summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
* Don't set the password expiration to the current timeSimo Sorce2011-07-311-11/+14
| | | | This fixes a regression in the previous patch in ticket #1526.
* When setting a host password don't set krbPasswordExpiration.Rob Crittenden2011-07-291-8/+12
| | | | | | | This can cause problems if a host is enrolled, unenrolled and a password set. The password will be marked as expired like all new passwords are. https://fedorahosted.org/freeipa/ticket/1526
* Don't set krbLastPwdChange when setting a host OTP password.Rob Crittenden2011-07-183-37/+70
| | | | | | | | | | | | | | We have no visibility into whether an entry has a keytab or not so krbLastPwdChange is used as a rough guide. If this value exists during enrollment then it fails because the host is considered already joined. This was getting set when a OTP was added to a host that had already been enrolled (e.g. you enroll a host, unenroll it, set a OTP, then try to re-enroll). The second enrollment was failing because the enrollment plugin thought it was still enrolled becaused krbLastPwdChange was set. https://fedorahosted.org/freeipa/ticket/1357
* Reset failed login count to 0 when admin resets password.Rob Crittenden2011-07-131-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/1441
* memory leak in ipa_winsync_get_new_ds_user_dn_cbRich Megginson2011-06-281-0/+1
| | | | | The new_dn_string passed into this function is malloc'd. It must be freed before we reassign the value.
* modify user deleted in AD crashes winsyncRich Megginson2011-06-281-1/+8
| | | | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1382 crash in winsync if replaying a MOD and user does not exist in AD If the AD entry is deleted before the deletion can be synced back to IPA, and in the meantime an operation is performed on the corresponding entry in IPA that should be synced to AD, winsync attempts to get the AD entry and it is empty. This just means the operation will not go through, and the entry will be deleted when the sync from AD happens. The IPA winsync plugin needs to handle the case when the ad_entry is NULL.
* winsync enables disabled users in ADRich Megginson2011-06-281-3/+5
| | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1379 winsync enables disabled users in AD when the AD entry changes This was likely broken when ipa switched from using CoS/groups for account inactivation to using nsAccountLock directly. The code that handled the account sync in the from AD direction was broken, but was never found before now because it had not been used. The fix is to correctly set or remove nsAccountLock.
* Fix issues found by Coverity.Jan Cholasta2011-05-094-14/+54
| | | | tickets 1166, 1167, 1168, 1169
* Fix resource leaks.Simo Sorce2011-03-281-0/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1119
* Fix uninitialized variable.Simo Sorce2011-03-241-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1118
* Make activated/inactivated groups optionalSimo Sorce2011-03-013-34/+40
| | | | | | directly change nsAccountLock on the entry if they are not used Fixes: https://fedorahosted.org/freeipa/ticket/1021
* Fix user synchronization.Simo Sorce2011-03-011-0/+2
| | | | | | | | | We need to set uidNumber and gidNumber to the magic values so that DNA can assign appropriate Ids, otherwise the synchronization of users from AD will fail with an error about posixAccount requiring a missing (uidNumber) attribute. Fixes: https://fedorahosted.org/freeipa/ticket/1020
* Unbreak the ipa winsync plugin.Simo Sorce2011-03-011-1/+1
| | | | | | Fix RDN construction. Fixes: https://fedorahosted.org/freeipa/ticket/1015
* Set the loginShell attribute on winsynced entries if configuredSimo Sorce2011-03-014-1/+66
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/266
* Reset target DN when generated UUID is used as RDNNathan Kinder2011-02-171-0/+4
| | | | | | | | | | | | | | | When the UUID plug-in generates a value that is used in the RDN of the entry being added, the old DN is free'd and replaced with the new DN. The problem is that the operation in the pblock holds a pointer to the old DN address. This can cause other plug-ins to reference garbage, leading to incorrect results or crashes. This was causing the attribute uniqueness plug-in to not work correctly, resulting in duplicate netgroup entries. The fix is to have the UUID plug-in reset the target DN after changing the DN of the entry to be added. ticket 963
