summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
...
* extdom: fix memory leakSumit Bose2015-03-101-0/+1
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* extdom: return LDAP_NO_SUCH_OBJECT to the clientSumit Bose2015-03-101-2/+6
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* extdom: make nss buffer configurableSumit Bose2015-03-093-22/+48
| | | | | | | | | | | | The get*_r_wrapper() calls expect a maximum buffer size to avoid memory shortage if too many threads try to allocate buffers e.g. for large groups. With this patch this size can be configured by setting ipaExtdomMaxNssBufSize in the plugin config object cn=ipa_extdom_extop,cn=plugins,cn=config. Related to https://fedorahosted.org/freeipa/ticket/4908 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* extdom: handle ERANGE return code for getXXYYY_r() callsSumit Bose2015-03-097-84/+498
| | | | | | | | | | | | The getXXYYY_r() calls require a buffer to store the variable data of the passwd and group structs. If the provided buffer is too small ERANGE is returned and the caller can try with a larger buffer again. Cmocka/cwrap based unit-tests for get*_r_wrapper() are added. Resolves https://fedorahosted.org/freeipa/ticket/4908 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add configure check for cwrap librariesSumit Bose2015-03-091-0/+24
| | | | | | | | | Currently only nss-wrapper is checked, checks for other crwap libraries can be added e.g. as AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER) Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-range-check: do not treat missing objects as errorSumit Bose2015-02-241-2/+3
| | | | | | | | | | | | Currently the range check plugin will return a 'Range Check error' message if a ldapmodify operation tries to change a non-existing object. Since the range check plugin does not need to care about non-existing objects we can just return 0 indicating that the range check plugin has done its work. Resolves https://fedorahosted.org/freeipa/ticket/4924 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Stop including the DES algorythm from openssl.Simo Sorce2015-02-231-2/+2
| | | | | | | | | Since we dropped support for LANMAN hashes we do not need DES from OpenSSL anymore. Stop including an testing for it. Test for the MD4 algorythm instead whichis still used for the NT Hashes. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Remove references to GPL v2.0 licenseMartin Kosek2015-02-201-12/+30
| | | | | | | | | | | | All FreeIPA original code should be licensed to GPL v3+ license, update the respective files: - daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c Remove GPL v2.0 license files from LDIFs or template to keep consistency. Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: reject principals from disabled domains as a KDC policyAlexander Bokovoy2015-02-161-1/+1
| | | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4788 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: when processing transitions, hand over unknown ones to KDCAlexander Bokovoy2015-02-161-1/+2
| | | | | | | | | | | When processing cross-realm trust transitions, let the KDC to handle those we don't know about. Admins might define the transitions as explicit [capaths] in krb5.conf. https://fedorahosted.org/freeipa/ticket/4791 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Handle DAL ABI change in MIT 1.13Simo Sorce2015-02-132-0/+14
| | | | | | | | | | | | | In this new MIT version the DAL interface changes slightly but KRB5_KDB_DAL_MAJOR_VERSION was not changed. Luckily KRB5_KDB_API_VERSION did change and that's enough to know what to compile in. Resolves: https://fedorahosted.org/freeipa/ticket/4861 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Expose the disabled User Auth TypeNathaniel McCallum2015-02-121-6/+7
| | | | | | | | | Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled. https://fedorahosted.org/freeipa/ticket/4720 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* OTP: emit a log message when LDAP entry for config record is not foundMartin Babinsky2015-01-302-2/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch proposes a fix to the following defect found by covscan of FreeIPA master code: """ Error: CHECKED_RETURN (CWE-252): /daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling "slapi_search_internal_get_entry" without checking return value (as is done elsewhere 14 out of 16 times). /daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402: example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)) != 0". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign: Example 2: Assigning: "ret" = return value from "slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked: Example 2 (cont.): "ret" has its value checked in "ret". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example 3: Assigning: "search_result" = return value from "slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked: Example 3 (cont.): "search_result" has its value checked in "search_result != 0". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign: Example 4: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039: example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5 (cont.): "ret" has its value checked in "ret == 10". """ The patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-uuid: emit a message when unexpected mod type is encounteredMartin Babinsky2015-01-301-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is related to the following defect reported by covscan of FreeIPA master code: """ Error: DEADCODE (CWE-561): /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796: cond_const: Condition "modtype != 1", taking false branch. Now the value of "modtype" is equal to 1. /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796: cond_const: Condition "modtype != 4", taking false branch. Now the value of "modtype" is equal to 4. /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:941: equality_cond: Jumping to case "1". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:957: equality_cond: Jumping to case "4". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: intervals: When switching on "modtype", the value of "modtype" must be in one of the following intervals: {[1,1], [4,4]}. /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: dead_error_condition: The switch value "modtype" cannot reach the default case. /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:1031: dead_error_begin: Execution cannot reach this statement: "default:". """ The patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-pwd-extop: added an informational comment about intentional fallthroughMartin Babinsky2015-01-301-0/+2
