summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-slapi-plugins
Commit message (Collapse)AuthorAgeFilesLines
* Add TOTP watermark supportNathaniel McCallum2014-07-251-73/+86
| | | | | | | | | | | | | | | | This prevents the reuse of TOTP tokens by recording the last token interval that was used. This will be replicated as normal. However, this patch does not increase the number of writes to the database in the standard authentication case. This is because it also eliminates an unnecessary write during authentication. Hence, this patch should be write-load neutral with the existing code. Further performance enhancement is desired, but is outside the scope of this patch. https://fedorahosted.org/freeipa/ticket/4410 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add missing breakLukas Slebodnik2014-07-141-0/+1
| | | | | | | | Wrong error message would be used for in case of RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to the default section. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix getkeytab code to always use implicit tagging.Simo Sorce2014-06-271-5/+5
| | | | | | | | | | | | | | A mixture of implicit and explicit tagging was being used and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treat sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow to the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* keytab: Add new extended operation to get a keytab.Simo Sorce2014-06-261-0/+571
| | | | | | | | | | | | | | | | | | | | | | | | | | | This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Expose and modify key encoding functionSimo Sorce2014-06-262-7/+19
| | | | | | | | | | | Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Modularize setkeytab operationSimo Sorce2014-06-261-477/+611
| | | | | | | | | In preparation of adding another function to avoid code duplication. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Change OTPSyncRequest structure to use OctetStringNathaniel McCallum2014-06-255-56/+79
| | | | | | | | This change has two motivations: 1. Clients don't have to parse the string. 2. Future token types may have new formats. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Revert "Check for password expiration in pre-bind"Martin Kosek2014-06-101-29/+4
| | | | | | | | | | | | | | | This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6. Forceful validation of password expiration date in a BIND pre-callback breaks LDAP password change extended operation as the password change is only allowed via authenticated (bound) channel. Passwords could be only changed via kadmin protocol. This change would thus break LDAP-only clients and Web UI password change hook. This patch will need to be revisited so that unauthenicated corner cases are also revisited. https://fedorahosted.org/freeipa/ticket/1539
* Check for password expiration in pre-bindSimo Sorce2014-06-091-4/+29
| | | | | | | | If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipa-pwd-extop: Deny LDAP binds for accounts with expired principalsTomas Babej2014-05-051-1/+34
| | | | | | | | | | | | | Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Change range_check return values from int to ↵Tomas Babej2014-04-231-16/+26
| | | | | | | | | | | | range_check_result_t enum Using integers for return values that are used for complex casing can be fragile and typo-prone. Change range_check function to return range_check_result_t enum, whose values properly describes each of the range_check results. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipa_range_check: Fix typo when comparing strings using strcasecmpTomas Babej2014-04-231-4/+4
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Do not fail when no trusted domain is availableTomas Babej2014-04-231-2/+10
| | | | | | | | | | When building the domain to forest root map, we need to take the case of IPA server having no trusted domains configured at all. Do not abort the checks, but return an empty map instead. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Make a new copy of forest_root_id attribute for range_info ↵Tomas Babej2014-04-231-1/+1
| | | | | | | | | | | | struct Not making a new copy of this attribute creates multiple frees caused by multiple pointers to the same forest_root_id from all the range_info structs for all the domains belonging to given forest. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Connect the new node of the linked listTomas Babej2014-04-231-0/+1
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Use special attributes to determine presence of RID basesTomas Babej2014-04-231-9/+21
| | | | | | | | | | | | | | The slapi_entry_attr_get_ulong which is used to get value of the RID base attributes returns 0 in case the attribute is not set at all. We need to distinguish this situation from the situation where RID base attributes are present, but deliberately set to 0. Otherwise this can cause false negative results of checks in the range_check plugin. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Extend ipa-range-check DS plugin to handle range typesTomas Babej2014-04-081-40/+260
| | | | | | | | | | | | | | | | | | | | | | | | | The ipa-range-check plugin used to determine the range type depending on the value of the attributes such as RID or secondary RID base. This approached caused variety of issues since the portfolio of ID range types expanded. The patch makes sure the following rules are implemented: * No ID range pair can overlap on base ranges, with exception of two ipa-ad-trust-posix ranges belonging to the same forest * For any ID range pair of ranges belonging to the same domain: * Both ID ranges must be of the same type * For ranges of ipa-ad-trust type or ipa-local type: * Primary RID ranges can not overlap * For ranges of ipa-local type: * Primary and secondary RID ranges can not overlap * Secondary RID ranges cannot overlap For the implementation part, the plugin was extended with a domain ID to forest root domain ID mapping derivation capabilities. https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-range-check: Fix memory leaks when freeing range objectTomas Babej2014-04-081-4/+12
