.git/daemons/ipa-kdb, branch master Unnamed repository; edit this file 'description' to name the repository. Add support to ipa-kdb for keyless principals 2014-02-19T09:15:36+00:00 Nathaniel McCallum nathaniel@themccallums.org 2013-11-12T15:52:51+00:00 b769d1c18678b5eede7505dec7938f6836070044 https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3779

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-kdb: validate that an OTP user has tokens 2014-02-14T15:03:24+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-02-06T15:56:46+00:00 fd55da9a27f76611b01c38c2741c13652d6a3e60 This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.

https://fedorahosted.org/freeipa/ticket/4154

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
BUILD: Fix portability of NSS in file ipa_pwd.c 2014-01-28T15:35:34+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-01-28T15:35:34+00:00 a4faa2f444f42644e6565675999d0db360716db0 Tested-by: Timo Aaltonen <tjaalton@ubuntu.com> 
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
Add krbticketPolicyAux objectclass if needed 2013-11-26T15:44:37+00:00 Simo Sorce simo@redhat.com 2013-11-26T15:41:31+00:00 a1165ffbb80446890e3757113c9682c8526ed666 When modifying ticket flags add the objectclass to the object if it is missing. https://fedorahosted.org/freeipa/ticket/3901 
When modifying ticket flags add the objectclass to the object if it is missing.

https://fedorahosted.org/freeipa/ticket/3901
ipa-kdb: Handle parent-child relationship for subdomains 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-10-03T10:30:44+00:00 d228b1bd70aeebb19fbf64ee64bbd662eda19fc4 When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service. 
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
KDC: implement transition check for trusted domains 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-28T19:49:57+00:00 749111e6c2dfbb288c864a6cd2f5ac228f30bec1 When client principal requests for a ticket for a server principal and we have to perform transition, check that all three belong to either our domain or the domains we trust through forest trusts. In case all three realms (client, transition, and server) match trusted domains and our domain, issue permission to transition from client realm to server realm. Part of https://fedorahosted.org/freeipa/ticket/3909 
When client principal requests for a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909
Add Delegation Info to MS-PAC 2013-09-13T16:03:53+00:00 Simo Sorce simo@redhat.com 2013-02-05T22:50:55+00:00 5157fd450fb33a7a3b68525a255d2976dbb0840a https://fedorahosted.org/freeipa/ticket/3442 
https://fedorahosted.org/freeipa/ticket/3442
kdb-princ: Fix memory leak 2013-08-28T10:42:56+00:00 Simo Sorce simo@redhat.com 2013-08-27T13:28:14+00:00 bea533c69a2b11e4a774144b8ee335e458333f7a If we do not store the keys in the entry we need to free the array before continuing or the data is leaked. CoverityID: 11910 Fixes: https://fedorahosted.org/freeipa/ticket/3884 
If we do not store the keys in the entry we need to free the array before
continuing or the data is leaked.

CoverityID: 11910

Fixes:
https://fedorahosted.org/freeipa/ticket/3884
kdb-mspac: Fix out of bounds memset 2013-08-28T10:42:56+00:00 Simo Sorce simo@redhat.com 2013-08-27T13:24:32+00:00 f96257397e8f1cb8a307e6ec0e48bd3570a16671 This memset was harmless as the following data is then set again, but an optimizing compiler might conceivably reorder instructions causing issues. CoverityID: 11909 Fixes: https://fedorahosted.org/freeipa/ticket/3883 
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.

CoverityID: 11909

Fixes:
https://fedorahosted.org/freeipa/ticket/3883
IPA KDB MS-PAC: remove unused variable 2013-07-23T13:25:26+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-23T13:07:52+00:00 4a5cbde4bbec552416c74a86a74bc38f3147941b