summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
* Use pkg-config to detect cmockaLukas Slebodnik2013-07-151-25/+12
| | | | https://fedorahosted.org/freeipa/ticket/3434
* Remove unused variableJakub Hrozek2013-07-152-5/+0
|
* Generate syntethic MS-PAC for all services running on IPA masterAlexander Bokovoy2013-07-111-6/+73
| | | | | | | | | | | MS-PAC is required to be present in TGT if one wants to connect to AD services using this TGT. Users get MS-PAC by default, SSSD in ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP. This patch enables other services running on IPA master to connect to AD services. This is required for IPA python code doing discovery of remote AD domain settings shortly after IPA-AD trust has been established.
* Fix extdom plugin to provide unqualified name in response as sssd expectsAlexander Bokovoy2013-07-111-3/+30
| | | | | | | | | | | | | | | extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name.
* Make sure domain_name is also set when processing INP_NAME requestsAlexander Bokovoy2013-07-111-0/+1
|
* Remove winbind client configure checkSumit Bose2013-07-111-11/+0
| | | | | With the replacement of the winbind calls in the extdom plugin none of the plugins is using the winbind client libraries anymore.
* extdom: replace winbind calls with POSIX/SSSD callsSumit Bose2013-07-116-293/+253
| | | | | | | | | | | | | | | With the new ipa_server_mode SSSD is able to read user and group data from trusted AD domains directly and makes this data available via the NSS responder. With this mode enabled winbind is not needed anymore to lookup users and groups of trusted domains. This patch removed the calls to winbind from the extdom plugin and replaces them with standard POSIX calls like getpwnam() and calls from libsss_nss_idmap to lookup SIDs. Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the extdom plugin does not need to handle idranges anymore, but everything is done inside SSSD.
* Add PAC to master host TGTsSumit Bose2013-07-111-39/+115
| | | | | | | | | | | | | | | | | | | | For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. We use the well know RID of the Domain Computers group (515) for the primary gid element of the PAC, this is the same as AD uses for host tickets. The rid element of the PAC is set to the well know RID of the Domain Controllers group (516). This is working for the SSSD use case but might be improved later for more general use cases. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. Fixes https://fedorahosted.org/freeipa/ticket/3651
* Fix type of printf argumentSumit Bose2013-06-101-1/+2
|
* Fix format string typoSumit Bose2013-06-031-1/+1
|
* Fix log format not a string literal.Diane Trout2013-06-031-1/+1
| | | | | | | | This was to resolve a -Werror=format-security error. ipa_extdom_extop.c: In function 'ipa_extdom_extop': ipa_extdom_extop.c:144:9: error: format not a string literal and no format arguments [-Werror=format-security]
* Fix cldap parser to work with a single equality filter (NtVer=...)Alexander Bokovoy2013-05-301-12/+14
| | | | https://fedorahosted.org/freeipa/ticket/3639
* CLDAP: Return empty reply on non-fatal errorsSimo Sorce2013-05-281-6/+18
| | | | | | | | | | | | | | | Windows DCs return an empty reply when a legal request cannot satisfied. If we get EINVAL or ENOENT it means the information requested could not be found or input parameters were bogus. Always return an empty reply in these cases. On any other internal error just return, the request may have been legit but we can't really handle it right now, pretend we never saw it and hope the next attempt will succeed. Fixes: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com>
* CLDAP: Fix domain handling in netlogon requestsSimo Sorce2013-05-281-28/+39
| | | | | | | | | | | | | 1. Stop using getdomainname() as it is often not properly initialized 2. The code using getdomainname() was not working anyway it was trying to look at the function call output in hostname which is always empty at that point. 3. Always check the requested domain matches our own, we cannot reply to anything else anyway. Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com>
* Add OTP support to ipa-pwd-extopNathaniel McCallum2013-05-1710-58/+1368
| | | | | | | | | During LDAP bind, this now plugin determines if a user is enabled for OTP authentication. If so, then the OTP is validated in addition to the password. This allows 2FA during user binds. https://fedorahosted.org/freeipa/ticket/3367 http://freeipa.org/page/V3/OTP
* Remove unnecessary prefixes from ipa-pwd-extop filesNathaniel McCallum2013-05-175-6/+6
|
* Add the krb5/FreeIPA RADIUS companion daemonNathaniel McCallum2013-05-1714-60/+1718
| | | | | | | | | | | This daemon listens for RADIUS packets on a well known UNIX domain socket. When a packet is received, it queries LDAP to see if the user is configured for RADIUS authentication. If so, then the packet is forwarded to the 3rd party RADIUS server. Otherwise, a bind is attempted against the LDAP server. https://fedorahosted.org/freeipa/ticket/3366 http://freeipa.org/page/V3/OTP
