summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-slapi-plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Use new 389-ds-base cleartext password APIMartin Kosek2013-03-131-8/+12
| | | | | | | | | | The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-111-2/+2
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Perform secondary rid range overlap check for local ranges onlyTomas Babej2013-03-111-16/+25
| | | | | | | | | | | Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391
* ipa-pwd: Unchecked return value ipapwd_chpwop()Sumit Bose2013-02-281-1/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3427
* ipa-extdom: Double-free in ipa_extdom_common.cSumit Bose2013-02-281-1/+0
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3426
* ipa-lockout: Wrong sizeof argument in ipa_lockout.cSumit Bose2013-02-281-1/+1
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3425
* Password change in a transaction, ensure passwords are truly expiredRob Crittenden2012-12-073-4/+34
| | | | | | | | | | Wrap the password change extop in a transaction. Fix the case where a password is reset and then immediately used. If done fast enough then the KDC may not detect that the password is expired and grant access using the expired password rather than prompting for a reset. https://fedorahosted.org/freeipa/ticket/1064
* Honor the kdb options disabling KDC writes in ipa_lockout pluginRob Crittenden2012-12-051-1/+119
| | | | | | | | | | | | | Ther3 are two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-216-5/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* Forbid overlapping primary and secondary rid rangesTomas Babej2012-10-191-14/+97
| | | | | | | | | | | Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086
* extdom: handle INP_POSIX_UID and INP_POSIX_GID requestsSumit Bose2012-10-181-6/+32
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3166
* Fix various issues found by CoveritySumit Bose2012-10-175-11/+21
|
* Add SIDs for existing users and groups at the end of ipa-adtrust-installSumit Bose2012-10-043-10/+11
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3104
* Support the new Winsync POSIX API.Rob Crittenden2012-09-061-6/+50
| | | | | | | | | | | This will sync down the POSIX attributes from AD so we need to be careful to not mess with them when they are already set. This includes uidNumber, gidNumber, homeDirectory, loginShell and gecos. http://port389.org/wiki/WinSync_Posix http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions https://fedorahosted.org/freeipa/ticket/3007
* Make encode_ntlm_keys() publicSumit Bose2012-09-062-196/+14
|
* Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cbTomas Babej2012-09-041-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2953
* Don't generate password history error if history is set to 0.Rob Crittenden2012-08-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2805
* extdom: read ranges from LDAPSumit Bose2012-08-151-0/+72
|
* Add special modify op to regen ipaNTHashSimo Sorce2012-07-301-3/+143
| | | | | | The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships.
* Improve loops around slapi modsSimo Sorce2012-07-301-68/+62
| | | | | Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute equvalence after a match (use if/else)
* Do not check for DNA magic valuesSimo Sorce2012-07-262-8/+0
| | | | | | | The DNA magic value can be arbitrarily changed by admins so we cannot use a const value to check. And we relly do not need to check at all. If the DNA plugin is broken and leaves magic values to reach the post-op stage we have bigger problems. So just simply get rid of this check.
* Fix wrong check after allocation.Simo Sorce2012-07-071-1/+1
|
* Add range check preop pluginSumit Bose2012-06-294-0/+503
| | | | | | | To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges. https://fedorahosted.org/freeipa/ticket/2185
* Use lower case names in LDAP to meet freeIPA conventionSumit Bose2012-06-291-11/+11
|
* Add external domain extop DS pluginSumit Bose2012-06-288-0/+1180
| | | | | | This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or groups names and back.
