path: root/daemons
Commit message (author, date, files changed, lines -removed/+added)
* Add PAC filtering (Simo Sorce, 2012-08-02, 1 file, -8/+100)
  This checks that the PAC we receive is consistent. Realm, flat name and domain SID must match our understanding of the trusted realm, and no additional SIDs beyond the own realm ones must be present. Ticket #2849
* Split out manipulation of logon_info blob (Simo Sorce, 2012-08-02, 1 file, -40/+69)
  This way multiple functions can manipulate the logon info structure until all operations we want to do on it are done and then fold it back once.
* Properly name function to add ipa external groups (Simo Sorce, 2012-08-02, 1 file, -35/+39)
  The function filter_pac was not filtering the pac at all, it was merely augmenting it with additional data relevant to the IPA server. Change the name of the function to avoid confusion. While there I also simplified and cleaned up the code a bit with regard to variable names and usage.
* Load list of trusted domain on connecting to ldap (Simo Sorce, 2012-08-02, 1 file, -6/+104)
  This list is used to validate data in mspac filtering.
* Move mspac structure to be a private pointer (Simo Sorce, 2012-08-02, 2 files, -25/+33)
  By keeping its definition in the mspac file it is easier to modify and make sure any operation on it is handled in the same file.
* When ipaNTHash is missing, ask IPA to generate it from kerberos keys (Alexander Bokovoy, 2012-07-30, 1 file, -3/+93)
  Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Add special modify op to regen ipaNTHash (Simo Sorce, 2012-07-30, 1 file, -3/+143)
  The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships.
* Improve loops around slapi mods (Simo Sorce, 2012-07-30, 1 file, -68/+62)
  Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute equivalence after a match (use if/else).
* Move code into common krb5 utils (Simo Sorce, 2012-07-30, 1 file, -141/+7)
  This moves the decoding function that reads the keys from the ber format into a structure in the common krb5 util code right below the function that encodes the same data structure into a ber format. This way the 2 functions are in the same place and can be both used by all ipa components.
* Do not check for DNA magic values (Simo Sorce, 2012-07-26, 2 files, -8/+0)
  The DNA magic value can be arbitrarily changed by admins so we cannot use a const value to check. And we really do not need to check at all. If the DNA plugin is broken and leaves magic values to reach the post-op stage we have bigger problems. So just simply get rid of this check.
* Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam (Alexander Bokovoy, 2012-07-18, 1 file, -1/+3)
  With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master the function sid_check_is_domain() was renamed to sid_check_is_our_sam(). https://fedorahosted.org/freeipa/ticket/2929
* Fix typo (Sumit Bose, 2012-07-09, 1 file, -1/+1)
  Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Fix wrong check after allocation. (Simo Sorce, 2012-07-07, 1 file, -1/+1)
* reduce redundant checks in ldapsam_search_users() to a single statement (Alexander Bokovoy, 2012-07-06, 1 file, -8/+1)
* Use smb.conf 'dedicated keytab file' parameter instead of hard-coded value (Alexander Bokovoy, 2012-07-06, 1 file, -1/+2)
* ipasam: replace testing code (Sumit Bose, 2012-07-06, 1 file, -5/+5)
* ipasam: fixes for clang warnings (Sumit Bose, 2012-07-06, 1 file, -28/+20)
* Allow silent build if available (Sumit Bose, 2012-07-06, 1 file, -0/+1)
* ipasam: improve SASL bind callback (Alexander Bokovoy, 2012-07-06, 1 file, -42/+136)
  Due to refactoring, the SASL bind callback was referencing a local variable which didn't exist all the time. Fix that by including a copy of service principals into the ipasam long term private struct. Rework ccache handling to avoid re-initing every time the callback is called.
