summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
* Add error condition handling to the SASL bind callback in ipasamadworkAlexander Bokovoy2012-06-271-12/+80
| | | | https://fedorahosted.org/freeipa/ticket/2877
* Support requests for DOMAIN$ account for trusted domains in ipasam moduleAlexander Bokovoy2012-06-271-13/+20
| | | | https://fedorahosted.org/freeipa/ticket/2870
* Map remote to local groupsSumit Bose2012-06-261-1/+532
|
* WIP: add range check pluginSumit Bose2012-06-265-0/+487
|
* Add sidgen postop and taskSumit Bose2012-06-2610-0/+1378
| | | | | | | | A postop plugin is added to create the SID for new created users and groups. A directory server task allows to set the SID for existing users and groups. Fixes https://fedorahosted.org/freeipa/ticket/2825
* Add external domain extop DS pluginSumit Bose2012-06-269-1/+1198
| | | | | | This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or groups names and back.
* Add configure check for C Unit-Test framework checkSumit Bose2012-06-261-0/+10
| | | | The framework can be found at http://check.sourceforge.net.
* ipasam: remove unused struct elementsSumit Bose2012-06-111-11/+0
|
* Use exop instead of kadmin.localSumit Bose2012-06-112-27/+80
|
* Add support for disabling KDC writesSimo Sorce2012-06-063-0/+75
| | | | | | | | | | | Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734
* ipa-sam: update sid_to_id() interface to follow passdb API changes in SambaAlexander Bokovoy2012-06-072-18/+3
| | | | | | | | | Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping API in passdb interface to use 'struct unixid'. The change replaced three arguments (uid, gid, type) by one (struct unixid). As result, ipa-sam became broken. Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18 leading to corrupted security context stack as well and then crashing in setgroups(3).
* Add trust-related ACIsAlexander Bokovoy2012-06-071-11/+133
| | | | | | | | | A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
* ipa-kdb: Add MS-PAC on constrained delegation.Simo Sorce2012-06-071-22/+26
|
* Perform case-insensitive searches for principals on TGS requestsAlexander Bokovoy2012-06-071-21/+52
| | | | | | | | | | We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
* Add separate attribute to store trusted domain SIDAlexander Bokovoy2012-06-071-4/+5
| | | | | | | | | | | We need two attributes in the ipaNTTrustedDomain objectclass to store different kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user a new attribute is needed. https://fedorahosted.org/freeipa/ticket/2191
* Fix setting domain_sidSimo Sorce2012-05-291-1/+1
| | | | | | | 'sid' is a stack variable, by assigning its address to the domain_sid pointer we were later referencing grabage (whatever on the stack ha[ppened to be at that address. Properly copy the sid and allocate it on the provided memory context.
* Normalize uid to lower case in winsync.Rob Crittenden2012-05-251-1/+32
| | | | | | This in effect fixes uid, krbPrincipalName and homeDir. https://fedorahosted.org/freeipa/ticket/2756
* Check for locked-out user before incrementing lastfail.Rob Crittenden2012-05-181-4/+6
| | | | | | | | | | | | | | | | | | | | | | If a user become locked due to too many failed logins and then were unlocked by an administrator, the account would not lock again. This was caused by two things: - We were incrementing the fail counter before checking to see if the account was already locked out. - The current fail count wasn't taken into consideration when deciding if the account is locked. The sequence was this: 1. Unlocked account, set failcount to 0 2. Failed login, increment failcount 3. Within lastfailed + lockout_duration, still locked. This skips update the last_failed date. So I reversed 2 and 3 and check to see if the fail count exceeds policy. https://fedorahosted.org/freeipa/ticket/2765
* Fix migration code password setting.Simo Sorce2012-05-171-0/+11
| | | | | | | | When we set a password we also need to make sure krbExtraData is set. If not kadmin will later complain that the object is corrupted at password change time. Ticket: https://fedorahosted.org/freeipa/ticket/2764
* Return LDAP_SUCCESS on mods on a referral entry.Rob Crittenden2012-05-111-0/+9
| | | | | | | | | We currently return LDAP_REFERRAL which causes the mod to fail meaning that referral entries cannot be changed. All we really want to do is escape when we don't hvae an entry to modify. https://fedorahosted.org/freeipa/ticket/2237
* Fix theoretical leak discovered by coveritySimo Sorce2012-04-171-0/+1
| | | | | | | This was introduced when we started checking the return from ipadb_get_context() to silence another coverity report. That condition can never be true in this function but whatever ... let's silence Coverity once again :)
* Fix MS-PAC checks when using s4u2proxySimo Sorce2012-04-031-4/+6
| | | | | | We were using the wrong principal in the s4u2proxy case. Fixes: https://fedorahosted.org/freeipa/ticket/2504
* Fix failure count interval attribute name in query for password policy.Rob Crittenden2012-03-291-1/+1
| | | | | | | This was causing the failure count interval to not be applied so the failure count was never reset to 0. https://fedorahosted.org/freeipa/ticket/2540
* Fix memleak and silence Coverity defectsSimo Sorce2012-03-223-0/+9
| | | | | | | | | | | | | | | Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues. One meleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count before hand so we never actually use the wrong value that is computed on the last pass when p == 0 Fixes: https://fedorahosted.org/freeipa/ticket/2488
* Treat UPGs correctly in winsync replicationMartin Kosek2012-03-152-11/+91
| | | | | | | | | | | | | | | | | | | | | | | | IPA winsync plugin failed to replicate users when default user group was non-posix even though User Private Groups (UPG) were enabled on the server. Both their uidNumber and gidNumber were empty and they missed essential object classes. When the default user group was made posix and UPG was disabled it did not set gidNumber to the default group gidNumber. This patch improves this behavior to set gidNumber correctly according to UPG configuration and the default group status (posix/non-posix). 4 situations can occur, the following list specifies what value is assigned to user gidNumber: 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber 2) Default group posix, UPG disabled: gidNumber = default group gidNumber 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber 4) Default group non-posix, UPG disabled: an error is printed to the dirsrv log as the gidNumber cannot be retrieved. User is replicated in the same way as before this patch, i.e. without essential object classes. https://fedorahosted.org/freeipa/ticket/2436
* ipa-kdb: fix delegation acl checkSimo Sorce2012-02-281-2/+4
| | | | | We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent.
