summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-slapi-plugins/ipa-pwd-extop
Commit message (Collapse)AuthorAgeFilesLines
* Fix getkeytab code to always use implicit tagging.Simo Sorce2014-06-271-5/+5
| | | | | | | | | | | | | | A mixture of implicit and explicit tagging was being used and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treat sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow to the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* keytab: Add new extended operation to get a keytab.Simo Sorce2014-06-261-0/+571
| | | | | | | | | | | | | | | | | | | | | | | | | | | This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Expose and modify key encoding functionSimo Sorce2014-06-262-7/+19
| | | | | | | | | | | Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Modularize setkeytab operationSimo Sorce2014-06-261-477/+611
| | | | | | | | | In preparation of adding another function to avoid code duplication. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Change OTPSyncRequest structure to use OctetStringNathaniel McCallum2014-06-253-23/+22
| | | | | | | | This change has two motivations: 1. Clients don't have to parse the string. 2. Future token types may have new formats. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Revert "Check for password expiration in pre-bind"Martin Kosek2014-06-101-29/+4
| | | | | | | | | | | | | | | This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6. Forceful validation of password expiration date in a BIND pre-callback breaks LDAP password change extended operation as the password change is only allowed via authenticated (bound) channel. Passwords could be only changed via kadmin protocol. This change would thus break LDAP-only clients and Web UI password change hook. This patch will need to be revisited so that unauthenicated corner cases are also revisited. https://fedorahosted.org/freeipa/ticket/1539
* Check for password expiration in pre-bindSimo Sorce2014-06-091-4/+29
| | | | | | | | If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipa-pwd-extop: Deny LDAP binds for accounts with expired principalsTomas Babej2014-05-051-1/+34
| | | | | | | | | | | | | Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-pwd-extop: Fix memory leak in ipapwd_pre_bindTomas Babej2014-04-081-0/+1
| | | | | | We need to free the entry before returning from the function. https://fedorahosted.org/freeipa/ticket/4295
* Teach ipa-pwd-extop to respect global ipaUserAuthType settingsNathaniel McCallum2014-02-217-406/+398
| | | | | | https://fedorahosted.org/freeipa/ticket/4105 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP sync support to ipa-pwd-extopNathaniel McCallum2014-02-219-970/+373
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-281-0/+1
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* Harmonize policy discovery to kdb driverSimo Sorce2014-01-161-89/+17
| | | | | | | | | | | The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085
* Remove CFLAGS duplication.Jan Cholasta2013-12-061-2/+1
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Remove generation and handling of LM hashesSumit Bose2013-11-014-63/+19
| | | | https://fedorahosted.org/freeipa/ticket/3795
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-301-8/+11
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Administrative password change does not respect password policyMartin Kosek2013-10-171-15/+29
| | | | | | | | | When Directory Manager or a PassSync agent is changing a password, it is not being expired, but standard expiration time should apply. However, default expiration time was always applied (90 days) even though administrator may have a custom policy for the user. https://fedorahosted.org/freeipa/ticket/3968
* Use the right attribute with ipapwd_entry_checks for MagicRegenSumit Bose2013-10-081-1/+2
| | | | | | | | | | | | | There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested.
* Ensure credentials structure is initializedNathaniel McCallum2013-10-021-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3953
* Fix -Wformat-security warningsKrzysztof Klimonda2013-09-161-4/+4
|
* pwd-plugin: Fix ignored return errorSimo Sorce2013-08-281-3/+8
| | | | | | | | | CoverityID: 11904 Also remove 'inline', the compiler can do it on its own if needed. Fixes: https://fedorahosted.org/freeipa/ticket/3882
* Add OTP support to ipa-pwd-extopNathaniel McCallum2013-05-179-25/+1362
| | | | | | | | | During LDAP bind, this now plugin determines if a user is enabled for OTP authentication. If so, then the OTP is validated in addition to the password. This allows 2FA during user binds. https://fedorahosted.org/freeipa/ticket/3367 http://freeipa.org/page/V3/OTP
* Remove unnecessary prefixes from ipa-pwd-extop filesNathaniel McCallum2013-05-175-6/+6
|
* ipa-pwd-extop: do not use dn until it is really setSumit Bose2013-04-021-20/+20
| | | | https://fedorahosted.org/freeipa/ticket/3539
* Remove build warningsMartin Kosek2013-03-291-1/+1
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Use new 389-ds-base cleartext password APIMartin Kosek2013-03-131-8/+12
| | | | | | | | | | The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
* ipa-pwd: Unchecked return value ipapwd_chpwop()Sumit Bose2013-02-281-1/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3427
* Password change in a transaction, ensure passwords are truly expiredRob Crittenden2012-12-073-4/+34
| | | | | | | | | | Wrap the password change extop in a transaction. Fix the case where a password is reset and then immediately used. If done fast enough then the KDC may not detect that the password is expired and grant access using the expired password rather than prompting for a reset. https://fedorahosted.org/freeipa/ticket/1064
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-214-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* Make encode_ntlm_keys() publicSumit Bose2012-09-062-196/+14
|
* Don't generate password history error if history is set to 0.Rob Crittenden2012-08-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2805
* Add special modify op to regen ipaNTHashSimo Sorce2012-07-301-3/+143
| | | | | | The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships.
