freeipa.git, branch master Unnamed repository; edit this file 'description' to name the repository. Add TOTP watermark support 2014-07-25T08:41:17+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-07-11T16:29:58+00:00 d3638438fce1a9d1e07c2be3b8f43befb07a6b40 This prevents the reuse of TOTP tokens by recording the last token interval that was used. This will be replicated as normal. However, this patch does not increase the number of writes to the database in the standard authentication case. This is because it also eliminates an unnecessary write during authentication. Hence, this patch should be write-load neutral with the existing code. Further performance enhancement is desired, but is outside the scope of this patch. https://fedorahosted.org/freeipa/ticket/4410 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.

Further performance enhancement is desired, but is outside the
scope of this patch.

https://fedorahosted.org/freeipa/ticket/4410

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow hashed passwords in DS 2014-07-25T08:36:47+00:00 Martin Kosek mkosek@redhat.com 2014-07-23T11:03:57+00:00 15eb343b9c235a1ca3a6cc48f730590949d439ec Without nsslapd-allow-hashed-passwords being turned on, user password migration fails. https://fedorahosted.org/freeipa/ticket/4450 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.

https://fedorahosted.org/freeipa/ticket/4450

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix ipa-getkeytab for pre-4.0 servers 2014-07-25T06:22:46+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-07-24T13:50:57+00:00 96986056f65beb120cd74a311524b6601383ee80 Also, make the error messages for this fallback case less scary and clean up some indentation issues in the nearby code which made this code difficult to read. https://fedorahosted.org/freeipa/ticket/4446 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Also, make the error messages for this fallback case less scary and
clean up some indentation issues in the nearby code which made this
code difficult to read.

https://fedorahosted.org/freeipa/ticket/4446

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Improve password validity check. 2014-07-24T12:22:40+00:00 David Kupka dkupka@redhat.com 2014-07-24T11:32:37+00:00 603842867c65ae93d74a7c453c4301073c998441 Allow use of characters that no longer cause troubles. Check for leading and trailing characters in case of 389 Direcory Manager password. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Allow use of characters that no longer cause troubles. Check for
leading and trailing characters in case of 389 Direcory Manager password.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Do not require dogtag-pki-server-theme 2014-07-24T11:57:24+00:00 Martin Kosek mkosek@redhat.com 2014-07-23T14:35:13+00:00 1026a6387cd392994ec996db53141d16dfcbee29 Theme package is contains resources for PKI web interface. This interface is not needed by FreeIPA as it rather utilizes it's API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Theme package is contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes it's API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
baseldap: Remove redundant search from LDAPAddReverseMember and LDAPRemoveReverseMember 2014-07-23T13:12:30+00:00 Tomas Babej tbabej@redhat.com 2014-07-23T12:36:42+00:00 3812ca03f21ef637a1d746298ad3244f07838554 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Always record that pkicreate has been executed. 2014-07-22T07:03:56+00:00 David Kupka dkupka@redhat.com 2014-07-21T13:57:18+00:00 41b057e38757c0acf1d600245269851f532df389 Record that pkicreate/pkispawn has been executed to allow cleanup even if the installation did not finish correctly. https://fedorahosted.org/freeipa/ticket/2796 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Record that pkicreate/pkispawn has been executed to allow cleanup even if the
installation did not finish correctly.

https://fedorahosted.org/freeipa/ticket/2796

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Update freeipa-server krb5-server dependency to 1.11.5-5 2014-07-22T06:35:40+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-07-21T16:32:03+00:00 53c8efe62f5de1bd48fbdf7bef3fa31debe81de3 Previous versions of libkrb5 can't handle expired passwords inside the FAST tunnel. This breaks the password change UI in FreeIPA. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Previous versions of libkrb5 can't handle expired passwords
inside the FAST tunnel. This breaks the password change UI
in FreeIPA.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fix login password expiration detection with OTP 2014-07-21T14:36:28+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-07-14T18:39:00+00:00 e4771302812388cc7f9773ce48d0bc3b34855248 The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials. After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant. https://fedorahosted.org/freeipa/ticket/4412 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
The preexisting code would execute two steps. First, it would perform a kinit.
If the kinit failed, it would attempt to bind using the same credentials to
determine if the password were expired. While this method is fairly ugly, it
mostly worked in the past.

However, with OTP this breaks. This is because the OTP code is consumed by
the kinit step. But because the password is expired, the kinit step fails.
When the bind is executed, the OTP token is already consumed, so bind fails.
This causes all password expirations to be reported as invalid credentials.

After discussion with MIT, the best way to handle this case with the standard
tools is to set LC_ALL=C and check the output from the command. This
eliminates the bind step altogether. The end result is that OTP works and
all password failures are more performant.

https://fedorahosted.org/freeipa/ticket/4412

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
webui: fix disabled state of service's PAC type 2014-07-21T10:39:16+00:00 Petr Vobornik pvoborni@redhat.com 2014-07-10T10:02:51+00:00 ad593a5c06d447006f14446cbdfbf5b437a0d111 Nested options (MS-PAC and PAD) of service's PAC type should be disabled if no value is supplied (default value is "Inherited from server configuration"). That was not the case - regression. This patch fixes it and along with it simplifies the update method of option_widget_base to be more comprehensible. Reviewed-By: Endi Sukma Dewata <edewata@redhat.com> 
Nested options (MS-PAC and PAD) of service's PAC type should be
disabled if no value is supplied (default value is "Inherited
from server configuration"). That was not the case - regression.

This patch fixes it and along with it simplifies the update method
of option_widget_base to be more comprehensible.

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>