| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
| |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.
Related to https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.
Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.
Resolves https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently the range check plugin will return a 'Range Check error'
message if a ldapmodify operation tries to change a non-existing object.
Since the range check plugin does not need to care about non-existing
objects we can just return 0 indicating that the range check plugin has
done its work.
Resolves https://fedorahosted.org/freeipa/ticket/4924
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:
- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c
Remove GPL v2.0 license files from LDIFs or template to keep
consistency.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch proposes a fix to the following defect found by covscan of FreeIPA
master code:
"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling
"slapi_search_internal_get_entry" without checking return value (as is done
elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign:
Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked:
Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example
3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked:
Example 3 (cont.): "search_result" has its value checked in "search_result !=
0". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign:
Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5:
Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn,
NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5
(cont.): "ret" has its value checked in "ret == 10".
"""
The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is related to the following defect reported by covscan of FreeIPA
master code:
"""
Error: DEADCODE (CWE-561): /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 1", taking false branch. Now the value of
"modtype" is equal to 1.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 4", taking false branch. Now the value of
"modtype" is equal to 4.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:941:
equality_cond: Jumping to case "1".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:957: equality_cond: Jumping to
case "4".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: intervals: When
switching on "modtype", the value of "modtype" must be in one of the following
intervals: {[1,1], [4,4]}.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: dead_error_condition: The
switch value "modtype" cannot reach the default case.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:1031: dead_error_begin:
Execution cannot reach this statement: "default:".
"""
The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is related to this defect reported by covscan in FreeIPA code:
"""
Error: MISSING_BREAK (CWE-484):
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The
case for value "2" is not terminated by a 'break' statement.
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above
case falls through to this one.
"""
Added a comment informing about intentional falltrough in this place, so that
future generations reading the code don't get confused.
The patch is the part of a series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the following defect reported by covscan:
"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c:119:
check_return: Calling "slapi_search_internal_get_entry" without checking
return value (as is done elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207:
example_assign: Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212:
example_checked: Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651:
example_assign: Example 3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653:
example_checked: Example 3 (cont.): "search_result" has its value checked in
"search_result != 0".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035:
example_assign: Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817:
example_assign: Example 5: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820:
example_checked: Example 5 (cont.): "ret" has its value checked in "ret ==
10".
"""
this patch is a part of a series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
socket address of the server and set the NtVer of the response accordingly.
The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
the same way as a mailslot ping, described in 6.3.5, where socket address of the
server is included only if _WITH_IP variant was requested in NtVer. If NtVer
only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
address should not be filled in.
Additionally, this means we should use special variant of
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
existence of the socket address in the response.
https://fedorahosted.org/freeipa/ticket/4827
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Also, ensure that the last token check only executes on DNs/entries that
are tokens. This resolves a large performance issue where a query was
being performed to load all the user's tokens on every del/mod operation.
https://fedorahosted.org/freeipa/ticket/4697
https://fedorahosted.org/freeipa/ticket/4719
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
| |
This enables plugins to share authentication configuration cache code.
Additionally, update the caching mechanism to be declarative and faster.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
| |
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Replaces manual encoding with automatically generated code.
Fixes:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.
Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
| |
Fixes a wrong sizeof argument and unchecked return values.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493
https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
| |
This prevents synchronization when an authentication collision occurs.
https://fedorahosted.org/freeipa/ticket/4493
Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the extdom plugin is basically used to translate SIDs of AD
users and groups to names and POSIX IDs.
With this patch a new version is added which will return the full member
list for groups and the full list of group memberships for a user.
Additionally the gecos field, the home directory and the login shell of a
user are returned and an optional list of key-value pairs which
currently will contain the SID of the requested object if available.
https://fedorahosted.org/freeipa/ticket/4031
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.
Further performance enhancement is desired, but is outside the
scope of this patch.
https://fedorahosted.org/freeipa/ticket/4410
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
| |
Wrong error message would be used for in case of
RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to
the default section.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A mixture of implicit and explicit tagging was being used and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treat sequences and explicit tagging.
The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow to the specified encoding.
Resolves: https://fedorahosted.org/freeipa/ticket/4404
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.
Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.
For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:
(targetattr="ipaProtectedOperation;read_keys") ...
... userattr=ipaAllowedToPerform;read_keys#USERDN)
This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
In preparation of adding another function to avoid code duplication.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
| |
|
|
|
|
|
|
| |
This change has two motivations:
1. Clients don't have to parse the string.
2. Future token types may have new formats.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6.
Forceful validation of password expiration date in a BIND pre-callback
breaks LDAP password change extended operation as the password change
is only allowed via authenticated (bound) channel. Passwords could be
only changed via kadmin protocol. This change would thus break
LDAP-only clients and Web UI password change hook.
This patch will need to be revisited so that unauthenicated corner
cases are also revisited.
https://fedorahosted.org/freeipa/ticket/1539
|
| |
|
|
|
|
|
|
| |
If the password is expired fail a password bind.
Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.
https://fedorahosted.org/freeipa/ticket/3305
Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
range_check_result_t enum
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describes each of the range_check results.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
When building the domain to forest root map, we need to take the case
of IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
struct
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The slapi_entry_attr_get_ulong which is used to get value of the RID base
attributes returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.
Otherwise this can cause false negative results of checks in the range_check
plugin.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ipa-range-check plugin used to determine the range type depending
on the value of the attributes such as RID or secondary RID base. This
approached caused variety of issues since the portfolio of ID range
types expanded.
The patch makes sure the following rules are implemented:
* No ID range pair can overlap on base ranges, with exception
of two ipa-ad-trust-posix ranges belonging to the same forest
* For any ID range pair of ranges belonging to the same domain:
* Both ID ranges must be of the same type
* For ranges of ipa-ad-trust type or ipa-local type:
* Primary RID ranges can not overlap
* For ranges of ipa-local type:
* Primary and secondary RID ranges can not overlap
* Secondary RID ranges cannot overlap
For the implementation part, the plugin was extended with a domain ID
to forest root domain ID mapping derivation capabilities.
https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
| |
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.
https://fedorahosted.org/freeipa/ticket/4276
|
