| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.
Unit tests added to test_range_plugin.py
https://fedorahosted.org/freeipa/ticket/3086
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3166
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3104
|
|
|
|
|
|
|
|
|
|
|
| |
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.
http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions
https://fedorahosted.org/freeipa/ticket/3007
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2953
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2805
|
| |
|
|
|
|
|
|
| |
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
|
|
|
|
|
| |
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
|
|
|
|
|
|
|
| |
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
|
| |
|
|
|
|
|
|
|
| |
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.
https://fedorahosted.org/freeipa/ticket/2185
|
| |
|
|
|
|
|
|
| |
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
|
|
|
|
|
|
|
|
| |
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.
Fixes https://fedorahosted.org/freeipa/ticket/2825
|
|
|
|
|
|
| |
This in effect fixes uid, krbPrincipalName and homeDir.
https://fedorahosted.org/freeipa/ticket/2756
|
|
|
|
|
|
|
|
| |
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
|
|
|
|
|
|
|
|
|
| |
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.
All we really want to do is escape when we don't hvae an entry to modify.
https://fedorahosted.org/freeipa/ticket/2237
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.
This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.
https://fedorahosted.org/freeipa/ticket/2436
|
|
|
|
|
|
|
|
|
|
|
| |
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.
https://fedorahosted.org/freeipa/ticket/2067
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
|
|
|
|
|
|
| |
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
|
|
|
|
|
|
|
| |
If a user is changing his own password, then require the old password to be
sent for validation purposes.
https://fedorahosted.org/freeipa/ticket/1814
|
| |
|
|
|
|
|
| |
Do not pass an empty buffer to ber_init() as it will assert.
Check before hand and return an error.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1370
|
|
|
|
|
|
| |
Fix "The the" and "classses" in FreeIPA code and messages.
https://fedorahosted.org/freeipa/ticket/1480
|
|
|
|
|
|
|
| |
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
|
| |
|
|
|
|
| |
It is going to be used by the ipa-kdb module too.
|
|
|
|
| |
Also to be used by ipa-kdb
|
|
|
|
| |
This way we can reuse the same code from ipa-kdb later
|
|
|
|
| |
This removes custom structures and allows easier sharing of code with ipa-kdb
|
| |
|
|
|
|
|
|
|
|
| |
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
|
|
|
|
|
| |
mkvno is actually available as part of the key material.
There is no need to store it in the krbExtraData field as it is unused there.
|
| |
|
| |
|
|
|
|
| |
Some are actual bugs.
|