previous patch in ticket #1526.
* When setting a host password don't set krbPasswordExpiration. | Rob Crittenden | 2011-07-29 | 1 | -8/+12
  This can cause problems if a host is enrolled, unenrolled and a password set. The password will be marked as expired like all new passwords are.
  https://fedorahosted.org/freeipa/ticket/1526
* Don't set krbLastPwdChange when setting a host OTP password. | Rob Crittenden | 2011-07-18 | 3 | -37/+70
  We have no visibility into whether an entry has a keytab or not so krbLastPwdChange is used as a rough guide. If this value exists during enrollment then it fails because the host is considered already joined. This was getting set when an OTP was added to a host that had already been enrolled (e.g. you enroll a host, unenroll it, set an OTP, then try to re-enroll). The second enrollment was failing because the enrollment plugin thought it was still enrolled because krbLastPwdChange was set.
  https://fedorahosted.org/freeipa/ticket/1357
* Reset failed login count to 0 when admin resets password. | Rob Crittenden | 2011-07-13 | 1 | -0/+6
  https://fedorahosted.org/freeipa/ticket/1441
* memory leak in ipa_winsync_get_new_ds_user_dn_cb | Rich Megginson | 2011-06-28 | 1 | -0/+1
  The new_dn_string passed into this function is malloc'd. It must be freed before we reassign the value.
* modify user deleted in AD crashes winsync | Rich Megginson | 2011-06-28 | 1 | -1/+8
  https://fedorahosted.org/freeipa/ticket/1382
  crash in winsync if replaying a MOD and user does not exist in AD
  If the AD entry is deleted before the deletion can be synced back to IPA, and in the meantime an operation is performed on the corresponding entry in IPA that should be synced to AD, winsync attempts to get the AD entry and it is empty. This just means the operation will not go through, and the entry will be deleted when the sync from AD happens. The IPA winsync plugin needs to handle the case when the ad_entry is NULL.
* winsync enables disabled users in AD | Rich Megginson | 2011-06-28 | 1 | -3/+5
  https://fedorahosted.org/freeipa/ticket/1379
  winsync enables disabled users in AD when the AD entry changes
  This was likely broken when ipa switched from using CoS/groups for account inactivation to using nsAccountLock directly. The code that handled the account sync in the from AD direction was broken, but was never found before now because it had not been used. The fix is to correctly set or remove nsAccountLock.
* Fix issues found by Coverity. | Jan Cholasta | 2011-05-09 | 4 | -14/+54
  tickets 1166, 1167, 1168, 1169