summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-slapi-plugins/ipa-pwd-extop
Commit message (Collapse)AuthorAgeFilesLines
* Allow unexpiring passwordsDavid Kupka2016-07-012-10/+16
| | | | | | | | | | Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* ipapwd_extop should use TARGET_DN defined by a pre-extop pluginThierry Bordaz2016-06-241-8/+28
| | | | | | | | | | | | | | ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Migrate from #ifndef guards to #pragma onceNathaniel McCallum2016-05-291-5/+1
| | | | | | | | | | | | Using a pragma instead of guards is easier to write, less error prone and avoids name clashes (a source of very subtle bugs). This pragma is supported on almost all compilers, including all the compilers we care about: https://en.wikipedia.org/wiki/Pragma_once#Portability. This patch does not change the autogenerated files: asn1/asn1c/*.h. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Ensure that ipa-otpd bind auths validate an OTPNathaniel McCallum2016-05-262-5/+11
| | | | | | | | | | | | | | | | | | | | | | Before this patch, if the user was configured for either OTP or password it was possible to do a 1FA authentication through ipa-otpd. Because this correctly respected the configuration, it is not a security error. However, once we begin to insert authentication indicators into the Kerberos tickets, we cannot allow 1FA authentications through this code path. Otherwise the ticket would contain a 2FA indicator when only 1FA was actually performed. To solve this problem, we have ipa-otpd send a critical control during the bind operation which informs the LDAP server that it *MUST* validate an OTP token for authentication to be successful. Next, we implement support for this control in the ipa-pwd-extop plugin. The end result is that the bind operation will always fail if the control is present and no OTP is validated. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com>
* Rename syncreq.[ch] to otpctrl.[ch]Nathaniel McCallum2016-05-264-13/+13
| | | | | | | | | | | | This gives us a place to handle all OTP related controls. Also, genericize otpctrl_present() so that the OID can be specified as an argument to the function call. These changes are preparatory for the subsequent patches. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com>
* Improve keytab code to select the right principal.Simo Sorce2016-02-014-9/+20
| | | | | | | | | | | | Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD compatibility), however since we added alias support we need to search for the krbCanonicalName in preference, hen nothing is specified, and for the requested principal name when a getkeytab operation is performed. This is so that the correct salt can be applied. (Windows AD uses some peculiar aliases for some special accounts to generate the salt). Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Use only AES enctypes by defaultSimo Sorce2016-01-131-11/+3
| | | | | | | | | | | | Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-pwd-extop: expand error message to tell what user is not allowed to ↵Alexander Bokovoy2015-07-081-2/+2
| | | | | | | | | | | | | fetch keytab When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* User life cycle: new stageuser commands activateThierry Bordaz2015-05-181-0/+48
| | | | | | | | | Add plugin commands to stageuser plugin: stageuser_activate: activate entries created by IPA CLIs https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* fix Makefile.am for daemonsAlexander Bokovoy2015-03-261-1/+0
| | | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Sumit Bose <sbose@redhat.com>
* ipa-pwd-extop: added an informational comment about intentional fallthroughMartin Babinsky2015-01-301-0/+2
| | | | | | | | | | | | | | | | | | | | This patch is related to this defect reported by covscan in FreeIPA code: """ Error: MISSING_BREAK (CWE-484): /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The case for value "2" is not terminated by a 'break' statement. /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above case falls through to this one. """ Added a comment informing about intentional falltrough in this place, so that future generations reading the code don't get confused. The patch is the part of a series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Make token auth and sync windows configurableNathaniel McCallum2014-12-052-55/+26
| | | | | | | | | | | This introduces two new CLI commands: * otpconfig-show * otpconfig-mod https://fedorahosted.org/freeipa/ticket/4511 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Move authentication configuration cache into libotpNathaniel McCallum2014-12-037-413/+29
| | | | | | | | This enables plugins to share authentication configuration cache code. Additionally, update the caching mechanism to be declarative and faster. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Preliminary refactoring of libotp filesNathaniel McCallum2014-12-034-14/+12
| | | | | | | | There are no major changes in this commit other than changing filenames and symbols to have consistent namespaces. This prepares for larger changes to come in subsequent commits. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Use asn1c helpers to encode/decode the getkeytab controlSimo Sorce2014-11-202-197/+51
| | | | | | | | | | | Replaces manual encoding with automatically generated code. Fixes: https://fedorahosted.org/freeipa/ticket/4718 https://fedorahosted.org/freeipa/ticket/4728 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fix filtering of enctypes in server code.Simo Sorce2014-11-201-17/+43
| | | | | | | | | | | The filtering was incorrect and would result in always discarding all values. Also make sure there are no duplicates in the list. Partial fix for: https://fedorahosted.org/freeipa/ticket/4718 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Ensure that a password exists after OTP validationNathaniel McCallum2014-11-061-12/+14
| | | | | | | | | | | | | | Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords. This patch resolves CVE-2014-7828. https://fedorahosted.org/freeipa/ticket/4690 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leak in ipa-pwd-extopJan Cholasta2014-11-052-3/+2
