freeipa.git/util, branch master Unnamed repository; edit this file 'description' to name the repository. ipa-getkeytab: Add support for get_keytab extop 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-19T16:50:35+00:00 f352702d6785fc5f59698dba73d415f994b4ce7d This new extended operation is tried by default and then the code falls back to the old method if it fails. The new method allows for server side password generation as well as retrieval of existing credentials w/o causing regeneration of keys on the server. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
keytab: Add new extended operation to get a keytab. 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:30:14+00:00 5c0e7a5fb420377dcc06a956695afdcb35196444 This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
keytabs: Expose and modify key encoding function 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:28:32+00:00 88bcf5899c3bd12b05d017436df0fc1374c954a5 Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Add support to ipa-kdb for keyless principals 2014-02-19T09:15:36+00:00 Nathaniel McCallum nathaniel@themccallums.org 2013-11-12T15:52:51+00:00 b769d1c18678b5eede7505dec7938f6836070044 https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3779

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
BUILD: Fix portability of NSS in file ipa_pwd.c 2014-01-28T15:35:34+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-01-28T15:35:34+00:00 a4faa2f444f42644e6565675999d0db360716db0 Tested-by: Timo Aaltonen <tjaalton@ubuntu.com> 
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
Remove generation and handling of LM hashes 2013-11-01T08:28:35+00:00 Sumit Bose sbose@redhat.com 2013-10-29T11:19:01+00:00 d876a22732d83ddf8e37ead89e6f23bf7aa0d69c https://fedorahosted.org/freeipa/ticket/3795 
https://fedorahosted.org/freeipa/ticket/3795
ipa-kdb: read SID blacklist from LDAP 2013-02-12T09:37:47+00:00 Martin Kosek mkosek@redhat.com 2013-02-07T13:52:35+00:00 827ea50566dbb2a0906da76d318a2ba68a4b818e SIDs in incoming MS-PAC were checked and filtered with a fixed list of well-known SIDs. Allow reading the SID blacklist from LDAP (ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list to mspac adtrust structure. Use the hardcoded SID list only if the LDAP SID list is not configured. LIMITATION: SID blacklist list is not used yet. https://fedorahosted.org/freeipa/ticket/3289 
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: SID blacklist list is not used yet.

https://fedorahosted.org/freeipa/ticket/3289
Prevent integer overflow when setting krbPasswordExpiration 2013-02-08T14:54:21+00:00 Tomas Babej tbabej@redhat.com 2013-01-14T15:19:44+00:00 0e8a329048629f639ae64ff32e01e12a495e7763 Since in Kerberos V5 are used 32-bit unix timestamps, setting maxlife in pwpolicy to values such as 9999 days would cause integer overflow in krbPasswordExpiration attribute. This would result into unpredictable behaviour such as users not being able to log in after password expiration if password policy was changed (#3114) or new users not being able to log in at all (#3312). The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver. https://fedorahosted.org/freeipa/ticket/3312 https://fedorahosted.org/freeipa/ticket/3114 
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
Make encode_ntlm_keys() public 2012-09-06T07:24:58+00:00 Sumit Bose sbose@redhat.com 2012-08-24T12:46:05+00:00 973aad9db3a2a5e4cdd9d0c300e9ae1a826c1b41 






Move code into common krb5 utils
2012-07-30T14:31:47+00:00

Simo Sorce
ssorce@redhat.com

2012-07-06T15:15:15+00:00

505bc85ec31ad8cfa66be0dc99d19599cd1a9497

This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.





This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.