path: root/daemons
Commit message | Author | Age | Files | Lines
* ipa-kdb: set krblastpwdchange only when keys have been effectively changed | Simo Sorce | 2012-02-15 | 1 | -2/+4
* ipa-kdb: Avoid lookup on modify if possible | Simo Sorce | 2012-02-15 | 1 | -19/+27
    This avoids one useless search if we already have the entry_dn.
* ipa-kdb: add AS auditing support | Simo Sorce | 2012-02-14 | 7 | -91/+254
    Fixes: https://fedorahosted.org/freeipa/ticket/2334
* Improve password change error message | Martin Kosek | 2012-02-03 | 2 | -3/+3
    User always receives the same error message if he changes his password via "ipa passwd" command and the new password fails configured password policy. He then has to investigate on his own the actual reason why was the policy violated. This patch improves our SLAPI PWD plugins to provide a better error message explaining the violation reason.
    https://fedorahosted.org/freeipa/ticket/2067
* slapi-plugins: use thread-safe ldap library | Simo Sorce | 2012-01-13 | 1 | -1/+1
* Disable MS-PAC handling in 2.2 | Simo Sorce | 2012-01-12 | 4 | -14/+5
    This removes the dependency on samba4-libs
    https://fedorahosted.org/freeipa/ticket/2244
* ipa-kdb: Create PAC's KDC checksum with right key | Simo Sorce | 2012-01-11 | 1 | -2/+89
    Fixes: https://fedorahosted.org/freeipa/ticket/2170
* ipa-kdb: Verify the correct checksum in PAC validation | Simo Sorce | 2012-01-11 | 1 | -5/+45
    This patch requires a forthcoming change in MIT libraries which allows to pass NULL for the server_key to the krb5_pac_verify() function.
    In most cases we should always only check the KDC checksum to verify the PAC validity. The only exception is when we are releasing a ticket to a client from another realm. In this case the only signature we can check is the server checksum, and we use the cross-realm key to validate in this case.
    The previous code was working for normal cases because the kdc uses the same key to create the server and the kdc checksum for a TGT, but that is not true for evidence tickets (s4u2proxy) or cross-realm TGTs.
    Fixes: https://fedorahosted.org/freeipa/ticket/2169
* Remove ipa_get_random_salt() from ipapwd_encoding.c | Rob Crittenden | 2012-01-11 | 1 | -30/+0
    This appeared only in the 2.1 branch and is not needed
* Remove include for errno.h that was specific to 2.1 branch | Rob Crittenden | 2012-01-11 | 1 | -1/+0
    https://fedorahosted.org/freeipa/ticket/2038
* ipa-kdb: return properly when no PAC is available | Simo Sorce | 2012-01-11 | 1 | -10/+3
* ipa-kdb: Add delegation access control support | Simo Sorce | 2012-01-11 | 5 | -1/+342
* ipa-kdb: enhance deref searches | Simo Sorce | 2012-01-11 | 3 | -13/+39
    Allow to deref more than one attribute. The attrs searched are the same for all deref attributes at this time.
* ipa-kdb: Fix copy and paste typo | Simo Sorce | 2012-01-11 | 1 | -1/+1
* ipa-kdb: fix memleaks in ipa_kdb_mspac.c | Simo Sorce | 2012-01-11 | 1 | -7/+8
* ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles | Simo Sorce | 2012-01-11 | 1 | -2/+0
* ipa-kdb: fix free() of uninitialized var | Simo Sorce | 2012-01-11 | 1 | -0/+1
* ipa-kdb: Support re-signing PAC with different checksum | Simo Sorce | 2012-01-11 | 1 | -2/+52
    Fixes: https://fedorahosted.org/freeipa/ticket/2122
* MS-PAC: Add support for verifying PAC in TGS requests | Simo Sorce | 2012-01-11 | 1 | -7/+62
    Fake code for now, to be rebased later
* Add support for generating PAC for AS requests for user principals | Simo Sorce | 2012-01-11 | 7 | -1/+905
* Fix CID 11027: Wrong sizeof argument | Simo Sorce | 2012-01-11 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11026: Resource leak | Simo Sorce | 2012-01-11 | 1 | -1/+4
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11025: Resource leak | Simo Sorce | 2012-01-11 | 1 | -2/+2
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11024: Resource leak | Simo Sorce | 2012-01-11 | 1 | -0/+1
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11023: Resource leak | Simo Sorce | 2012-01-11 | 1 | -0/+1
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11022: Resource leak | Simo Sorce | 2012-01-11 | 1 | -0/+7
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11020: Resource leak | Simo Sorce | 2012-01-11 | 1 | -0/+1
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 11019: Resource leak | Simo Sorce | 2012-01-11 | 1 | -6/+7
    https://fedorahosted.org/freeipa/ticket/2037
* Fix CID 10745: Unchecked return value | Simo Sorce | 2012-01-11 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10743: Unchecked return value | Simo Sorce | 2012-01-11 | 1 | -2/+8
    https://fedorahosted.org/freeipa/ticket/2036
* Fix CID 10742: Unchecked return value | Simo Sorce | 2012-01-11 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/2036
* ipa-kdb: Fix memory leak | Simo Sorce | 2012-01-11 | 1 | -0/+1
* ipa-kdb: Fix legacy password hashes generation | Simo Sorce | 2012-01-11 | 2 | -3/+2
    We were not searching for objectclass so the test to see if a user had the posixAccount attribute was failing and the user was not marked as ipa_user. This in turn caused us to not synchronize legacy hashes by not trying to store the userPassword attribute.
