freeipa.git/daemons/ipa-kdb, branch patternfly Unnamed repository; edit this file 'description' to name the repository. Restore krbCanonicalName handling 2014-05-30T07:48:05+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-10-07T19:26:21+00:00 16092c39073e6512e897dc671fd22b2b583ea5b5 When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set, rewrite the principal name to the canonical value, else error out, instead of always returning an error if the requested name doesn't look like the canonical one. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set,
rewrite the principal name to the canonical value, else error out,
instead of always returning an error if the requested name doesn't look
like the canonical one.

https://fedorahosted.org/freeipa/ticket/3966

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Accept any alias, not just the last value 2014-05-30T07:48:05+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-10-07T19:24:29+00:00 fabd5cd62f0693c5071ac60131dff2dfe825bff7 If the entry's krbPrincipalName attribute is multi-valued, accept any of the values, not just the last one we happen to examine. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
If the entry's krbPrincipalName attribute is multi-valued, accept any of
the values, not just the last one we happen to examine.

https://fedorahosted.org/freeipa/ticket/3966

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
kdb: Don't provide password expiration when using only RADIUS 2014-05-22T14:46:01+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-05-02T18:55:07+00:00 58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7 If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant. https://fedorahosted.org/freeipa/ticket/4299 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.

https://fedorahosted.org/freeipa/ticket/4299

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Avoid passing non-terminated string to is_master_host 2014-03-11T15:55:01+00:00 Martin Kosek mkosek@redhat.com 2014-03-07T09:06:52+00:00 740298d1208e92c264ef5752ac3fe6adf1240790 When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.com<garbage>,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
When string is not terminated, queries with corrupted base may be sent
to LDAP:

... cn=ipa1.example.com<garbage>,cn=masters...

https://fedorahosted.org/freeipa/ticket/4214

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-kdb: do not fetch client principal if it is the same as existing entry 2014-03-06T11:28:25+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-03-06T08:26:29+00:00 4048d412f2297df6bb483c86cdb61c21a0081f35 When client principal is the same as supplied client entry, don't fetch it again. Note that when client principal is not NULL, client entry might be NULL for cross-realm case, so we need to make sure to not dereference NULL pointer here. Also fix reverted condition for case when we didn't find the client principal in the database, preventing a memory leak. https://fedorahosted.org/freeipa/ticket/4223 Reviewed-By: Sumit Bose <sbose@redhat.com> 
When client principal is the same as supplied client entry, don't fetch it
again.

Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.

Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.

https://fedorahosted.org/freeipa/ticket/4223

Reviewed-By: Sumit Bose <sbose@redhat.com>
fix filtering of subdomain-based trust users 2014-03-05T09:40:39+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-02-28T20:03:29+00:00 6b45ec3f31773ee7a229d5bb56675badc2d8fd55 https://fedorahosted.org/freeipa/ticket/4207 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4207

Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin 2014-02-26T13:19:49+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-02-25T18:53:49+00:00 f7955abdda854e58c60b74039bbd155f2dc66e75 When admin clears authdata flag for the service principal, KDC will pass NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipa-kdb: in case of delegation use original client's database entry, not the proxy 2014-02-26T13:19:48+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-02-25T15:50:55+00:00 fb2eca8d1ef5244a6c9701f75cd684e07c2a9d57 https://fedorahosted.org/freeipa/ticket/4195 Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4195

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add support to ipa-kdb for keyless principals 2014-02-19T09:15:36+00:00 Nathaniel McCallum nathaniel@themccallums.org 2013-11-12T15:52:51+00:00 b769d1c18678b5eede7505dec7938f6836070044 https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3779

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-kdb: validate that an OTP user has tokens 2014-02-14T15:03:24+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-02-06T15:56:46+00:00 fd55da9a27f76611b01c38c2741c13652d6a3e60 This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.

https://fedorahosted.org/freeipa/ticket/4154

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>