summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
* Add TOTP watermark supportNathaniel McCallum2014-07-251-73/+86
| | | | | | | | | | | | | | | | This prevents the reuse of TOTP tokens by recording the last token interval that was used. This will be replicated as normal. However, this patch does not increase the number of writes to the database in the standard authentication case. This is because it also eliminates an unnecessary write during authentication. Hence, this patch should be write-load neutral with the existing code. Further performance enhancement is desired, but is outside the scope of this patch. https://fedorahosted.org/freeipa/ticket/4410 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add missing breakLukas Slebodnik2014-07-141-0/+1
| | | | | | | | Wrong error message would be used for in case of RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to the default section. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix getkeytab code to always use implicit tagging.Simo Sorce2014-06-271-5/+5
| | | | | | | | | | | | | | A mixture of implicit and explicit tagging was being used and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treat sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow to the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* keytab: Add new extended operation to get a keytab.Simo Sorce2014-06-261-0/+571
| | | | | | | | | | | | | | | | | | | | | | | | | | | This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Expose and modify key encoding functionSimo Sorce2014-06-262-7/+19
| | | | | | | | | | | Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Modularize setkeytab operationSimo Sorce2014-06-261-477/+611
| | | | | | | | | In preparation of adding another function to avoid code duplication. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Change OTPSyncRequest structure to use OctetStringNathaniel McCallum2014-06-255-56/+79
| | | | | | | | This change has two motivations: 1. Clients don't have to parse the string. 2. Future token types may have new formats. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Periodically refresh global ipa-kdb configurationNathaniel McCallum2014-06-195-45/+86
| | | | | | | | | | | | | Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new configuration until it is restarted. This patch enables caching of the global configuration with a timeout of 60 seconds. https://fedorahosted.org/freeipa/ticket/4153 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Revert "Check for password expiration in pre-bind"Martin Kosek2014-06-101-29/+4
| | | | | | | | | | | | | | | This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6. Forceful validation of password expiration date in a BIND pre-callback breaks LDAP password change extended operation as the password change is only allowed via authenticated (bound) channel. Passwords could be only changed via kadmin protocol. This change would thus break LDAP-only clients and Web UI password change hook. This patch will need to be revisited so that unauthenicated corner cases are also revisited. https://fedorahosted.org/freeipa/ticket/1539
* Check for password expiration in pre-bindSimo Sorce2014-06-091-4/+29
| | | | | | | | If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Restore krbCanonicalName handlingNalin Dahyabhai2014-05-301-5/+1
| | | | | | | | | | | When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set, rewrite the principal name to the canonical value, else error out, instead of always returning an error if the requested name doesn't look like the canonical one. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Accept any alias, not just the last valueNalin Dahyabhai2014-05-301-0/+3
| | | | | | | | | If the entry's krbPrincipalName attribute is multi-valued, accept any of the values, not just the last one we happen to examine. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* kdb: Don't provide password expiration when using only RADIUSNathaniel McCallum2014-05-221-0/+4
| | | | | | | | | | If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant. https://fedorahosted.org/freeipa/ticket/4299 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-pwd-extop: Deny LDAP binds for accounts with expired principalsTomas Babej2014-05-051-1/+34
| | | | | | | | | | | | | Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Change range_check return values from int to ↵Tomas Babej2014-04-231-16/+26
| | | | | | | | | | | | range_check_result_t enum Using integers for return values that are used for complex casing can be fragile and typo-prone. Change range_check function to return range_check_result_t enum, whose values properly describes each of the range_check results. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipa_range_check: Fix typo when comparing strings using strcasecmpTomas Babej2014-04-231-4/+4
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Do not fail when no trusted domain is availableTomas Babej2014-04-231-2/+10
| | | | | | | | | | When building the domain to forest root map, we need to take the case of IPA server having no trusted domains configured at all. Do not abort the checks, but return an empty map instead. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Make a new copy of forest_root_id attribute for range_info ↵Tomas Babej2014-04-231-1/+1
| | | | | | | | | | | | struct Not making a new copy of this attribute creates multiple frees caused by multiple pointers to the same forest_root_id from all the range_info structs for all the domains belonging to given forest. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Connect the new node of the linked listTomas Babej2014-04-231-0/+1
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Use special attributes to determine presence of RID basesTomas Babej2014-04-231-9/+21
| | | | | | | | | | | | | | The slapi_entry_attr_get_ulong which is used to get value of the RID base attributes returns 0 in case the attribute is not set at all. We need to distinguish this situation from the situation where RID base attributes are present, but deliberately set to 0. Otherwise this can cause false negative results of checks in the range_check plugin. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Extend ipa-range-check DS plugin to handle range typesTomas Babej2014-04-081-40/+260
| | | | | | | | | | | | | | | | | | | | | | | | | The ipa-range-check plugin used to determine the range type depending on the value of the attributes such as RID or secondary RID base. This approached caused variety of issues since the portfolio of ID range types expanded. The patch makes sure the following rules are implemented: * No ID range pair can overlap on base ranges, with exception of two ipa-ad-trust-posix ranges belonging to the same forest * For any ID range pair of ranges belonging to the same domain: * Both ID ranges must be of the same type * For ranges of ipa-ad-trust type or ipa-local type: * Primary RID ranges can not overlap * For ranges of ipa-local type: * Primary and secondary RID ranges can not overlap * Secondary RID ranges cannot overlap For the implementation part, the plugin was extended with a domain ID to forest root domain ID mapping derivation capabilities. https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-range-check: Fix memory leaks when freeing range objectTomas Babej2014-04-081-4/+12