    Fixes: https://fedorahosted.org/freeipa/ticket/1820
* ipa-kdb: Fix expiration time calculation | Simo Sorce | 2012-01-11 | 2 | -17/+18
    Expiration time should be enforced as per policy only for users and only when a password change occurs, in all other cases we should just let kadmin decide whether it is going to set a password expiration time or just leave it empty.
    In general service tickets have strong random passwords so they do not need a password policy or expiration at all.
    https://fedorahosted.org/freeipa/ticket/1839
* include <stdint.h> for uintptr_t | Marko Myllynen | 2012-01-11 | 1 | -0/+1
* ipa-kdb: Properly set password expiration time. | Simo Sorce | 2012-01-11 | 3 | -4/+74
    We do the policy check so we are the only one that can calculate the new pwd expiration time.
    Fixes: https://fedorahosted.org/freeipa/ticket/1793
* daemons: Remove ipa_kpasswd | Simo Sorce | 2012-01-11 | 6 | -1568/+0
    Now that we have our own database we can properly enforce stricter constraints on how the db can be changed. Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon.
* ipa-kdb: Be flexible | Simo Sorce | 2012-01-11 | 1 | -2/+2
    Although the proper values for booleans from LDAP should be only uppercase, 389ds does allow wrong cased values without complaining. And we still have some places where the wrong case is used. Avoid getting frustrating errors when reading these values out.
* ipa-pwd-extop: Allow kadmin to set krb keys | Simo Sorce | 2012-01-11 | 2 | -48/+100
    Prevent the ipa-pwd-extop plugin from re-generating keys when kadmin is storing a new set of keys. Only generate the userPassword and sambaXXPassword hashes. Also avoid checking policies in this case and if history is provided avoid regenerating the passwordHistory too.
* ipa-kdb: add password policy support | Simo Sorce | 2012-01-11 | 4 | -8/+347
    Use default policy for new principals created by kadmin
* ipa-pwd-extop: Use common password policy code | Simo Sorce | 2012-01-11 | 4 | -448/+127
* ipa-kdb: implement change_pwd function | Simo Sorce | 2012-01-11 | 5 | -11/+116
* ipa-kdb: implement function to retrieve password policies | Simo Sorce | 2012-01-11 | 4 | -43/+209
* ipa-kdb: Get/Store Master Key directly from LDAP | Simo Sorce | 2012-01-11 | 5 | -12/+264
* ipa-kdb: add functions to change principals | Simo Sorce | 2012-01-11 | 3 | -1/+804
* ipa-kdb: add function to iterate over principals | Simo Sorce | 2012-01-11 | 1 | -1/+41
* ipa-kdb: add functions to delete principals | Simo Sorce | 2012-01-11 | 1 | -1/+121
* ipa-kdb: add function to free principals | Simo Sorce | 2012-01-11 | 1 | -1/+16
* ipa-kdb: functions to get principal | Simo Sorce | 2012-01-11 | 4 | -35/+884
* ipa-kdb: add common utility ldap wrapper functions | Simo Sorce | 2012-01-11 | 3 | -0/+464