* ipa-kdb: Add OTP supportNathaniel McCallum2013-05-173-1/+78
| | | | | | | | | | | | | If OTP is enabled for a user, then: 1. Long-term keys are not provided to KDB 2. The user string 'otp' is defined to KDB Since it is not secure to send radius configuration information over krb5 user strings, we simply set the string to a known default ('[]') which enables the default configuration in the KDC. https://fedorahosted.org/freeipa/ticket/3561 http://freeipa.org/page/V3/OTP
* Allow ID-to-SID mappings in the extdom pluginSumit Bose2013-05-021-0/+2
| | | | https://fedorahosted.org/freeipa/ticket/3596
* Do not store SID string in a local bufferSumit Bose2013-05-021-6/+8
| | | | https://fedorahosted.org/freeipa/ticket/3596
* Do not lookup up the domain too early if only the SID is knownSumit Bose2013-05-021-3/+13
| | | | | | | | Request with a SID as input parameter do not contain the domain name, hence is must be tried to resolve the SID first before the corresponding domain can be looked up. https://fedorahosted.org/freeipa/ticket/3596
* ipa-pwd-extop: do not use dn until it is really setSumit Bose2013-04-021-20/+20
| | | | https://fedorahosted.org/freeipa/ticket/3539
* ipasam: add enumeration of UPN suffixes based on the realm domainsAlexander Bokovoy2013-03-292-11/+191
| | | | | | | | | | | | | | | | PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848
* Remove build warningsMartin Kosek2013-03-2914-14/+14
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Add support for cmocka C-Unit Test frameworkSumit Bose2013-03-281-0/+31
| | | | | | | | cmocka is a more advanced unit test framework for C-code than the currently used check framework. This patch adds configure checks and makefile variables so that new unit tests can use cmocka. Fixes https://fedorahosted.org/freeipa/ticket/3434
* Configure ipa_dns DS plugin on install and upgradeMartin Kosek2013-03-222-0/+21
| | | | | | | | | | The plugin is configured unconditionally (i.e. does not check if IPA was configured with DNS) as the plugin is needed on all replicas to prevent objectclass violations due to missing SOA serial in idnsZone objectclass. The violation could happen if just one replica configured DNS and added a new zone. https://fedorahosted.org/freeipa/ticket/3347
* Add 389 DS plugin for special idnsSOASerial attribute handlingPetr Spacek2013-03-224-0/+253
| | | | | | | | | Default value "1" is added to replicated idnsZone objects if idnsSOASerial attribute is missing. https://fedorahosted.org/freeipa/ticket/3347 Signed-off-by: Petr Spacek <pspacek@redhat.com>
* Fix lockout of LDAP bind.Rob Crittenden2013-03-211-91/+158
| | | | | | | | | | | | | | | | | | There were several problems: - A cut-n-paste error where the wrong value was being considered when an account was administratively unlocked. - An off-by-one error where LDAP got one extra bind attempt. - krbPwdPolicyReference wasn't being retrieved as a virtual attribute so only the global_policy was used. - The lockout duration wasn't examined in the context of too many failed logins so wasn't being applied properly. - Lockout duration wasn't used properly so a user was effectively unlocked when the failure interval expired. - krbLastFailedAuth and krbLoginFailedCount are no longer updated past max failures. https://fedorahosted.org/freeipa/ticket/3433
* Use new 389-ds-base cleartext password APIMartin Kosek2013-03-131-8/+12
| | | | | | | | | | The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-112-3/+3
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Perform secondary rid range overlap check for local ranges onlyTomas Babej2013-03-111-16/+25
| | | | | | | | | | | Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391
* Add unit test for get_authz_data_types()Sumit Bose2013-03-082-0/+246
| | | | https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: add PAC only if requestedSumit Bose2013-03-081-2/+140
| | | | | | | | Instead of always adding a PAC to the Kerberos ticket the global default for the authorization data and the authorization data of the service entry is evaluated and the PAC is added accordingly. https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: Read ipaKrbAuthzData with other principal dataSumit Bose2013-03-082-0/+18
| | | | | | | | The ipaKrbAuthzData LDAP attribute is read together with the other data of the requestedprincipal and the read value(s) are stored in the e-data of the entry for later use. https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: Read global defaul ipaKrbAuthzDataSumit Bose2013-03-082-1/+29
| | | | | | | The ipaKrbAuthzData LDAP attribute is read from the ipaConfig object and the read value(s) are stored in the ipadb context. https://fedorahosted.org/freeipa/ticket/2960
* Revert "MS-PAC: Special case NFS services"Sumit Bose2013-03-081-35/+1
| | | | | | | | This reverts commit 5269458f552380759c86018cd1f30b64761be92e. With the implementation of https://fedorahosted.org/freeipa/ticket/2960 a special hardcoded handling of NFS service tickets is not needed anymore.
