path: root/src/providers/krb5
Commit message | Author | Age | Files | Lines
* Handle trailing slash in the ccname template | Jakub Hrozek | 2012-06-14 | 1 | -8/+14
  With the DIR cache support, it's perfectly legal to specify a ccname directory that ends with a slash. The create_dir function did not handle that situation correctly.
* Split parse_krb5_child_response so it can be reused | Jakub Hrozek | 2012-06-14 | 3 | -119/+170
  krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
* Allow redefining the KRB5_CHILD path | Jakub Hrozek | 2012-06-14 | 1 | -3/+7
  The krb5-child-test will want to run the child from the current directory.
* Provide more debugging in krb5_child and ldap_child | Jakub Hrozek | 2012-06-14 | 1 | -13/+65
  https://fedorahosted.org/sssd/ticket/1225
* Two small krb5_child fixes | Jakub Hrozek | 2012-06-14 | 1 | -3/+10
  * Allocation check was missing
  * a DEBUG statement overwrote errno
* added DEBUG messages to krb5_child and ldap_child | Nick Guay | 2012-05-31 | 1 | -3/+12
* Only reset kpasswd server status when performing a chpass operation | Jakub Hrozek | 2012-05-07 | 1 | -2/+3
  https://fedorahosted.org/sssd/ticket/1316
* Limit krb5_get_init_creds_keytab() to etypes in keytab | Stef Walter | 2012-05-07 | 1 | -0/+21
  * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab().
  * This fixes the problem where the server offers an enctype that krb5 supports, but we don't have a key for in the keytab.
  https://bugzilla.redhat.com/show_bug.cgi?id=811375
* Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 2012-05-07 | 1 | -1/+3
  * When it's actually a failure, then the callers will print a message. Fine tune this.
* If canon'ing principals, write ccache with updated default principal | Stef Walter | 2012-05-04 | 1 | -2/+6
  * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated.
  * Create the cache file with the correct default credential.
  * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch.
  https://bugzilla.redhat.com/show_bug.cgi?id=811518
* Modify behavior of pam_pwd_expiration_warning | Jan Zeleny | 2012-05-04 | 1 | -4/+27
  New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning.
  If the value of expiration warning is set to zero, the filter isn't applied at all - if backend server returns the warning, it will be automatically displayed.
  Default value for Kerberos: 7 days
  Default value for LDAP: don't apply the filter
  Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
* Convert read and write operations to sss_atomic_read | Jakub Hrozek | 2012-04-20 | 2 | -46/+31
  https://fedorahosted.org/sssd/ticket/1209
* Clean up log messages about keytab_name | Stephen Gallagher | 2012-04-05 | 1 | -2/+4
  There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs.
  https://fedorahosted.org/sssd/ticket/1288
* Add terminator for dp_option | Stephen Gallagher | 2012-03-28 | 1 | -1/+2
* Put dp_option maps in their own file | Stephen Gallagher | 2012-03-28 | 2 | -18/+47
  There is no functional change due to this patch.
* Detect cycle in the fail over on subsequent resolve requests only | Jakub Hrozek | 2012-03-08 | 1 | -17/+15
* krb5_child: set debugging sooner | Jakub Hrozek | 2012-03-06 | 1 | -12/+18
* Only do one cycle when resolving a server | Jakub Hrozek | 2012-03-06 | 1 | -7/+12
  https://fedorahosted.org/sssd/ticket/1214
* IPA: Set the DNS discovery domain to match ipa_domain | Stephen Gallagher | 2012-03-01 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1217
* KRB5: Add syslog messages for Kerberos failures | Stephen Gallagher | 2012-01-31 | 1 | -0/+1
  https://fedorahosted.org/sssd/ticket/1137
* Do not call krb5_child when changing passwords and provider went offline | Jakub Hrozek | 2012-01-06 | 1 | -1/+11
  https://fedorahosted.org/sssd/ticket/1131
* Add compatibility layer for Heimdal Kerberos implementation | Stephen Gallagher | 2011-12-22 | 2 | -8/+12
* Honor case sensitive flag when creating the ccname template | Jakub Hrozek | 2011-12-21 | 3 | -5/+17
* Securely set umask when using mkstemp | Stephen Gallagher | 2011-12-19 | 2 | -0/+6
  Coverity 12394, 12395, 12396, 12397 and 12398
* Move child_common routines to util | Stephen Gallagher | 2011-12-19 | 5 | -5/+5
* Set more strict permissions on keyring | Simo Sorce | 2011-11-22 | 1 | -1/+1
  We want to confine access to the keyring to the current process and not let root easily peek into the keyring contents.