| | | | | | | | | Also remove dead code and explicitly mark an ignored return value to prevent false positives in static code analysis. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix getkeytab code to always use implicit tagging.Simo Sorce2014-06-271-5/+5
| | | | | | | | | | | | | | A mixture of implicit and explicit tagging was being used and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treat sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow to the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* keytab: Add new extended operation to get a keytab.Simo Sorce2014-06-261-0/+571
| | | | | | | | | | | | | | | | | | | | | | | | | | | This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Expose and modify key encoding functionSimo Sorce2014-06-262-7/+19
| | | | | | | | | | | Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* keytabs: Modularize setkeytab operationSimo Sorce2014-06-261-477/+611
| | | | | | | | | In preparation of adding another function to avoid code duplication. Related: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Change OTPSyncRequest structure to use OctetStringNathaniel McCallum2014-06-253-23/+22
| | | | | | | | This change has two motivations: 1. Clients don't have to parse the string. 2. Future token types may have new formats. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Revert "Check for password expiration in pre-bind"Martin Kosek2014-06-101-29/+4
| | | | | | | | | | | | | | | This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6. Forceful validation of password expiration date in a BIND pre-callback breaks LDAP password change extended operation as the password change is only allowed via authenticated (bound) channel. Passwords could be only changed via kadmin protocol. This change would thus break LDAP-only clients and Web UI password change hook. This patch will need to be revisited so that unauthenicated corner cases are also revisited. https://fedorahosted.org/freeipa/ticket/1539
* Check for password expiration in pre-bindSimo Sorce2014-06-091-4/+29
| | | | | | | | If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipa-pwd-extop: Deny LDAP binds for accounts with expired principalsTomas Babej2014-05-051-1/+34
| | | | | | | | | | | | | Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-pwd-extop: Fix memory leak in ipapwd_pre_bindTomas Babej2014-04-081-0/+1
| | | | | | We need to free the entry before returning from the function. https://fedorahosted.org/freeipa/ticket/4295
* Teach ipa-pwd-extop to respect global ipaUserAuthType settingsNathaniel McCallum2014-02-217-406/+398
| | | | | | https://fedorahosted.org/freeipa/ticket/4105 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP sync support to ipa-pwd-extopNathaniel McCallum2014-02-219-970/+373
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-281-0/+1
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* Harmonize policy discovery to kdb driverSimo Sorce2014-01-161-89/+17
| | | | | | | | | | | The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085
* Remove CFLAGS duplication.Jan Cholasta2013-12-061-2/+1
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Remove generation and handling of LM hashesSumit Bose2013-11-014-63/+19
| | | | https://fedorahosted.org/freeipa/ticket/3795
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-301-8/+11
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Administrative password change does not respect password policyMartin Kosek2013-10-171-15/+29
| | | | | | | | | When Directory Manager or a PassSync agent is changing a password, it is not being expired, but standard expiration time should apply. However, default expiration time was always applied (90 days) even though administrator may have a custom policy for the user. https://fedorahosted.org/freeipa/ticket/3968
* Use the right attribute with ipapwd_entry_checks for MagicRegenSumit Bose2013-10-081-1/+2
| | | | | | | | | | | | | There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested.
* Ensure credentials structure is initializedNathaniel McCallum2013-10-021-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3953
* Fix -Wformat-security warningsKrzysztof Klimonda2013-09-161-4/+4
|
* pwd-plugin: Fix ignored return errorSimo Sorce2013-08-281-3/+8
| | | | | | | | | CoverityID: 11904 Also remove 'inline', the compiler can do it on its own if needed. Fixes: https://fedorahosted.org/freeipa/ticket/3882
* Add OTP support to ipa-pwd-extopNathaniel McCallum2013-05-179-25/+1362
| | | | | | | | | During LDAP bind, this now plugin determines if a user is enabled for OTP authentication. If so, then the OTP is validated in addition to the password. This allows 2FA during user binds. https://fedorahosted.org/freeipa/ticket/3367 http://freeipa.org/page/V3/OTP
* Remove unnecessary prefixes from ipa-pwd-extop filesNathaniel McCallum2013-05-175-6/+6
|
* ipa-pwd-extop: do not use dn until it is really setSumit Bose2013-04-021-20/+20
| | | | https://fedorahosted.org/freeipa/ticket/3539
* Remove build warningsMartin Kosek2013-03-291-1/+1
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Use new 389-ds-base cleartext password APIMartin Kosek2013-03-131-8/+12
| | | | | | | | | | The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
* ipa-pwd: Unchecked return value ipapwd_chpwop()Sumit Bose2013-02-281-1/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3427
* Password change in a transaction, ensure passwords are truly expiredRob Crittenden2012-12-073-4/+34
| | | | | | | | | | Wrap the password change extop in a transaction. Fix the case where a password is reset and then immediately used. If done fast enough then the KDC may not detect that the password is expired and grant access using the expired password rather than prompting for a reset. https://fedorahosted.org/freeipa/ticket/1064
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-214-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* Make encode_ntlm_keys() publicSumit Bose2012-09-062-196/+14
|
* Don't generate password history error if history is set to 0.Rob Crittenden2012-08-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2805
* Add special modify op to regen ipaNTHashSimo Sorce2012-07-301-3/+143
| | | | | | The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships.
generated by cgit (git 2.34.1) at 2025-09-02 20:17:11 +0000