path: root/util/ipa_krb5.h
Commit message | Author | Age | Files | Lines
* ipa-getkeytab: Add support for get_keytab extop | Simo Sorce | 2014-06-26 | 1 | -0/+3
  This new extended operation is tried by default and then the code falls back to the old method if it fails. The new method allows for server side password generation as well as retrieval of existing credentials w/o causing regeneration of keys on the server.
  Resolves: https://fedorahosted.org/freeipa/ticket/3859
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytab: Add new extended operation to get a keytab. | Simo Sorce | 2014-06-26 | 1 | -0/+1
  This new extended operation allows creating new keys or retrieving existing ones. The new set of keys is returned as an ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation.
  Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operations.
  For example, for allowing retrieval by a specific user the following ACI is set on cn=accounts:
    (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN)
  This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation.
  Resolves: https://fedorahosted.org/freeipa/ticket/3859
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Move code into common krb5 utils | Simo Sorce | 2012-07-30 | 1 | -0/+2
  This moves the decoding function that reads the keys from the ber format into a structure in the common krb5 util code right below the function that encodes the same data structure into a ber format. This way the 2 functions are in the same place and can both be used by all ipa components.
* Move some krb5 keys related functions from ipa-client to util | Sumit Bose | 2012-06-11 | 1 | -0/+36
* ipa-kdb: implement change_pwd function | Simo Sorce | 2011-08-26 | 1 | -0/+4
* ipa-pwd-extop: make encsalt parsing function common | Simo Sorce | 2011-08-26 | 1 | -0/+6
  It is going to be used by the ipa-kdb module too.
* ipa-pwd-extop: Move encoding in common too | Simo Sorce | 2011-08-26 | 1 | -0/+4
  Also to be used by ipa-kdb
* ipa-pwd-extop: Move encryption of keys in common | Simo Sorce | 2011-08-26 | 1 | -3/+16
  This way we can reuse the same code from ipa-kdb later
* Use internal implementation of internal Kerberos functions | Jakub Hrozek | 2010-11-22 | 1 | -0/+12
  Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases:
    * krb5_principal2salt_norealm
    * krb5_free_ktypes
  Signed-off-by: Simo Sorce <ssorce@redhat.com>