* ipa-pwd: Unchecked return value ipapwd_chpwop()Sumit Bose2013-02-281-1/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3427
* ipa-extdom: Double-free in ipa_extdom_common.cSumit Bose2013-02-281-1/+0
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3426
* ipa-lockout: Wrong sizeof argument in ipa_lockout.cSumit Bose2013-02-281-1/+1
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3425
* ipa-kdb: Dereference after null check in ipa_kdb_mspac.cSumit Bose2013-02-281-1/+1
| | | | | | A wrong logic was used to check ipactx. Fixes https://fedorahosted.org/freeipa/ticket/3424
* ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()Sumit Bose2013-02-281-1/+1
| | | | | | | ipa_mspac_well_known_sids is a globally defined array so the check was always true. Fixes https://fedorahosted.org/freeipa/ticket/3423
* ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()Sumit Bose2013-02-281-5/+4
| | | | | | | There was a code path where ret was used instead of kerr to save a return value. Fixes https://fedorahosted.org/freeipa/ticket/3422
* ipa-kdb: remove unused variableSumit Bose2013-02-281-1/+1
|
* ipasam: use base scope when fetching domain information about own domainAlexander Bokovoy2013-02-191-1/+1
| | | | | | | | | Since we use associatedDomain attribute to store information about UPN suffixes and our own domain, searching subtree is going to return more than one entry. Limit search for own domain by base scope as we only need to fetch our own domain information here, not UPN suffixes. Required for https://fedorahosted.org/freeipa/ticket/2945
* ipa-kdb: Free talloc autofree context when module is closedsbose2013-02-141-0/+3
| | | | | | | | | | | | | | | Currently kdb5kdc crashes on exit if the ipadb KDB modules is loaded and trusts are configured. The reason is the talloc autofree context which get initialised during the ndr_push_union_blob() call. On exit the KDC module is unloaded an later on atexit() tries to free the context, but all related symbols are already unloaded with the module. This patch frees the talloc autofree context during the cleanup routine of the module. Since this is called only at exit and not during normal operations this is safe even if other KDC plugins use the talloc autofree context, e.g. via some Samba libraries, as well. Fixes https://fedorahosted.org/freeipa/ticket/3410
* ipa-kdb: fix retry logic in ipadb_deref_searchMartin Kosek2013-02-141-1/+1
| | | | | | | | This function retried an LDAP search when the result was OK due to flawed logic of retry detection (ipadb_need_retry function which returns true when we need retry and not 0). https://fedorahosted.org/freeipa/ticket/3413
* ipa-kdb: remove memory leaksMartin Kosek2013-02-144-2/+25
| | | | | | | | All known memory leaks caused by unfreed allocated memory or unfreed LDAP results (which should be also done after unsuccessful searches) are fixed. https://fedorahosted.org/freeipa/ticket/3413
* ipa-sam: Fill SID blacklist when trust is addedMartin Kosek2013-02-121-1/+13
| | | | | | | Fill incoming and outgoing trust LDAP entry with default SID blacklist value. https://fedorahosted.org/freeipa/ticket/3289
* ipa-kdb: read SID blacklist from LDAPMartin Kosek2013-02-122-54/+104
| | | | | | | | | | | | SIDs in incoming MS-PAC were checked and filtered with a fixed list of well-known SIDs. Allow reading the SID blacklist from LDAP (ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list to mspac adtrust structure. Use the hardcoded SID list only if the LDAP SID list is not configured. LIMITATION: SID blacklist list is not used yet. https://fedorahosted.org/freeipa/ticket/3289
* ipa-kdb: reinitialize LDAP configuration for known realmsMartin Kosek2013-02-121-12/+45
| | | | | | | | | | | | | ipa-kdb did not reinitialize trusted domain configuration when it was loaded to ipa-kdb. However, admin then would have to restart krb5kdc if he wanted to apply the change to running krb5kdc service. Run ipadb_reinit_mspac unconditionally every time when trusted domain is loaded. Among the already configured 1 minute grace time, also add a quick check if there is at least one configured trusted domain before reinitializing the mspac structure. https://fedorahosted.org/freeipa/ticket/3289
generated by cgit (git 2.34.1) at 2024-05-17 21:25:17 +0000