| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
| |
satisfy gnu mode - run autoreconf -f to ensure that everything matches
| |
Constant values were assigned to variables that would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.
Fixes: https://fedorahosted.org/freeipa/ticket/529
| |
Signed-off-by: Simo Sorce <ssorce@redhat.com>
| |
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
| |
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
| |
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.
https://fedorahosted.org/freeipa/ticket/408
Signed-off-by: Simo Sorce <ssorce@redhat.com>
| |
The DS guys decided not to expose the DS internal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.
NOTE: This causes once again a change in the string format used for UUIDs.
fixes: https://fedorahosted.org/freeipa/ticket/465
| |
Fixes: https://fedorahosted.org/freeipa/ticket/468
| |
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
| |
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
| |
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
| |
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
| |
This allows the code in the for loop to error out without worrying about
forgetting to unlock the config entries.
| |
Avoid false positives if more than one uuid attribute is generated
in the same entry.
| |
ticket 315
| |
Provide simplified logging macros that appropriately use __func__ __FILE__,
__LINE__, or the plugin name depending on the log level.
| |
This fixes a hard crash when someone tries to fetch a keytab
| |
This attribute is required for samba to properly identify a user has changed
its password and doesn't need to change it again at next login.
At the same time, if we are forcing a password reset we also need to let samba
know the user must change its password.
| |
Slapi plugins must use mozldap because 389 ds is compiled against that.
ipa_kpasswd, instead, should be linked against openldap.
So always make sure both are available.
| |
We were mistakenly removing the latest password from the passwordHistory
once the max history values were reached. Make sure we remove the oldest one
instead.
| |
Turn tabs into quartets of spaces. Fit lines to not exceed 80 columns.
| |
By default LM hash is disabled.
Of course generation still depends on whether the SamAccount objectclass is
present in the user object.
| |
Use __func__ in log functions instead of the explicit function name
so that if the function needs to be renamed later logs reflect the
change automatically w/o the need to change all occurrences.
Also makes a grep for the function name less noisy avoiding tons of
false positives.
| |
The plugin was getting difficult to read and maintain.
Split it (and apply cosmetic cleanups to some functions) in smaller
pieces that perform specific tasks.
| |
This addresses some problems trying to build on non-Fedora/RHEL
distributions, notably Gentoo and Ubuntu/Debian.
Patch contributed by Ian Kumlien <pomac@vapor.com>
| |
ticket #82
| |
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.
The problem is that we do a simple bind when doing password-based
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
| |
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions won't pollute
each other with bad data.
| |
This was preventing ldappasswd from resetting a password.
471287
| |
472332
| |
them.
Fix bug #528922.
| |
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.
The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
| |
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab.
If no kerberos credentials are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
| |
The DS plugin does config checking when adding new entries online so
we are dropping the Posix subtree.
|