| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1441
|
| |
|
|
|
| |
The new_dn_string passed into this function is malloc'd. It
must be freed before we reassign the value.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1382
crash in winsync if replaying a MOD and user does not exist in AD
If the AD entry is deleted before the deletion can be synced back to IPA,
and in the meantime an operation is performed on the corresponding
entry in IPA that should be synced to AD, winsync attempts to get the
AD entry and it is empty. This just means the operation will not go
through, and the entry will be deleted when the sync from AD happens.
The IPA winsync plugin needs to handle the case when the ad_entry
is NULL.
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly. The code that handled the
account sync in the from AD direction was broken, but was never found before
now because it had not been used. The fix is to correctly set or remove
nsAccountLock.
|
| |
|
|
| |
tickets 1166, 1167, 1168, 1169
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1119
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1118
|
| |
|
|
|
|
| |
directly change nsAccountLock on the entry if they are not used
Fixes: https://fedorahosted.org/freeipa/ticket/1021
|
| |
|
|
|
|
|
|
|
| |
We need to set uidNumber and gidNumber to the magic values so that DNA can
assign appropriate Ids, otherwise the synchronization of users from AD will
fail with an error about posixAccount requiring a missing (uidNumber)
attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1020
|
| |
|
|
|
|
| |
Fix RDN construction.
Fixes: https://fedorahosted.org/freeipa/ticket/1015
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/266
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN. The problem is that the operation in the pblock holds
a pointer to the old DN address. This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes. This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.
The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.
ticket 963
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.
Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.
The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).
Fixes: https://fedorahosted.org/freeipa/ticket/976
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.
Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.
ticket 606
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/949
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/937
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.
When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.
Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.
ticket 918
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/813
|
| |
|
|
|
|
|
|
| |
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
|
| |
|
|
|
|
|
| |
Return values weren't checked in several cases which could
have lead to unhandled errors.
https://fedorahosted.org/freeipa/ticket/722
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.
Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.
https://fedorahosted.org/freeipa/ticket/715
|
| |
|
|
|
|
|
| |
This patch increases robustness in PRE MOD password SLAPI module
by ensuring that an uninitialized pointer is not dereferenced.
https://fedorahosted.org/freeipa/ticket/719
|
| |
|
|
|
|
|
|
| |
Omiting return value of calloc in ipa_pwd_extop.c could lead to
memory access issues when memory is full. This patch adds return
value check.
https://fedorahosted.org/freeipa/ticket/717
|
| |
|
|
|
|
|
| |
This patch fixes a situation where an uninitialized pointer
is passed to free().
https://fedorahosted.org/freeipa/ticket/713
|
| |
|
|
|
|
|
|
|
| |
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.
https://fedorahosted.org/freeipa/ticket/576
|
| |
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.
Fixes: https://fedorahosted.org/freeipa/ticket/529
|
| |
|
|
| |
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
| |
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.
https://fedorahosted.org/freeipa/ticket/408
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The DS guys decided not to expose the DS inetrnal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.
NOTE: This causes once again a change in the tring format used for UUIDs.
fixes: https://fedorahosted.org/freeipa/ticket/465
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/468
|
| |
|
|
|
|
|
| |
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
|
| | |
|
| |
|
|
|
|
|
| |
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
|
| | |
|
| |
|
|
|
|
|
| |
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
|
| |
|
|
|
|
| |
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
|
| |
|
|
|
| |
This allows the code in the for loop to error out without worrying of
forgetting to unlock the config entries.
|
| |
|
|
|
| |
Avoid false positives if more than one uuid attribute is generated
in the same entry.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Provide simplified logging macros that appropriately use __func__ __FILE__,
__LINE__, or the plugin name depending on the log level.
|