* Improve loops around slapi modsSimo Sorce2012-07-301-68/+62
| | | | | Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute equvalence after a match (use if/else)
* Fix wrong check after allocation.Simo Sorce2012-07-071-1/+1
|
* Fix migration code password setting.Simo Sorce2012-05-171-0/+11
| | | | | | | | When we set a password we also need to make sure krbExtraData is set. If not kadmin will later complain that the object is corrupted at password change time. Ticket: https://fedorahosted.org/freeipa/ticket/2764
* Improve password change error messageMartin Kosek2012-02-032-3/+3
| | | | | | | | | | | User always receives the same error message if he changes his password via "ipa passwd" command and the new password fails configured password policy. He then has to investigate on his own the actual reason why was the policy violated. This patch improves our SLAPI PWD plugins to provide a better error message explaining the violation reason. https://fedorahosted.org/freeipa/ticket/2067
* Make pwd-extop aware of new ipaNTHash attributeSumit Bose2011-12-065-29/+89
|
* Fix CID 10745: Unchecked return valueSimo Sorce2011-11-071-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10743: Unchecked return valueSimo Sorce2011-11-071-2/+8
| | | | https://fedorahosted.org/freeipa/ticket/2036
* ipa-pwd-extop: allow password change on all connections with SSF>1Sumit Bose2011-10-051-13/+6
| | | | | | | Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments. https://fedorahosted.org/freeipa/ticket/1877
* ipa-pwd-extop: Enforce old password checksSimo Sorce2011-09-211-1/+64
| | | | | | | If a user is changing his own password, then require the old password to be sent for validation purposes. https://fedorahosted.org/freeipa/ticket/1814
* ipa-pwd-extop: Fix segfault in password change.Simo Sorce2011-09-211-0/+7
| | | | | Do not pass an empty buffer to ber_init() as it will assert. Check before hand and return an error.
* Fix typosYuri Chornoivan2011-09-075-6/+6
| | | | | | Fix "The the" and "classses" in FreeIPA code and messages. https://fedorahosted.org/freeipa/ticket/1480
* ipa-pwd-extop: Allow kadmin to set krb keysSimo Sorce2011-08-262-48/+100
| | | | | | | Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing a new set of keys. Only generate the userPassword and sambaXXPassword hashes. Also avoid checking policies in this case and if history is provided avoid regenerating the passwordHistory too.
* ipa-pwd-extop: Use common password policy codeSimo Sorce2011-08-264-448/+127
|
* ipa-pwd-extop: make encsalt parsing function commonSimo Sorce2011-08-261-91/+20
| | | | It is going to be used by the ipa-kdb module too.
* ipa-pwd-extop: Move encoding in common tooSimo Sorce2011-08-264-202/+50
| | | | Also to be used by ipa-kdb
* ipa-pwd-extop: Move encryption of keys in commonSimo Sorce2011-08-261-202/+9
| | | | This way we can reuse the same code from ipa-kdb later
* ipa-pwd-extop: Use common krb5 structs from kdb.hSimo Sorce2011-08-264-19/+14
| | | | This removes custom structures and allows easier sharing of code with ipa-kdb
* ipa-pwd-extop: re-indent code using old styleSimo Sorce2011-08-261-30/+30
|
generated by cgit (git 2.34.1) at 2025-08-28 22:49:37 +0000