* Fixed unchecked value of setenv() in check_and_export_options() | Jan Zeleny | 2011-11-22 | 1 | -2/+5
  https://fedorahosted.org/sssd/ticket/1080
* Cleanup: Remove unused parameters | Jakub Hrozek | 2011-11-22 | 1 | -7/+2
* Add support to request canonicalization on krb AS requests | Jan Zeleny | 2011-11-02 | 3 | -1/+25
  https://fedorahosted.org/sssd/ticket/957
* Multiline macro cleanup | Jakub Hrozek | 2011-09-28 | 1 | -1/+1
  This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.
* DEBUG timestamps offer higher precision | Pavel Březina | 2011-09-08 | 1 | -0/+2
  https://fedorahosted.org/sssd/ticket/956
  Added: --debug-microseconds=0/1
  Added: debug_microseconds to sssd.conf
* New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0 | Pavel Březina | 2011-08-25 | 1 | -1/+3
  Removed: SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED)
  Added new macro: CONVERT_AND_SET_DEBUG_LEVEL(new_value)
  Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0 so DEBUG macro could be reduced by one condition. Anyway, it has a minor effect, every time you want to load debug_level from command line parameters, you have to use following pattern:
      /* Set debug level to invalid value so we can decide if -d 0 was used. */
      debug_level = SSSDBG_INVALID;
      pc = poptGetContext(argv[0], argc, argv, long_options, 0);
      while((opt = poptGetNextOpt(pc)) != -1) {
          ...
      }
      CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
* New DEBUG facility - conversion | Pavel Březina | 2011-08-25 | 1 | -0/+2
  https://fedorahosted.org/sssd/ticket/925
  Conversion of the old debug_level format to the new one. (only where it was necessary)
  Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
* sysdb refactoring: memory context deleted | Jan Zeleny | 2011-08-15 | 1 | -4/+3
  This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
* sysdb refactoring: deleted domain variables in sysdb API | Jan Zeleny | 2011-08-15 | 3 | -13/+10
  The patch also updates code using modified functions. Tests have also been adjusted.
* Rename fo_get_server_name to fo_get_server_str_name | Jakub Hrozek | 2011-07-21 | 1 | -1/+1
* Remove unused krb5_service structure member | Jakub Hrozek | 2011-07-13 | 2 | -5/+1
* Escape IP address in kdcinfo | Jakub Hrozek | 2011-07-11 | 1 | -4/+26
  https://fedorahosted.org/sssd/ticket/909
* Switch resolver to using resolv_hostent and honor TTL | Jakub Hrozek | 2011-06-15 | 1 | -1/+1
* Fix two typos | Sumit Bose | 2011-06-15 | 1 | -2/+3
* Delete cached ccache file if password is expired | Sumit Bose | 2011-06-15 | 1 | -8/+63
* Add utility function to return IP address as string | Jakub Hrozek | 2011-06-02 | 1 | -9/+2
* Add online callback only once for TGT renewal | Sumit Bose | 2011-06-02 | 1 | -25/+44
* Rename label in expand_ccname_template | Jakub Hrozek | 2011-05-20 | 1 | -17/+17
  The label was named fail but used also in success cases.
* Use a temporary memory context in expand_ccname_template | Jakub Hrozek | 2011-05-12 | 1 | -20/+33
* Added some kerberos functions for building on RHEL5 | Jan Zeleny | 2011-05-05 | 1 | -2/+2
* Do not leak pcre context | Jakub Hrozek | 2011-05-04 | 1 | -0/+12
* Return pam data to the renewal item if renewal fails | Sumit Bose | 2011-05-02 | 1 | -4/+9
  A previous patch changed a talloc_steal() into a talloc_move(). Now it is not enough to change the parent memory context with talloc_steal to give back the data, but it has to be assigned back too. Additionally this patch uses the missing pam data as an indication that a renewal request for this data is currently running.
* Fix bad password caching when using automatic TGT renewal | Stephen Gallagher | 2011-04-29 | 1 | -3/+12
  Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856
* Allow new option to specify principal for FAST | Jan Zeleny | 2011-04-25 | 3 | -4/+55
  https://fedorahosted.org/sssd/ticket/700