* Add range check preop plugin (Sumit Bose, 2012-06-29, 5 files, -0/+504)
  To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges. https://fedorahosted.org/freeipa/ticket/2185
* Use lower case names in LDAP to meet freeIPA convention (Sumit Bose, 2012-06-29, 1 file, -11/+11)
* Add external domain extop DS plugin (Sumit Bose, 2012-06-28, 9 files, -1/+1198)
  This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or group names and back.
* Add configure check for C Unit-Test framework check (Sumit Bose, 2012-06-28, 1 file, -0/+10)
  The framework can be found at http://check.sourceforge.net.
* Filter groups in the PAC (Sumit Bose, 2012-06-28, 1 file, -1/+452)
  If one or more of the external groups given in the PAC can be found in the ipaExternalGroup objects and these objects are members of local groups, the SIDs of the local groups are added to the PAC.
* Add sidgen postop and task (Sumit Bose, 2012-06-28, 10 files, -0/+1378)
  A postop plugin is added to create the SID for newly created users and groups. A directory server task allows to set the SID for existing users and groups. Fixes https://fedorahosted.org/freeipa/ticket/2825
* Add error condition handling to the SASL bind callback in ipasam (Alexander Bokovoy, 2012-06-28, 1 file, -12/+80)
  https://fedorahosted.org/freeipa/ticket/2877
* Support requests for DOMAIN$ account for trusted domains in ipasam module (Alexander Bokovoy, 2012-06-28, 1 file, -13/+20)
  https://fedorahosted.org/freeipa/ticket/2870
* ipasam: remove unused struct elements (Sumit Bose, 2012-06-11, 1 file, -11/+0)
* Use exop instead of kadmin.local (Sumit Bose, 2012-06-11, 2 files, -27/+80)
* Add support for disabling KDC writes (Simo Sorce, 2012-06-06, 3 files, -0/+75)
  Add two global ipaConfig options to disable undesirable writes that have performance impact.
  The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit).
  The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working.
  https://fedorahosted.org/freeipa/ticket/2734
* ipa-sam: update sid_to_id() interface to follow passdb API changes in Samba (Alexander Bokovoy, 2012-06-07, 2 files, -18/+3)
  Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping API in passdb interface to use 'struct unixid'. The change replaced three arguments (uid, gid, type) by one (struct unixid). As a result, ipa-sam became broken. Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18 leading to corrupted security context stack as well and then crashing in setgroups(3).
* Add trust-related ACIs (Alexander Bokovoy, 2012-06-07, 1 file, -11/+133)
  A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
* ipa-kdb: Add MS-PAC on constrained delegation. (Simo Sorce, 2012-06-07, 1 file, -22/+26)
* Perform case-insensitive searches for principals on TGS requests (Alexander Bokovoy, 2012-06-07, 1 file, -21/+52)
  We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contains upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
* Add separate attribute to store trusted domain SID (Alexander Bokovoy, 2012-06-07, 1 file, -4/+5)
  We need two attributes in the ipaNTTrustedDomain objectclass to store different kinds of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user, a new attribute is needed. https://fedorahosted.org/freeipa/ticket/2191
* Fix setting domain_sid (Simo Sorce, 2012-05-29, 1 file, -1/+1)
  'sid' is a stack variable; by assigning its address to the domain_sid pointer we were later referencing garbage (whatever on the stack happened to be at that address). Properly copy the sid and allocate it on the provided memory context.
* Normalize uid to lower case in winsync. (Rob Crittenden, 2012-05-25, 1 file, -1/+32)
  This in effect fixes uid, krbPrincipalName and homeDir. https://fedorahosted.org/freeipa/ticket/2756
* Check for locked-out user before incrementing lastfail. (Rob Crittenden, 2012-05-18, 1 file, -4/+6)
  If a user became locked due to too many failed logins and was then unlocked by an administrator, the account would not lock again. This was caused by two things:
  - We were incrementing the fail counter before checking to see if the account was already locked out.
  - The current fail count wasn't taken into consideration when deciding if the account is locked.