| | | | | | | | | | | | | | | | | | | | This patch is related to this defect reported by covscan in FreeIPA code: """ Error: MISSING_BREAK (CWE-484): /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The case for value "2" is not terminated by a 'break' statement. /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above case falls through to this one. """ Added a comment informing about intentional falltrough in this place, so that future generations reading the code don't get confused. The patch is the part of a series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* OTP: failed search for the user of last token emits an error messageMartin Babinsky2015-01-301-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the following defect reported by covscan: """ Error: CHECKED_RETURN (CWE-252): /daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c:119: check_return: Calling "slapi_search_internal_get_entry" without checking return value (as is done elsewhere 14 out of 16 times). /daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402: example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)) != 0". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign: Example 2: Assigning: "ret" = return value from "slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked: Example 2 (cont.): "ret" has its value checked in "ret". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example 3: Assigning: "search_result" = return value from "slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked: Example 3 (cont.): "search_result" has its value checked in "search_result != 0". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign: Example 4: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039: example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5 (cont.): "ret" has its value checked in "ret == 10". """ this patch is a part of a series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: more robust handling of principal addition/editingMartin Babinsky2015-01-301-23/+47
| | | | | | | | | | | | | | | | | | | | | | | | The patch addresses the following defect reported by covscan in FreeIPA master: """ Error: FORWARD_NULL (CWE-476): /daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning: "principal" = "NULL". /daemons/ipa-kdb/ipa_kdb_principals.c:1929: var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods", which dereferences it. /daemons/ipa-kdb/ipa_kdb_principals.c:1491:9: deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences "principal". /daemons/ipa-kdb/ipa_kdb_principals.c:1174:5: deref_parm_in_call: Function "strdup" dereferences "value" """ This is a part of series of patches related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* always get PAC for client principal if AS_REQ is trueMartin Babinsky2015-01-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | This patch proposes a fix for the following defect reported by covscan in FreeIPA master code: """ Error: DEADCODE (CWE-561): /daemons/ipa-kdb/ipa_kdb_mspac.c:2013: assignment: Assigning: "client_entry" = "NULL". /daemons/ipa-kdb/ipa_kdb_mspac.c:2077: null: At condition "client_entry", the value of "client_entry" must be "NULL". /daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_condition: The condition "client_entry" cannot be true. /daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_line: Execution cannot reach the expression "client_entry" inside this statement: "kerr = ipadb_get_pac(contex...". """ This is a part of a series of patches related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a messageMartin Babinsky2015-01-302-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is related this defect reported by covscan on FreeIPA master: """ Error: DEADCODE (CWE-561): /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328353L", taking false branch. Now the value of "error_code" is equal to -1765328353. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328360L", taking false branch. Now the value of "error_code" is equal to -1765328360. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != 0", taking false branch. Now the value of "error_code" is equal to 0. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: intervals: When switching on "error_code", the value of "error_code" must be in one of the following intervals: {[-1765328360,-1765328360], [-1765328353,-1765328353], [0,0]}. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: dead_error_condition: The switch value "error_code" cannot reach the default case. /daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution cannot reach this statement: "default:". """ This patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipapython: Fix incorrect python shebangsTomas Babej2015-01-263-3/+3
| | | | | | Make sure shebangs explicitly reference python2. Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC catch ldap exceptions in ipa-dnskeysyncdMartin Basti2015-01-231-2/+6
| | | | | | Server down exception causes lot of false positive abrt reports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properlyAlexander Bokovoy2015-01-191-7/+12
| | | | | | | | | | | | | | | | | | | | | | According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping", if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the socket address of the server and set the NtVer of the response accordingly. The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave the same way as a mailslot ping, described in 6.3.5, where socket address of the server is included only if _WITH_IP variant was requested in NtVer. If NtVer only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket address should not be filled in. Additionally, this means we should use special variant of ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional existence of the socket address in the response. https://fedorahosted.org/freeipa/ticket/4827 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Support Samba PASSDB 0.2.0 aka interface version 24Alexander Bokovoy2015-01-193-5/+39
| | | | | | | | | | | | | | | 1. Samba project renamed libpdb to libsamba-passdb https://bugzilla.samba.org/show_bug.cgi?id=10355 2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid() from the PASSDB interface and united them as id_to_sid(). Make sure FreeIPA ipa_sam code supports new and old versions of the PASSDB API. https://fedorahosted.org/freeipa/ticket/4778 Reviewed-By: Sumit Bose <sbose@redhat.com>
* Avoid calling ldap functions without a contextSimo Sorce2015-01-081-3/+16