| | | | | | | | When cleaning the range_info struct, simple free of the struct is not enough, we have to free contents of char pointers in the struct as well. https://fedorahosted.org/freeipa/ticket/4276
* ipa-pwd-extop: Fix memory leak in ipapwd_pre_bindTomas Babej2014-04-081-0/+1
| | | | | | We need to free the entry before returning from the function. https://fedorahosted.org/freeipa/ticket/4295
* extdom: do not return results from the wrong domainSumit Bose2014-03-251-0/+12
| | | | | Resolves: https://fedorahosted.org/freeipa/ticket/4264 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-sam: cache gid to sid and uid to sid requests in idmap cacheJason Woods2014-03-121-14/+114
| | | | | | | | | | | | | | | | | | | | | | Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid<->sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when looking up user primary group as is done during init, - checking for group objectclass in case insensitive way Patch by Jason Woods <devel@jasonwoods.me.uk> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> https://fedorahosted.org/freeipa/ticket/4234 and https://bugzilla.redhat.com/show_bug.cgi?id=1073829 https://bugzilla.redhat.com/show_bug.cgi?id=1074314 Reviewed-By: Sumit Bose <sbose@redhat.com>
* Avoid passing non-terminated string to is_master_hostMartin Kosek2014-03-111-1/+2
| | | | | | | | | | | When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.com<garbage>,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: do not fetch client principal if it is the same as existing entryAlexander Bokovoy2014-03-061-6/+13
| | | | | | | | | | | | | | | When client principal is the same as supplied client entry, don't fetch it again. Note that when client principal is not NULL, client entry might be NULL for cross-realm case, so we need to make sure to not dereference NULL pointer here. Also fix reverted condition for case when we didn't find the client principal in the database, preventing a memory leak. https://fedorahosted.org/freeipa/ticket/4223 Reviewed-By: Sumit Bose <sbose@redhat.com>
* fix filtering of subdomain-based trust usersAlexander Bokovoy2014-03-051-9/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/4207 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared ↵Alexander Bokovoy2014-02-261-0/+8
| | | | | | | | | | | | by admin When admin clears authdata flag for the service principal, KDC will pass NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: in case of delegation use original client's database entry, not the ↵Alexander Bokovoy2014-02-261-2/+7
| | | | | | | | | proxy https://fedorahosted.org/freeipa/ticket/4195 Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* libotp: do not call internal search for NULL dnAlexander Bokovoy2014-02-211-1/+6
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Teach ipa-pwd-extop to respect global ipaUserAuthType settingsNathaniel McCallum2014-02-217-406/+398
| | | | | | https://fedorahosted.org/freeipa/ticket/4105 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP sync support to ipa-pwd-extopNathaniel McCallum2014-02-219-970/+373
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-216-0/+219
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-7/+36
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support to ipa-kdb for keyless principalsNathaniel McCallum2014-02-191-0/+18
| | | | | | https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add libotp internal library for slapi pluginsNathaniel McCallum2014-02-148-0/+970
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable building in C99 modeNathaniel McCallum2014-02-141-1/+1
| | | | | | | | | | | | | C99 is supported on all compilers we target and provides some useful features, including: * Standard struct initializers * Compound literals * For-loop declarations * Standard bool type * Variable arrays (use with caution) * Too many others to mention... Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: validate that an OTP user has tokensNathaniel McCallum2014-02-143-25/+135
| | | | | | | | | | | | This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Move ipa-otpd socket directoryNathaniel McCallum2014-02-113-6/+6
| | | | | https://fedorahosted.org/freeipa/ticket/4167 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipa-lockout: do not fail when default realm cannot be readMartin Kosek2014-02-041-17/+17
| | | | | | | | | | | When ipa-lockout plugin is started during FreeIPA server installation, the default realm may not be available and plugin should then not end with failure. Similarly to other plugins, start in degraded mode in this situation. Operation is fully restored during the final services restart. https://fedorahosted.org/freeipa/ticket/4085
* Fallback to global policy in ipa-lockout pluginMartin Kosek2014-02-031-0/+34
| | | | | | | | | | krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy. https://fedorahosted.org/freeipa/ticket/4085
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-282-1/+4
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* CLDAP: add unit tests for make_netbios_nameSumit Bose2014-01-232-0/+87
|
* CLDAP: generate NetBIOS name like ipa-adtrust-install doesSumit Bose2014-01-232-14/+35
| | | | Fixes https://fedorahosted.org/freeipa/ticket/4116
* ipasam: delete trusted child domains before removing the trustAlexander Bokovoy2014-01-211-1/+44
| | | | | | | LDAP protocol doesn't allow deleting non-leaf entries. One needs to remove all leaves first before removing the tree node. https://fedorahosted.org/freeipa/ticket/4126
* Harmonize policy discovery to kdb driverSimo Sorce2014-01-161-89/+17
| | | | | | | | | | | The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085
* CLDAP: do not prepend \\Sumit Bose2014-01-151-1/+1
| | | | | | | | | For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in the PDC NetBIOS name. In general AD seems to be smart enough to handle the two \ signs. But if the NetBIOS name reaches the maximum of 15 character AD does not accept the responses anymore. Fixes https://fedorahosted.org/freeipa/ticket/4028
* Use /usr/bin/python2Xiao-Long Chen2014-01-031-1/+1
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* ipa-cldap: Cut NetBIOS name after 15 charactersTomas Babej2013-12-112-1/+6
| | | | | | | | The CLDAP DS plugin uses the uppercased first segment of the fully qualified hostname as the NetBIOS name. We need to limit its size to 15 characters. https://fedorahosted.org/freeipa/ticket/4028
generated by cgit (git 2.34.1) at 2024-05-05 11:30:28 +0000