freeipa.git/daemons/ipa-slapi-plugins, branch master Unnamed repository; edit this file 'description' to name the repository. Add TOTP watermark support 2014-07-25T08:41:17+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-07-11T16:29:58+00:00 d3638438fce1a9d1e07c2be3b8f43befb07a6b40 This prevents the reuse of TOTP tokens by recording the last token interval that was used. This will be replicated as normal. However, this patch does not increase the number of writes to the database in the standard authentication case. This is because it also eliminates an unnecessary write during authentication. Hence, this patch should be write-load neutral with the existing code. Further performance enhancement is desired, but is outside the scope of this patch. https://fedorahosted.org/freeipa/ticket/4410 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.

Further performance enhancement is desired, but is outside the
scope of this patch.

https://fedorahosted.org/freeipa/ticket/4410

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add missing break 2014-07-14T14:28:59+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-07-12T16:28:38+00:00 d1d253637535017fdf82aa833df742bb418bbf65 Wrong error message would be used for in case of RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to the default section. Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Wrong error message would be used for in case of
RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to
the default section.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Fix getkeytab code to always use implicit tagging. 2014-06-27T08:03:23+00:00 Simo Sorce simo@redhat.com 2014-06-26T15:43:47+00:00 d9d5967f7e1a11d77dee4bba00f10763b8ac2ec5 A mixture of implicit and explicit tagging was being used and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treat sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow to the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
A mixture of implicit and explicit tagging was being used and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treat sequences and explicit tagging.

The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow to the specified encoding.

Resolves: https://fedorahosted.org/freeipa/ticket/4404

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
keytab: Add new extended operation to get a keytab. 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:30:14+00:00 5c0e7a5fb420377dcc06a956695afdcb35196444 This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
keytabs: Expose and modify key encoding function 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:28:32+00:00 88bcf5899c3bd12b05d017436df0fc1374c954a5 Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
keytabs: Modularize setkeytab operation 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:25:14+00:00 d04746cdea312eb630e6466162c322593187ab8b In preparation of adding another function to avoid code duplication. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
In preparation of adding another function to avoid code duplication.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Change OTPSyncRequest structure to use OctetString 2014-06-25T12:22:01+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-05-23T17:01:59+00:00 7b15fcd57b06482be36e95e50cbec596777955b4 This change has two motivations: 1. Clients don't have to parse the string. 2. Future token types may have new formats. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This change has two motivations:
  1. Clients don't have to parse the string.
  2. Future token types may have new formats.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Revert "Check for password expiration in pre-bind" 2014-06-10T06:42:03+00:00 Martin Kosek mkosek@redhat.com 2014-06-10T06:42:03+00:00 c41b782bc59cd0cb70cbd62d543f9c538109d410 This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6. Forceful validation of password expiration date in a BIND pre-callback breaks LDAP password change extended operation as the password change is only allowed via authenticated (bound) channel. Passwords could be only changed via kadmin protocol. This change would thus break LDAP-only clients and Web UI password change hook. This patch will need to be revisited so that unauthenicated corner cases are also revisited. https://fedorahosted.org/freeipa/ticket/1539 
This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6.

Forceful validation of password expiration date in a BIND pre-callback
breaks LDAP password change extended operation as the password change
is only allowed via authenticated (bound) channel. Passwords could be
only changed via kadmin protocol. This change would thus break
LDAP-only clients and Web UI password change hook.

This patch will need to be revisited so that unauthenicated corner
cases are also revisited.

https://fedorahosted.org/freeipa/ticket/1539
Check for password expiration in pre-bind 2014-06-09T06:18:16+00:00 Simo Sorce simo@redhat.com 2013-05-09T18:25:14+00:00 bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6 If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
If the password is expired fail a password bind.

Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
ipa-pwd-extop: Deny LDAP binds for accounts with expired principals 2014-05-05T15:50:01+00:00 Tomas Babej tbabej@redhat.com 2014-04-01T10:41:16+00:00 5d78cdf80951748f5f954a69c41a2a2cb1b84812 Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.

https://fedorahosted.org/freeipa/ticket/3305

Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>