  The sequence was this:
  1. Unlocked account, set failcount to 0
  2. Failed login, increment failcount
  3. Within lastfailed + lockout_duration, still locked. This skips updating the last_failed date.
  So I reversed 2 and 3 and check to see if the fail count exceeds policy. https://fedorahosted.org/freeipa/ticket/2765
* Fix migration code password setting. (Simo Sorce, 2012-05-17, 1 file, -0/+11)
  When we set a password we also need to make sure krbExtraData is set. If not kadmin will later complain that the object is corrupted at password change time. Ticket: https://fedorahosted.org/freeipa/ticket/2764
* Return LDAP_SUCCESS on mods on a referral entry. (Rob Crittenden, 2012-05-11, 1 file, -0/+9)
  We currently return LDAP_REFERRAL which causes the mod to fail meaning that referral entries cannot be changed. All we really want to do is escape when we don't have an entry to modify. https://fedorahosted.org/freeipa/ticket/2237
* Fix theoretical leak discovered by coverity (Simo Sorce, 2012-04-17, 1 file, -0/+1)
  This was introduced when we started checking the return from ipadb_get_context() to silence another coverity report. That condition can never be true in this function but whatever ... let's silence Coverity once again :)
* Fix MS-PAC checks when using s4u2proxy (Simo Sorce, 2012-04-03, 1 file, -4/+6)
  We were using the wrong principal in the s4u2proxy case. Fixes: https://fedorahosted.org/freeipa/ticket/2504
* Fix failure count interval attribute name in query for password policy. (Rob Crittenden, 2012-03-29, 1 file, -1/+1)
  This was causing the failure count interval to not be applied so the failure count was never reset to 0. https://fedorahosted.org/freeipa/ticket/2540
* Fix memleak and silence Coverity defects (Simo Sorce, 2012-03-22, 3 files, -0/+9)
  Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues.
  One memleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
  Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count beforehand so we never actually use the wrong value that is computed on the last pass when p == 0
  Fixes: https://fedorahosted.org/freeipa/ticket/2488
* Treat UPGs correctly in winsync replication (Martin Kosek, 2012-03-15, 2 files, -11/+91)
  IPA winsync plugin failed to replicate users when default user group was non-posix even though User Private Groups (UPG) were enabled on the server. Both their uidNumber and gidNumber were empty and they missed essential object classes. When the default user group was made posix and UPG was disabled it did not set gidNumber to the default group gidNumber.
  This patch improves this behavior to set gidNumber correctly according to UPG configuration and the default group status (posix/non-posix). 4 situations can occur, the following list specifies what value is assigned to user gidNumber:
  1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
  2) Default group posix, UPG disabled: gidNumber = default group gidNumber
  3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
  4) Default group non-posix, UPG disabled: an error is printed to the dirsrv log as the gidNumber cannot be retrieved. User is replicated in the same way as before this patch, i.e. without essential object classes.
  https://fedorahosted.org/freeipa/ticket/2436
* ipa-kdb: fix delegation acl check (Simo Sorce, 2012-02-28, 1 file, -2/+4)
  We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent.
* policy: add function to check lockout policy (Simo Sorce, 2012-02-19, 3 files, -1/+62)
  Fixes: https://fedorahosted.org/freeipa/ticket/2393
* ipa-kdb: Fix ACL evaluator (Simo Sorce, 2012-02-20, 1 file, -1/+4)
  Fixes: https://fedorahosted.org/freeipa/ticket/2343
* Remove compat defines (Simo Sorce, 2012-02-16, 1 file, -32/+0)
  These definitions were needed during development to be able to build against krb5 version < 1.10. These function headers and definitions are now available in 1.10 that is a hard dependency for freeipa 3.0, so we can safely drop them.
* ipa-kdb: set krblastpwdchange only when keys have been effectively changed (Simo Sorce, 2012-02-15, 1 file, -2/+4)