krb5.git/src/plugins/kdb/ldap/libkdb_ldap, branch proxymech

Add LDAP back end support for policy extensions

2012-07-30T23:11:34+00:00

ticket: 7223

Remove eDirectory support code in LDAP KDB module

2012-07-29T16:03:44+00:00

Factor out LDAP policy marshalling

2012-07-26T16:25:01+00:00

Use a helper function add_policy_mods() in
krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy()
to avoid duplicating code for each field.

Remove obsolete code in ldap_pwd_policy.c

2012-07-26T15:18:35+00:00

r18750 refactored some policy fetching code into populate_policy(),
and left the old code in #if 0 blocks.  Get rid of those blocks now.

Patch from Richard Basch to work around Solaris 8 lacking isblank()

2012-02-27T18:31:50+00:00

ticket: 7074
target_version: 1.10.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25716 dc483132-0cff-0310-8789-dd5450dbe970

Data-driven ASN.1 decoder

2012-02-11T23:25:25+00:00

Add a general ASN.1 decoder implementation in asn1_encode.c using the
same data structures as the encoder (augmented where necessary), and
use it to define decoder functions in asn1_k_encode.c.  Add a boolean
type to atype_info, as it is needed for the pa_pac_req decoder.  For
the moment, just #if out the old decoder functions; they and their
support code can be cleaned up later after a a few remaining utility
functions are addressed.

Changes to encoder and decoder interfaces are minimized, but there are
two small ones.  ldap_seqof_key_data has a kvno field added, and some
of the decoder logic is pushed up into the caller.  The safe_with_body
decoder now outputs an allocated krb5_data * instead of a krb5_data
with aliases into the input buffer.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25693 dc483132-0cff-0310-8789-dd5450dbe970

Fix failure interval of 0 in LDAP lockout code

2011-11-20T05:19:45+00:00

A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit).  It should be treated as forever, as in
the DB2 back end.

This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.

ticket: 7021
target_version: 1.10
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970

SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]

2011-10-18T18:51:35+00:00

Fix null pointer dereference and assertion failure conditions that
could cause a denial of service.

ticket: 6981
target_version: 1.10
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25368 dc483132-0cff-0310-8789-dd5450dbe970

Create e_data as pa_data in KDC interfaces

2011-10-04T20:16:07+00:00

All current known uses of e_data are encoded as pa-data or typed-data.
FAST requires that e_data be expressed as pa-data.  Change the DAL and
kdcpreauth interfaces so that e_data is returned as a sequence of
pa-data elements.  Add a preauth module flag to indicate that the
sequence should be encoded as typed-data in non-FAST errors.

ticket: 6969

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970

Clean up some ldap #define's

2011-08-10T17:10:37+00:00

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25092 dc483132-0cff-0310-8789-dd5450dbe970