| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
the changepw dn we store so that it won't match. This causes normal password
changes to be interpreted as password resets instead, and the new legit
password is immediately expired.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Addresses bz#471130
Also fix bugs in ipapwd_start.
Also remove mutex, it is not necessary with the current code,
we needed it when we used to change reload the configuration and
keep it referenced in a static pointer.
ipapwd_start runs only once and the global variables it sets are fixed
in stone until DS is restarted.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
The ipa-winsync plugin needs to start before the MMR plugin, so that it
can register the API functions. Also, the slapi-nis schema compat
plugin creates an entry that looks exactly like the default IPA group
gidNumber entry, so I added an extra (objectclass=groupOfNames) to the
filter since the slapi-nis entry doesn't have that.
|
|
|
|
|
|
|
|
|
| |
If a user needs to be enabled, just delete the user from the inactivated group,
but do not add to the activated group. If a user is in no group, the user is
active by default. IPA uses the activated group for override purposes.
parse_acct_disable is only used when the config changes, but I cleaned it
up anyway to make the code clearer.
|
| |
|
| |
|
|
|
|
| |
configuration entry Added support to ipa-replica-manage to add winsync agreements. I mostly used the existing code for setting up replication agreements since replication and winsync are quite similar in their configuration. I just had to add some extra attributes to the sync agreement configuration. The tricky part was importing the Windows CA cert.
|
|
|
|
| |
are debugging within the directory server
|
| |
|
|
|
|
| |
callbacks, and gets default values from various configuration entries in the IPA tree
|
|
|
|
| |
homeDirectory prefix and use that to construct the homeDirectory attribute -lookup attribute containing the default gidNumber and use that to add the gidNumber to new users -construct the gecos field from the cn attribute
|
|
|
|
| |
makefiles, spec file * added stubs for the api, including begin update, end update, and destroy callbacks * added config code to allow dynamic dse config changes and auto-discovery of realm and new user objectclass list
|
| |
|
|
|
|
|
| |
but will allow for changing configurations without having to restart DS.
Password operations are slow and rare enough this is an acceptable compromise.
|
| |
|
|
|
|
| |
does not work as expected and generates faulty keys
|
|
|
|
|
|
|
|
|
|
|
| |
ldap add and modify operation performed on the userPassword attribute.
Add helper functions to reduce code duplication.
Do not enforce encrypted connections on ldap add/ldap mod for compatibility
reasons. (We cannot enforce people not to send the password in the clear
anyway, we can only refuse to accept it at the most which does not gain
you much if someone then re-send you the same password previously exposed)
|
|
|
|
| |
the account Never Expires
|
| |
|
| |
|
|
|
|
| |
452537, 453011, 443241, 439628
|
|
|
|
|
| |
we might segfault trying a direct strcmp(), check they are not NULL.
Also fix a couple of memleaks.
|
|
|
|
| |
unused variables or missing krb5 prototypes.
|
|
|
|
|
| |
one to avoid potential segfaults
Avoid leaking memory too.
|
| |
|
|
|
|
| |
synchronization to work again.
|
|
|
|
| |
against this, ipa-memberof.c needs to be able to use the public api or the private one.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
I've been on a crusade (;-) to remove useless if-before-free tests,
so ran a script that spotted some here. I think I removed the first
batch (without braces) automatically, then manually removed the ones
with curly braces around the free statements.
You may well have doubts about the portability of removing those
tests, but as long as you don't care about SunOS4 or earlier, you'll
be fine. I've done similar things for e.g., coreutils, glibc, and git,
and have had no problems.
|
| |
|
|
|
|
| |
Return also an intelligible error message.
|
|
|
|
| |
Ask for inverse order to get them straight ...
|
|
|
|
|
|
| |
Change config to support a maximum value so that ranges can be defined.
Add stubs to reach out and ask to swap in new ranges and notify that new
chuncks are needed/used.
|
|
|
|
| |
Used indent -kr -nut dna.c for most of the changes
|
|
|
|
|
|
|
|
|
| |
FreeIPA relies on RedHat's Directory Server, which uses mozldap.
A FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL.
This is beneficial for the reasons listed in [1].
[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
|
|
|
|
| |
440474
|
|
|
|
|
|
| |
- don't let a user set a password identical to the current one.
- don't check more then the policy defined number of passwords in history
- don't set an history longer than policy defined
|
|
|
|
| |
has different function names. This was a runtime linker crash bug :/
|
| |
|
|
|
|
|
|
|
|
|
|
| |
is created.
We basically just need to add a check to see if we're to use a group
DN as the memberOf value when performing an operation on itself for
all operation types.
439450
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
values without specifying the values to delete in the memberOf
plug-in. Member entries were not being updated because the code
used the values in the mod to find the member entries to update.
The fix is to detect when a delete modify has no values specified
and just use the replace code since it compares the pre-op and
post-op copies of the group to figure out what member entries to
update.
439097
|
|
|
|
|
|
|
| |
Without this, an entry's memberOf attribute is not updated with
the new group DN when an indirect group is renamed.
This is in bugzilla for FDS as bz 438891.
|
| |
|
|
|
|
| |
Resolves 432140
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Following the changelog history from my dev tree, some comments are useful imo
------------------------------------------------------
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 03:05:36 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Remove remnants of the initial test tool
changeset: 563:4fe574b7bdf1
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 02:58:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Maybe actually encrypting the keys will help :-)
changeset: 562:488ded41242a
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:50 2007 -0500
files: ipa-server/ipa-install/share/Makefile.am ipa-server/ipa-install/share/default-aci.ldif
description:
Fixes
changeset: 561:4518f6f5ecaf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:32 2007 -0500
files: ipa-admintools/Makefile ipa-admintools/ipa-addservice
description:
transform the old ipa-getkeytab in a tool to add services as the new
ipa-getkeytab won't do it (and IMO it makes more sense to keep the
two functions separate anyway).
changeset: 559:25a7f8ee973d
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:59 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Bugfixes
changeset: 558:28fcabe4aeba
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:29 2007 -0500
files: ipa-client/configure.ac ipa-client/ipa-client.spec ipa-client/ipa-client.spec.in ipa-client/ipa-getkeytab.c
description:
Configure fixes
Add ipa-getkeytab to spec
Client fixes
changeset: 557:e92a4ffdcda4
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:57:10 2007 -0500
files: ipa-client/Makefile.am ipa-client/configure.ac
description:
Try to make ipa-getkeytab build via autotools
changeset: 556:224894175d6b
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:35:56 2007 -0500
files: ipa-admintools/ipa-getkeytab ipa-client/ipa-getkeytab.c
description:
Messed a bit with hg commands.
To make it short:
- Remove the python ipa-getkeytab program
- Rename the keytab plugin test program to ipa-getkeytab
- Put the program in ipa-client as it should be distributed with the client
tools
changeset: 555:5e1a068f2e90
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:20:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Polish the client program
changeset: 554:0a5b19a167cf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 18:53:49 2007 -0500
files: ipa-server/ipa-install/share/default-aci.ldif ipa-server/ipa-install/share/default-keytypes.ldif ipa-server/ipa-install/share/kdc.conf.template ipa-server/ipa-install/share/kerberos.ldif ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c ipa-server/ipaserver/krbinstance.py
description:
Support retrieving enctypes from LDAP
Filter enctypes
Update test program
changeset: 553:f75d7886cb91
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 00:17:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Fix ber generation and remove redundant keys
changeset: 552:0769cafe6dcd
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 19:31:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Avoid stupid segfault
changeset: 551:1acd5fdb5788
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:39:12 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
If ber_peek_tag() returns LBER_ERROR it may just be that we are at the
end of the buffer. Unfortunately ber_scanf is broken in the sense that
it doesn't actually really consider sequence endings (due probably to the fact
they are just representation and do not reflect in the underlieing DER
encoding.)
changeset: 550:e974fb2726a4
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:35:07 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
First shot at the new method
|
|
|
|
| |
and LM hashes.
|