* Fix duplicate OIDsSimo Sorce2011-02-172-3/+3
| | | | | | | | | | | | | | | Apparently we forgot to check OID consistency between the schema and the extensions, and we got duplicates. Technically the schema was done later but it is easier to change the extensions OIDs than to change the schema of current beta2/rc1 installations. The only side effect is that older ipa-getkeytab and ipa-join binaries will fail. So all the admin/client tools must be upgraded at the same time as well as all the masters (otherwise some will show/accept the new OID while others won't). Fixes: https://fedorahosted.org/freeipa/ticket/976
* Let 389-ds start up even if Kerboros is not configured yet.Rob Crittenden2011-02-143-8/+29
| | | | | | | | | | | | The situation is if during installation /etc/krb5.conf either doesn't exist or configures no realms then 389-ds won't start up at all, causing the installation to fail. This will let the server start up in a degraded mode. Also need to make the sub_dict in ldapupdate.py handle no realm otherwise the installation will abort enabling the compat plugin. ticket 606
* Correctly report if this is a krb related password operationSimo Sorce2011-02-141-0/+1
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/949
* Update krbExtraData too when changing passwords.Simo Sorce2011-02-144-0/+93
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/937
* Disable replication version plugin by default.Rob Crittenden2011-02-101-1/+1
| | | | | | | | | | | | | | | | The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the repliation plugin and if it is there then we enable the version plugin before replication begins. ticket 918
* Update kerberos password policy values on LDAP binds.Rob Crittenden2011-01-215-0/+706
| | | | | | | | | | | | | | | On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343
* Fix ipa_uuid to not interfer with proper error reportingSimo Sorce2011-01-191-3/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/813
* Mozldap-specific code removedMartin Kosek2011-01-144-55/+8
| | | | | | | | Mozldap code removed from all sources and configure source script. Now, IPA will compile even when package mozldap-devel is not installed on the system. https://fedorahosted.org/freeipa/ticket/756
* Potential memory leaks in ipa-kpasswdMartin Kosek2011-01-141-0/+6
| | | | | | | | This patch fixes 2 situations where a pointer to allocated error string could be overwritten - which could have resulted in a memory leak. https://fedorahosted.org/freeipa/ticket/716
* Unchecked return values in SLAPI pluginsMartin Kosek2011-01-144-8/+20
| | | | | | | Return values weren't checked in several cases which could have lead to unhandled errors. https://fedorahosted.org/freeipa/ticket/722
* Potential memory leaks in ipa-pwd-extopMartin Kosek2011-01-142-3/+21
| | | | | | | | | | This patch fixes several potential memory leaks in ipa-pwd-extop SLAPI plugin. Common function ipapwd_gen_hashes() now cleans after itself when it fails. Other changes are local and self-explanatory. https://fedorahosted.org/freeipa/ticket/715
* Drop dependency on mozldapRob Crittenden2011-01-121-7/+0
|
* Potential NULL dereference in ipapwd_prepostMartin Kosek2011-01-121-2/+2
| | | | | | | This patch increases robustness in PRE MOD password SLAPI module by ensuring that an uninitialized pointer is not dereferenced. https://fedorahosted.org/freeipa/ticket/719
* Unchecked return value of callocMartin Kosek2011-01-121-0/+7
| | | | | | | | Omiting return value of calloc in ipa_pwd_extop.c could lead to memory access issues when memory is full. This patch adds return value check. https://fedorahosted.org/freeipa/ticket/717
* Uninitialized pointer read in ipa-enrollmentMartin Kosek2011-01-121-1/+1
| | | | | | | This patch fixes a situation where an uninitialized pointer is passed to free(). https://fedorahosted.org/freeipa/ticket/713
* Do not use LDAP_DEPRECATED in pluginsJakub Hrozek2011-01-075-21/+75