* Add sidgen postop and taskSumit Bose2012-06-289-0/+1377
| | | | | | | | A postop plugin is added to create the SID for new created users and groups. A directory server task allows to set the SID for existing users and groups. Fixes https://fedorahosted.org/freeipa/ticket/2825
* Normalize uid to lower case in winsync.Rob Crittenden2012-05-251-1/+32
| | | | | | This in effect fixes uid, krbPrincipalName and homeDir. https://fedorahosted.org/freeipa/ticket/2756
* Fix migration code password setting.Simo Sorce2012-05-171-0/+11
| | | | | | | | When we set a password we also need to make sure krbExtraData is set. If not kadmin will later complain that the object is corrupted at password change time. Ticket: https://fedorahosted.org/freeipa/ticket/2764
* Return LDAP_SUCCESS on mods on a referral entry.Rob Crittenden2012-05-111-0/+9
| | | | | | | | | We currently return LDAP_REFERRAL which causes the mod to fail meaning that referral entries cannot be changed. All we really want to do is escape when we don't hvae an entry to modify. https://fedorahosted.org/freeipa/ticket/2237
* Treat UPGs correctly in winsync replicationMartin Kosek2012-03-152-11/+91
| | | | | | | | | | | | | | | | | | | | | | | | IPA winsync plugin failed to replicate users when default user group was non-posix even though User Private Groups (UPG) were enabled on the server. Both their uidNumber and gidNumber were empty and they missed essential object classes. When the default user group was made posix and UPG was disabled it did not set gidNumber to the default group gidNumber. This patch improves this behavior to set gidNumber correctly according to UPG configuration and the default group status (posix/non-posix). 4 situations can occur, the following list specifies what value is assigned to user gidNumber: 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber 2) Default group posix, UPG disabled: gidNumber = default group gidNumber 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber 4) Default group non-posix, UPG disabled: an error is printed to the dirsrv log as the gidNumber cannot be retrieved. User is replicated in the same way as before this patch, i.e. without essential object classes. https://fedorahosted.org/freeipa/ticket/2436
* Improve password change error messageMartin Kosek2012-02-032-3/+3
| | | | | | | | | | | User always receives the same error message if he changes his password via "ipa passwd" command and the new password fails configured password policy. He then has to investigate on his own the actual reason why was the policy violated. This patch improves our SLAPI PWD plugins to provide a better error message explaining the violation reason. https://fedorahosted.org/freeipa/ticket/2067
* ipa-cldap: Support clients asking for default domainSimo Sorce2012-01-051-1/+21
|
* Make pwd-extop aware of new ipaNTHash attributeSumit Bose2011-12-065-29/+89
|
* ipa-cldap: send cldap replySimo Sorce2011-11-211-0/+48
|
* ipa-cldap: Create netlogon blobSimo Sorce2011-11-214-0/+344
|
* ipa-cldap: Decode CLDAP request.Simo Sorce2011-11-212-0/+191
|
* ipa-cldap: Implement worker thread.Simo Sorce2011-11-212-1/+81
|
* Create skeleton CLDAP server as a DS pluginSimo Sorce2011-11-216-0/+425
|
* Fix CID 10745: Unchecked return valueSimo Sorce2011-11-071-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10743: Unchecked return valueSimo Sorce2011-11-071-2/+8
| | | | https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10742: Unchecked return valueSimo Sorce2011-11-071-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2036
* ipa-pwd-extop: allow password change on all connections with SSF>1Sumit Bose2011-10-052-26/+12
| | | | | | | Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments. https://fedorahosted.org/freeipa/ticket/1877
* ipa-pwd-extop: Enforce old password checksSimo Sorce2011-09-211-1/+64
| | | | | | | If a user is changing his own password, then require the old password to be sent for validation purposes. https://fedorahosted.org/freeipa/ticket/1814
* include <stdint.h> for uintptr_tMarko Myllynen2011-09-221-0/+1
|
* ipa-pwd-extop: Fix segfault in password change.Simo Sorce2011-09-211-0/+7
| | | | | Do not pass an empty buffer to ber_init() as it will assert. Check before hand and return an error.
* The precendence on the modrdn plugin was set in the wrong location.Rob Crittenden2011-09-131-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/1370
* Fix typosYuri Chornoivan2011-09-0714-15/+15
| | | | | | Fix "The the" and "classses" in FreeIPA code and messages. https://fedorahosted.org/freeipa/ticket/1480
* ipa-pwd-extop: Allow kadmin to set krb keysSimo Sorce2011-08-262-48/+100
| | | | | | | Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing a new set of keys. Only generate the userPassword and sambaXXPassword hashes. Also avoid checking policies in this case and if history is provided avoid regenerating the passwordHistory too.
* ipa-pwd-extop: Use common password policy codeSimo Sorce2011-08-264-448/+127
|
* ipa-pwd-extop: make encsalt parsing function commonSimo Sorce2011-08-261-91/+20
| | | | It is going to be used by the ipa-kdb module too.
generated by cgit (git 2.34.1) at 2025-09-01 19:56:20 +0000