| | | | | | | | When cleaning the range_info struct, simple free of the struct is not enough, we have to free contents of char pointers in the struct as well. https://fedorahosted.org/freeipa/ticket/4276
* ipa-pwd-extop: Fix memory leak in ipapwd_pre_bindTomas Babej2014-04-081-0/+1
| | | | | | We need to free the entry before returning from the function. https://fedorahosted.org/freeipa/ticket/4295
* extdom: do not return results from the wrong domainSumit Bose2014-03-251-0/+12
| | | | | Resolves: https://fedorahosted.org/freeipa/ticket/4264 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* libotp: do not call internal search for NULL dnAlexander Bokovoy2014-02-211-1/+6
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Teach ipa-pwd-extop to respect global ipaUserAuthType settingsNathaniel McCallum2014-02-217-406/+398
| | | | | | https://fedorahosted.org/freeipa/ticket/4105 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP sync support to ipa-pwd-extopNathaniel McCallum2014-02-219-970/+373
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-215-0/+218
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-7/+36
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add libotp internal library for slapi pluginsNathaniel McCallum2014-02-147-0/+969
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-lockout: do not fail when default realm cannot be readMartin Kosek2014-02-041-17/+17
| | | | | | | | | | | When ipa-lockout plugin is started during FreeIPA server installation, the default realm may not be available and plugin should then not end with failure. Similarly to other plugins, start in degraded mode in this situation. Operation is fully restored during the final services restart. https://fedorahosted.org/freeipa/ticket/4085
* Fallback to global policy in ipa-lockout pluginMartin Kosek2014-02-031-0/+34
| | | | | | | | | | krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy. https://fedorahosted.org/freeipa/ticket/4085
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-281-0/+1
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* CLDAP: add unit tests for make_netbios_nameSumit Bose2014-01-232-0/+87
|
* CLDAP: generate NetBIOS name like ipa-adtrust-install doesSumit Bose2014-01-232-14/+35
| | | | Fixes https://fedorahosted.org/freeipa/ticket/4116
* Harmonize policy discovery to kdb driverSimo Sorce2014-01-161-89/+17
| | | | | | | | | | | The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085
* CLDAP: do not prepend \\Sumit Bose2014-01-151-1/+1
| | | | | | | | | For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in the PDC NetBIOS name. In general AD seems to be smart enough to handle the two \ signs. But if the NetBIOS name reaches the maximum of 15 character AD does not accept the responses anymore. Fixes https://fedorahosted.org/freeipa/ticket/4028
* ipa-cldap: Cut NetBIOS name after 15 charactersTomas Babej2013-12-112-1/+6
| | | | | | | | The CLDAP DS plugin uses the uppercased first segment of the fully qualified hostname as the NetBIOS name. We need to limit its size to 15 characters. https://fedorahosted.org/freeipa/ticket/4028
* Remove CFLAGS duplication.Jan Cholasta2013-12-0612-13/+1
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Fix compilation error in ipa-cldap.Jan Cholasta2013-12-061-1/+3
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Clarify error message about IPv6 socket creation in ipa-cldap pluginPetr Spacek2013-12-031-1/+2
| | | | https://fedorahosted.org/freeipa/ticket/4056
* Remove generation and handling of LM hashesSumit Bose2013-11-014-63/+19
| | | | https://fedorahosted.org/freeipa/ticket/3795
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-302-11/+17
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Administrative password change does not respect password policyMartin Kosek2013-10-171-15/+29
| | | | | | | | | When Directory Manager or a PassSync agent is changing a password, it is not being expired, but standard expiration time should apply. However, default expiration time was always applied (90 days) even though administrator may have a custom policy for the user. https://fedorahosted.org/freeipa/ticket/3968
* Use the right attribute with ipapwd_entry_checks for MagicRegenSumit Bose2013-10-081-1/+2
| | | | | | | | | | | | | There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested.
* Ensure credentials structure is initializedNathaniel McCallum2013-10-021-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3953
* CLDAP: do not read IPA domain from hostnameSumit Bose2013-09-271-47/+25
| | | | | | | | | | | | Currently the CLDAP plugin determines the IPA domain name by reading the current host name and splitting of the domain part. But since an IPA server does not have to be in a DNS domain which has the same name as the IPA domain this may fail. The domain name was used to search the ipaNTDomainAttrs object, but since this object is unique in the tree it is sufficient to use the objectclass in the search filter. Now the IPA domain can be read from the ipaNTDomainAttrs object as well. Fixes https://fedorahosted.org/freeipa/ticket/3941
* Fix -Wformat-security warningsKrzysztof Klimonda2013-09-162-7/+7
|
* EXTDOM: Do not overwrite domain_name for INP_SIDJakub Hrozek2013-08-291-2/+0
|
* CLDAP: make sure an empty reply is returned on any errorSumit Bose2013-08-291-1/+2
| | | | | | If ipa_cldap_decode() reply is not initialized. Fixes https://fedorahosted.org/freeipa/ticket/3885
* Re-order NULL check in ipa_lockout.Rob Crittenden2013-08-291-2/+1
| | | | | | | | There is no risk of crash here as slapi_valueset_first_value() can handle the case where the valueset is NULL, but there is no point in calling that if we know there are no values. https://fedorahosted.org/freeipa/ticket/3880
* pwd-plugin: Fix ignored return errorSimo Sorce2013-08-281-3/+8
| | | | | | | | | CoverityID: 11904 Also remove 'inline', the compiler can do it on its own if needed. Fixes: https://fedorahosted.org/freeipa/ticket/3882
* Remove unused variableLukas Slebodnik2013-07-251-2/+0
| | | | Variable was set, but it was not used.
* Remove unused variableLukas Slebodnik2013-07-251-1/+0
|
generated by cgit (git 2.34.1) at 2024-05-24 22:43:06 +0000