| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.
Further performance enhancement is desired, but is outside the
scope of this patch.
https://fedorahosted.org/freeipa/ticket/4410
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
| |
Wrong error message would be used for in case of
RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to
the default section.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A mixture of implicit and explicit tagging was being used and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treat sequences and explicit tagging.
The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow to the specified encoding.
Resolves: https://fedorahosted.org/freeipa/ticket/4404
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.
Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.
For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:
(targetattr="ipaProtectedOperation;read_keys") ...
... userattr=ipaAllowedToPerform;read_keys#USERDN)
This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
| |
In preparation of adding another function to avoid code duplication.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
| |
This change has two motivations:
1. Clients don't have to parse the string.
2. Future token types may have new formats.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6.
Forceful validation of password expiration date in a BIND pre-callback
breaks LDAP password change extended operation as the password change
is only allowed via authenticated (bound) channel. Passwords could be
only changed via kadmin protocol. This change would thus break
LDAP-only clients and Web UI password change hook.
This patch will need to be revisited so that unauthenicated corner
cases are also revisited.
https://fedorahosted.org/freeipa/ticket/1539
|
|
|
|
|
|
|
|
| |
If the password is expired fail a password bind.
Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.
https://fedorahosted.org/freeipa/ticket/3305
Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
range_check_result_t enum
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describes each of the range_check results.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When building the domain to forest root map, we need to take the case
of IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
struct
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The slapi_entry_attr_get_ulong which is used to get value of the RID base
attributes returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.
Otherwise this can cause false negative results of checks in the range_check
plugin.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ipa-range-check plugin used to determine the range type depending
on the value of the attributes such as RID or secondary RID base. This
approached caused variety of issues since the portfolio of ID range
types expanded.
The patch makes sure the following rules are implemented:
* No ID range pair can overlap on base ranges, with exception
of two ipa-ad-trust-posix ranges belonging to the same forest
* For any ID range pair of ranges belonging to the same domain:
* Both ID ranges must be of the same type
* For ranges of ipa-ad-trust type or ipa-local type:
* Primary RID ranges can not overlap
* For ranges of ipa-local type:
* Primary and secondary RID ranges can not overlap
* Secondary RID ranges cannot overlap
For the implementation part, the plugin was extended with a domain ID
to forest root domain ID mapping derivation capabilities.
https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
| |
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.
https://fedorahosted.org/freeipa/ticket/4276
|
|
|
|
|
|
| |
We need to free the entry before returning from the function.
https://fedorahosted.org/freeipa/ticket/4295
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/freeipa/ticket/4264
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
| |
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4105
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
| |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
| |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
| |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
|
|
|
|
|
|
| |
krbPwdPolicyReference is no longer filled default users. Instead, plugins
fallback to hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
| |
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/4116
|
|
|
|
|
|
|
|
|
|
|
| |
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
|
|
|
|
|
| |
For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
the PDC NetBIOS name. In general AD seems to be smart enough to handle
the two \ signs. But if the NetBIOS name reaches the maximum of 15
character AD does not accept the responses anymore.
Fixes https://fedorahosted.org/freeipa/ticket/4028
|
|
|
|
|
|
|
|
| |
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3896
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3896
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4056
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3795
|
|
|
|
|
|
|
| |
Some error strings were duplicate which makes it then harder to
see what is the real root cause of it.
https://fedorahosted.org/freeipa/ticket/3988
|
|
|
|
|
|
|
|
|
| |
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, default expiration time was always applied (90 days)
even though administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3953
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting of the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.
Fixes https://fedorahosted.org/freeipa/ticket/3941
|
| |
|
| |
|
|
|
|
|
|
| |
If ipa_cldap_decode() reply is not initialized.
Fixes https://fedorahosted.org/freeipa/ticket/3885
|
|
|
|
|
|
|
|
| |
There is no risk of crash here as slapi_valueset_first_value() can handle
the case where the valueset is NULL, but there is no point in calling that
if we know there are no values.
https://fedorahosted.org/freeipa/ticket/3880
|
|
|
|
|
|
|
|
|
| |
CoverityID: 11904
Also remove 'inline', the compiler can do it on its own if needed.
Fixes:
https://fedorahosted.org/freeipa/ticket/3882
|
|
|
|
| |
Variable was set, but it was not used.
|
| |
|