* policy: add function to check lockout policySimo Sorce2012-02-193-1/+62
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2393
* ipa-kdb: Fix ACL evaluatorSimo Sorce2012-02-201-1/+4
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2343
* Remove compat definesSimo Sorce2012-02-161-32/+0
| | | | | | | These definitions were needed during development to be a le to build against krb5 version < 1.10 These function headers and defintions are now available in 1.10 that is a hard dependency for freeipa 3.0, so we can safely drop them.
* ipa-kdb: set krblastpwdchange only when keys have been effectively changedSimo Sorce2012-02-151-2/+4
|
* ipa-kdb: Avoid lookup on modify if possibleSimo Sorce2012-02-151-19/+27
| | | | This avoids one useless search if we already have the entry_dn.
* ipa-kdb: add AS auditing supportSimo Sorce2012-02-147-91/+254
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2334
* Improve password change error messageMartin Kosek2012-02-032-3/+3
| | | | | | | | | | | User always receives the same error message if he changes his password via "ipa passwd" command and the new password fails configured password policy. He then has to investigate on his own the actual reason why was the policy violated. This patch improves our SLAPI PWD plugins to provide a better error message explaining the violation reason. https://fedorahosted.org/freeipa/ticket/2067
* slapi-plugins: use thread-safe ldap librarySimo Sorce2012-01-131-1/+1
|
* ipa-kdb: Create PAC's KDC checksum with right keySimo Sorce2012-01-111-2/+89
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2170
* ipa-kdb: Verify the correct checksum in PAC validationSimo Sorce2012-01-111-5/+45
| | | | | | | | | | | | | | | | | | This patch requires a forthcoming change in MIT libraries which allows to pass NULL for the server_key to the krb5_pac_verify() function. In most cases we should always only check the KDC checksum to verify the PAC validity. The only exception is when we are releasing a ticket to a client from another realm. In this case the only signature we can check is the server checksum, and we use the cross-realm key to validate in this case. The previous code was working for normal cases because the kdc uses the same key to create the server and the kdc checksum for a TGT, but that is not true for evidence tickets (s4u2proxy) or cross-realm TGTs. Fixes: https://fedorahosted.org/freeipa/ticket/2169
* ipa-cldap: Support clients asking for default domainSimo Sorce2012-01-051-1/+21
|
* Add a second module init call for newer samba versionsSumit Bose2011-12-091-0/+6
|
* ipa-kdb: return properly when no PAC is availableSimo Sorce2011-12-091-10/+3
|
* ipa-kdb: Add delgation access control supportSimo Sorce2011-12-085-1/+342
|
* ipa-kdb: enhance deref searchesSimo Sorce2011-12-083-13/+39
| | | | | Allow to deref more than one attribute. The attrs searched are the same for all deref attributes at this time.
* ipa-kdb: Fix copy and paste typoSimo Sorce2011-12-071-1/+1
|
* Make pwd-extop aware of new ipaNTHash attributeSumit Bose2011-12-065-29/+89
|
* Add ipasam samba passdb backendSumit Bose2011-12-066-1/+3331
| | | | https://fedorahosted.org/freeipa/ticket/1874
* ipa-kdb: fix memleaks in ipa_kdb_mspac.cSimo Sorce2011-12-021-7/+8
|
* ipa-kdb: Remove unused CFLAGS/LIBS from MakefilesSimo Sorce2011-12-021-2/+0
|
* ipa-kdb: fix free() of uninitialized varSimo Sorce2011-11-291-0/+1
|
* ipa-kdb: Support re-signing PAC with different checksumSimo Sorce2011-11-291-2/+52
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2122
* ipa-cldap: send cldap replySimo Sorce2011-11-211-0/+48
|
* ipa-cldap: Create netlogon blobSimo Sorce2011-11-214-0/+344
|
generated by cgit (git 2.34.1) at 2024-05-05 05:42:13 +0000