| | | | | | | | | Remove the LDAP_DEPRECATED constant and do not use functions that are marked as deprecated in recent OpenLDAP releases. Also always define WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that depend on that constant. https://fedorahosted.org/freeipa/ticket/576
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2015-358/+388
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Make use of mozldap vs openldap for plugins selectableSimo Sorce2010-12-0610-18/+36
|
* Init smods to prevent crash if encode_keys failsJakub Hrozek2010-11-291-1/+1
|
* build tweaks - use automake's foreign mode, avoid creating empty files to ↵Nalin Dahyabhai2010-11-291-1/+1
| | | | satisfy gnu mode - run autoreconf -f to ensure that everything matches
* Fix modrdn plugin crash bug.Simo Sorce2010-11-231-25/+10
| | | | | | | | | Constant values were assigned to variables gthat would later be freed with slapi_ch_free_string(). Make copies instead so the free doesn't blow. Also remove useless tests, as these functions already check for NULL on their own. Fixes: https://fedorahosted.org/freeipa/ticket/529
* Silence compilation warnings in SLAPI pluginsJakub Hrozek2010-11-229-59/+54
| | | | Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Use internal implementation of internal Kerberos functionsJakub Hrozek2010-11-223-2/+6
| | | | | | | | | | | Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Stricter compilation flagsJakub Hrozek2010-11-229-0/+17
| | | | | | | Use a little stricter compilation flags, in particular -Wall and treat implicit function declarations as errors. Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Common include file for SLAPI plugin loggingJakub Hrozek2010-11-2219-449/+332
| | | | | | | | | Consolidate the common logging macros into common/util.h and use them in SLAPI plugins instead of calling slapi_log_error() directly. https://fedorahosted.org/freeipa/ticket/408 Signed-off-by: Simo Sorce <ssorce@redhat.com>
* uuid plugin: convert the plugin to use the libuuid librarySimo Sorce2010-11-153-10/+29
| | | | | | | | | | The DS guys decided not to expose the DS inetrnal functions used to generate UUIDs for DS. This means the interface is not guaranteed to be available. Switch the ipa_uuid plugin to use the system libuuid plugin instead. NOTE: This causes once again a change in the tring format used for UUIDs. fixes: https://fedorahosted.org/freeipa/ticket/465
* uuid-plugin: Fix control access bug on replicationalpha_5-1-9-0-1Simo Sorce2010-11-101-1/+17
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/468
* pwd-plugin: Always use a special salt by default.Simo Sorce2010-10-281-28/+22
| | | | | | | This should make renamed users able to keep using old credentials as the salt is not derived from the principal name but is always a random quantity. https://fedorahosted.org/freeipa/ticket/412
* pwd-plugin: fix slapi log target in logging functionsSimo Sorce2010-10-281-12/+7
|
* ipa_uuid: prevent false positives on modifiesSimo Sorce2010-10-281-0/+14
| | | | | | | If a modify operation does not specify our attribute then we need to short circuit the loop, otherwise on enforcing we will return an error by mistake if we are not Directory Manager because generate is false if the attr is not found.
* ipa_uuid: Handle generation of the uuid when it is a RDNSimo Sorce2010-10-281-10/+50
|
* ipa-uuid: Add enforce modeSimo Sorce2010-10-281-0/+23
| | | | | | | By setting the enforce flag in the configuration we prevent anyone from storing arbitrary values and allow only Directory Manager to override the plugin. Users can only set the value to the magic value (usually 0) to have the uuid regenerated, and nothing else.
* ipa-uuid: Code cleanupsSimo Sorce2010-10-281-165/+162
| | | | | | Remove one level of indentation from the main function by jumping to the end immediately if the configuration list is empty. Other minor style cleanups.
* ipa-uuid: safer unlock handlingSimo Sorce2010-10-281-2/+6
| | | | | This allows the code in the for loop to error out without worrying of forgetting to unlock the config entries.
* ipa-uuid: Reset generate flag at every cycleSimo Sorce2010-10-281-1/+3
| | | | | Avoid false positives if more than one uuid attribute is generated in the same entry.