krb5.git/src/plugins, branch proxymech Unnamed repository; edit this file 'description' to name the repository. Add reenter gssapi interposer plugin. 2013-01-11T19:31:31+00:00 Günther Deschner gd@samba.org 2013-01-11T12:21:02+00:00 39784e952b1cacf795e18ea036ed1052a1bc677d Once finished, this module is supposed to just reenter into gssapi. 
Once finished, this module is supposed to just reenter into gssapi.
Remove osa_adb_rename_db 2012-09-13T17:00:15+00:00 Greg Hudson ghudson@mit.edu 2012-09-13T17:00:15+00:00 7f8f693a439810569bd869c7b3975f9dd03f4d43 This function wasn't used anywhere. Also remove the declaration for osa_adb_close_policy(), which doesn't exist. 
This function wasn't used anywhere.  Also remove the declaration for
osa_adb_close_policy(), which doesn't exist.
Fix lock inconsistency in ctx_unlock() 2012-09-12T18:49:25+00:00 Nicolas Williams nico@cryptonector.com 2012-09-12T16:36:54+00:00 29ee39baa919361ae08e26caab896890d5cb3eb4 The lock inconsistency fixed here is quite possibly the same as described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 . The problem is that ctx_unlock() fails to unlock the principal DB if it fails to unlock the policy DB, and this happens when ctx_lock() fails to lock the policy DB (likely because the caller is racing against a kdb5_util load, which will be using a "permanent" lock, meaning that the lock file will be unlinked after acquiring the lock). The fix is to perform both unlock operations *then* handle any errors that either or both might have returned. Additionally, we don't really need or want to use non-blocking locks, and we certainly don't want to sleep(1) in krb5kdc (possibly several times, as there was a loop over this) when either of the principal or policy DB is locked. Some callers still request non-blocking locks, and ctx_lock() still honors this. ticket: 7360 (new) 
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .

The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock).  The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.

Additionally, we don't really need or want to use non-blocking locks,
and we certainly don't want to sleep(1) in krb5kdc (possibly several
times, as there was a loop over this) when either of the principal or
policy DB is locked.  Some callers still request non-blocking locks,
and ctx_lock() still honors this.

ticket: 7360 (new)
Use blocking locks in krb5kdc and libkadm5srv 2012-09-12T18:49:06+00:00 Nicolas Williams nico@cryptonector.com 2012-09-12T02:37:53+00:00 b858e776ece87756202d4c646931d35bd407e3ea We don't really need or want to use non-blocking locks, and we certainly don't want to sleep(1) in krb5kdc (possibly several times, as there was a loop over this) when either of the principal or policy DB is locked. Some callers still request non-blocking locks, and ctx_lock() still honors this. ticket: 7359 (new) 
We don't really need or want to use non-blocking locks, and we certainly
don't want to sleep(1) in krb5kdc (possibly several times, as there was
a loop over this) when either of the principal or policy DB is locked.
Some callers still request non-blocking locks, and ctx_lock() still
honors this.

ticket: 7359 (new)
Run "make depend" 2012-08-23T19:19:30+00:00 Tom Yu tlyu@mit.edu 2012-08-23T19:13:54+00:00 5f9af8663385216c3165a85fb7704cf7a656607f 






Add LDAP back end support for policy extensions
2012-07-30T23:11:34+00:00

Greg Hudson
ghudson@mit.edu

2012-07-27T00:11:55+00:00

5edafa053268fcc021d4f4ec091638efbbaac700

ticket: 7223





ticket: 7223







Policy extensions + new policy: allowed ks types
2012-07-30T23:11:28+00:00

Nicolas Williams
nico@cryptonector.com

2012-07-18T21:27:35+00:00

5829ca2b348974e52a67b553afc7f7491007c33a

This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:

 - attributes         (policy-ish principal attributes)
 - max_life           (max ticket life)
 - max_renewable_life (max ticket renewable life)
 - allowed_keysalts   (allowed key/salt types)
 - TL data            (future policy extensions)

Of these only allowed_keysalts is currently implemented.

Some refactoring of TL data handling is also done.

ticket: 7223 (new)





This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:

 - attributes         (policy-ish principal attributes)
 - max_life           (max ticket life)
 - max_renewable_life (max ticket renewable life)
 - allowed_keysalts   (allowed key/salt types)
 - TL data            (future policy extensions)

Of these only allowed_keysalts is currently implemented.

Some refactoring of TL data handling is also done.

ticket: 7223 (new)







Remove eDirectory support code in LDAP KDB module
2012-07-29T16:03:44+00:00

Greg Hudson
ghudson@mit.edu

2012-07-29T16:03:44+00:00

95e9155602651e99c987cf08d52b1dfda9e67fe1












Factor out LDAP policy marshalling
2012-07-26T16:25:01+00:00

Greg Hudson
ghudson@mit.edu

2012-07-26T16:25:01+00:00

9c2e435d02d91018be41a55e0412b9256b40b583

Use a helper function add_policy_mods() in
krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy()
to avoid duplicating code for each field.





Use a helper function add_policy_mods() in
krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy()
to avoid duplicating code for each field.







Remove obsolete code in ldap_pwd_policy.c
2012-07-26T15:18:35+00:00

Greg Hudson
ghudson@mit.edu

2012-07-26T15:18:35+00:00

db318b91b3fe7e30879e37bb16ef9b8852df9ee0

r18750 refactored some policy fetching code into populate_policy(),
and left the old code in #if 0 blocks.  Get rid of those blocks now.





r18750 refactored some policy fetching code into populate_policy(),
and left the old code in #if 0 blocks.  Get rid of those blocks now.