freeipa.git/daemons, branch patternfly Unnamed repository; edit this file 'description' to name the repository. Restore krbCanonicalName handling 2014-05-30T07:48:05+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-10-07T19:26:21+00:00 16092c39073e6512e897dc671fd22b2b583ea5b5 When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set, rewrite the principal name to the canonical value, else error out, instead of always returning an error if the requested name doesn't look like the canonical one. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set,
rewrite the principal name to the canonical value, else error out,
instead of always returning an error if the requested name doesn't look
like the canonical one.

https://fedorahosted.org/freeipa/ticket/3966

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Accept any alias, not just the last value 2014-05-30T07:48:05+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-10-07T19:24:29+00:00 fabd5cd62f0693c5071ac60131dff2dfe825bff7 If the entry's krbPrincipalName attribute is multi-valued, accept any of the values, not just the last one we happen to examine. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
If the entry's krbPrincipalName attribute is multi-valued, accept any of
the values, not just the last one we happen to examine.

https://fedorahosted.org/freeipa/ticket/3966

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
kdb: Don't provide password expiration when using only RADIUS 2014-05-22T14:46:01+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-05-02T18:55:07+00:00 58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7 If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant. https://fedorahosted.org/freeipa/ticket/4299 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.

https://fedorahosted.org/freeipa/ticket/4299

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-pwd-extop: Deny LDAP binds for accounts with expired principals 2014-05-05T15:50:01+00:00 Tomas Babej tbabej@redhat.com 2014-04-01T10:41:16+00:00 5d78cdf80951748f5f954a69c41a2a2cb1b84812 Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.

https://fedorahosted.org/freeipa/ticket/3305

Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa_range_check: Change range_check return values from int to range_check_result_t enum 2014-04-23T11:18:41+00:00 Tomas Babej tbabej@redhat.com 2014-04-22T10:34:12+00:00 5e5d4818a1d9a4422b28f445fbac2e1daa513e82 Using integers for return values that are used for complex casing can be fragile and typo-prone. Change range_check function to return range_check_result_t enum, whose values properly describes each of the range_check results. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describes each of the range_check results.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Martin Kosek <mkosek@redhat.com>
ipa_range_check: Fix typo when comparing strings using strcasecmp 2014-04-23T11:16:35+00:00 Tomas Babej tbabej@redhat.com 2014-04-16T15:28:34+00:00 91d68864d1b59cfc30fa68303f2f664d2e2368bf Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa_range_check: Do not fail when no trusted domain is available 2014-04-23T11:16:35+00:00 Tomas Babej tbabej@redhat.com 2014-04-16T15:26:07+00:00 6c8b40afb57ebd1b062b33db7a2639b9c112d8ed When building the domain to forest root map, we need to take the case of IPA server having no trusted domains configured at all. Do not abort the checks, but return an empty map instead. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
When building the domain to forest root map, we need to take the case
of IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa_range_check: Make a new copy of forest_root_id attribute for range_info struct 2014-04-23T11:16:34+00:00 Tomas Babej tbabej@redhat.com 2014-04-16T15:22:46+00:00 246e722b4fb9a3a33c650cf536d2b0f51a1923b7 Not making a new copy of this attribute creates multiple frees caused by multiple pointers to the same forest_root_id from all the range_info structs for all the domains belonging to given forest. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa_range_check: Connect the new node of the linked list 2014-04-23T11:16:34+00:00 Tomas Babej tbabej@redhat.com 2014-04-16T15:20:55+00:00 2c4d41221a7208e8e4d53ec85f24fe8a1da711dd Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa_range_check: Use special attributes to determine presence of RID bases 2014-04-23T11:16:34+00:00 Tomas Babej tbabej@redhat.com 2014-04-16T15:15:55+00:00 2011392246cda7eb9449f8a0ae239ded3d7d5dd4 The slapi_entry_attr_get_ulong which is used to get value of the RID base attributes returns 0 in case the attribute is not set at all. We need to distinguish this situation from the situation where RID base attributes are present, but deliberately set to 0. Otherwise this can cause false negative results of checks in the range_check plugin. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The slapi_entry_attr_get_ulong which is used to get value of the RID base
attributes returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.

Otherwise this can cause false negative results of checks in the range_check
plugin.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>