| | | | | | | | | | | | | | We need to make sure we have a ld context before we can load the configuration, otherwise ldap APIs will abort crashing the KDC. If we have an issue connecting to LDAP the lcontext will be NULL, but we are not checking that condition when we try to refresh the global configuration. https://fedorahosted.org/freeipa/ticket/4810 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make token auth and sync windows configurableNathaniel McCallum2014-12-056-151/+199
| | | | | | | | | | | This introduces two new CLI commands: * otpconfig-show * otpconfig-mod https://fedorahosted.org/freeipa/ticket/4511 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Enable last token deletion when password auth type is configuredNathaniel McCallum2014-12-031-70/+173
| | | | | | | | | | | Also, ensure that the last token check only executes on DNs/entries that are tokens. This resolves a large performance issue where a query was being performed to load all the user's tokens on every del/mod operation. https://fedorahosted.org/freeipa/ticket/4697 https://fedorahosted.org/freeipa/ticket/4719 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Move authentication configuration cache into libotpNathaniel McCallum2014-12-0311-408/+346
| | | | | | | | This enables plugins to share authentication configuration cache code. Additionally, update the caching mechanism to be declarative and faster. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Preliminary refactoring of libotp filesNathaniel McCallum2014-12-0312-101/+90
| | | | | | | | There are no major changes in this commit other than changing filenames and symbols to have consistent namespaces. This prepares for larger changes to come in subsequent commits. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Fix unchecked return values in ipa-winsyncJan Cholasta2014-11-251-20/+20
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix unchecked return value in ipa-kdbJan Cholasta2014-11-251-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix Kerberos error handling in ipa-samJan Cholasta2014-11-251-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove redefinition of LOG from ipa-otp-lasttokenJan Cholasta2014-11-251-3/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Use asn1c helpers to encode/decode the getkeytab controlSimo Sorce2014-11-203-197/+53
| | | | | | | | | | | Replaces manual encoding with automatically generated code. Fixes: https://fedorahosted.org/freeipa/ticket/4718 https://fedorahosted.org/freeipa/ticket/4728 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fix filtering of enctypes in server code.Simo Sorce2014-11-201-17/+43
| | | | | | | | | | | The filtering was incorrect and would result in always discarding all values. Also make sure there are no duplicates in the list. Partial fix for: https://fedorahosted.org/freeipa/ticket/4718 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Ensure that a password exists after OTP validationNathaniel McCallum2014-11-061-12/+14
| | | | | | | | | | | | | | Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords. This patch resolves CVE-2014-7828. https://fedorahosted.org/freeipa/ticket/4690 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leak in ipa-pwd-extopJan Cholasta2014-11-052-3/+2
| | | | | | | | | Also remove dead code and explicitly mark an ignored return value to prevent false positives in static code analysis. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttokenJan Cholasta2014-11-053-5/+17
| | | | | | | | Fixes a wrong sizeof argument and unchecked return values. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leaks in ipa-extdom-extopJan Cholasta2014-11-051-5/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix possible NULL dereference in ipa-kdbJan Cholasta2014-11-051-3/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* DNSSEC: remove container_dnssec_keysJan Cholasta2014-10-212-2/+4
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: add ipa dnssec daemonsPetr Spacek2014-10-216-0/+806
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* extdom: remove unused dependency to libsss_idmapSumit Bose2014-10-212-5/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* extdom: add support for sss_nss_getorigbyname()Sumit Bose2014-10-211-32/+135
| | | | | | https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* Configure IPA OTP Last Token plugin on upgradeNathaniel McCallum2014-10-202-19/+0
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Create ipa-otp-counter 389DS pluginNathaniel McCallum2014-10-209-0/+804
| | | | | | | | | | | | | | | This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. Because this plugin also ensures internal operations behave properly, this also gives ipa-pwd-extop the appropriate behavior for OTP authentication. https://fedorahosted.org/freeipa/ticket/4493 https://fedorahosted.org/freeipa/ticket/4494 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Move OTP synchronization step to after counter writebackNathaniel McCallum2014-09-301-11/+7
| | | | | | | | This prevents synchronization when an authentication collision occurs. https://fedorahosted.org/freeipa/ticket/4493 Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
* extdom: add support for new versionSumit Bose2014-09-303-252/+603
| | | | | | | | | | | | | | | Currently the extdom plugin is basically used to translate SIDs of AD users and groups to names and POSIX IDs. With this patch a new version is added which will return the full member list for groups and the full list of group memberships for a user. Additionally the gecos field, the home directory and the login shell of a user are returned and an optional list of key-value pairs which currently will contain the SID of the requested object if available. https://fedorahosted.org/freeipa/ticket/4031 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* Use stack allocation when writing values during otp authNathaniel McCallum2014-09-301-17/+11
| | | | Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* ipa-kdb: fix unit testsSumit Bose2014-09-262-1/+4
| | | | Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* Add TOTP watermark supportNathaniel McCallum2014-07-251-73/+86
| | | | | | | | | | | | | | | | This prevents the reuse of TOTP tokens by recording the last token interval that was used. This will be replicated as normal. However, this patch does not increase the number of writes to the database in the standard authentication case. This is because it also eliminates an unnecessary write during authentication. Hence, this patch should be write-load neutral with the existing code. Further performance enhancement is desired, but is outside the scope of this patch. https://fedorahosted.org/freeipa/ticket/4410 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-28 15:13:29 +0000