freeipa.git/daemons/ipa-kdb, branch cakeysfix FreeIPA patches Fix s4u2self with adtrust 2017-04-12T07:46:43+00:00 Simo Sorce simo@redhat.com 2017-04-10T19:32:54+00:00 e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9 When ADtrust is installed we add a PAC to all tickets, during protocol transition we need to generate a new PAC for the requested user ticket, not check the existing PAC on the requestor ticket. https://pagure.io/freeipa/issue/6862 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.

https://pagure.io/freeipa/issue/6862

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA-KDB: use relative path in ipa-certmap config snippet 2017-04-05T07:30:41+00:00 Sumit Bose sbose@redhat.com 2017-03-29T13:46:50+00:00 6c2772dde52c84024d32533b29e6cbd04c69924a Architecture specific paths should be avoided in the global Kerberos configuration because it is read e.g. by 32bit and 64bit libraries they are installed in parallel. Resolves https://pagure.io/freeipa/issue/6833 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Architecture specific paths should be avoided in the global Kerberos
configuration because it is read e.g. by 32bit and 64bit libraries they
are installed in parallel.

Resolves https://pagure.io/freeipa/issue/6833

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-kdb: do not depend on certauth_plugin.h 2017-03-27T15:57:28+00:00 Sumit Bose sbose@redhat.com 2017-03-27T11:19:57+00:00 0ba0c0781367d8e2d4affca29e3cf5ab93c4c33a Related to https://pagure.io/freeipa/issue/4905 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Christian Heimes <cheimes@redhat.com>
IPA certauth plugin 2017-03-27T07:52:57+00:00 Sumit Bose sbose@redhat.com 2017-02-02T11:32:13+00:00 c4156041feb9c48598427ad59e43313b9c7327bb This patch add a certauth plugin which allows the IPA server to support PKINIT for certificates which do not include a special SAN extension which contains a Kerberos principal but allow other mappings with the help of SSSD's certmap library. Related to https://pagure.io/freeipa/issue/4905 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension
which contains a Kerberos principal but allow other mappings with the
help of SSSD's certmap library.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa-kdb: add ipadb_fetch_principals_with_extra_filter() 2017-03-27T07:52:57+00:00 Sumit Bose sbose@redhat.com 2017-02-15T11:09:20+00:00 da880decfedc66f9d0d2734dcb86c23a8866f603 Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Add support for searching policies in cn=accounts 2017-03-10T08:17:28+00:00 Simo Sorce simo@redhat.com 2016-12-16T12:13:58+00:00 2e5cc369fd8b9d780697a9a286429cc2ca0f448a Use the new multibase search to collect policies from multiple subtrees. The 'any' parameter is set to 'true' so the search stop when the first result is found in any of the bases. https://fedorahosted.org/freeipa/ticket/6568 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Use the new multibase search to collect policies from multiple subtrees.
The 'any' parameter is set to 'true' so the search stop when the first result
is found in any of the bases.

https://fedorahosted.org/freeipa/ticket/6568

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add code to retrieve results from multiple bases 2017-03-10T08:17:28+00:00 Simo Sorce simo@redhat.com 2016-12-16T12:12:45+00:00 9f13b330aaec468a018472dce5fc77131277de94 Internally performs multiple seraches as needed based on the basedn strings passed in and whether the caller indicated that any result is ok or all results are needed. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Internally performs multiple seraches as needed based on the basedn
strings passed in and whether the caller indicated that any result is ok
or all results are needed.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-kdb: support KDB DAL version 6.1 2017-02-15T13:24:05+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-01-24T09:02:30+00:00 593ea7da9a732647052cb56c08ad367e40be3912 DAL version 6.0 removed support for a callback to free principal. This broke KDB drivers which had complex e_data structure within the principal structure. As result, FreeIPA KDB driver was leaking memory with DAL version 6.0 (krb5 1.15). DAL version 6.1 added a special callback for freeing e_data structure. See details at krb5/krb5#596 Restructure KDB driver code to provide this callback in case we are built against DAL version that supports it. For DAL version prior to 6.0 use this callback in the free_principal callback to tidy the code. Use explicit KDB version dependency in Fedora 26+ via BuildRequires. With new DAL version, freeipa package will fail to build and we'll have to add a support for new DAL version explicitly. https://fedorahosted.org/freeipa/ticket/6619 Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Clean / ignore make check artefact 2017-01-18T08:19:15+00:00 Christian Heimes cheimes@redhat.com 2017-01-09T10:23:32+00:00 d8343a96dd206c9f25cf032a50f3b48fb8166db1 In tree runs of make check leave some artifacts around. The patch adds them to make clean and .gitignore. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-kdb: search for password policies globally 2016-12-15T16:32:33+00:00 Alexander Bokovoy abokovoy@redhat.com 2016-12-15T14:30:00+00:00 73f33569c8893610e246b2f44a7aeaec872b37e6 With the CoS templates now used to create additional password policies per object type that are placed under the object subtrees, DAL driver needs to search for the policies in the whole tree. Individual policies referenced by the krbPwdPolicyReference attribute are always searched by their full DN and with the base scope. However, when KDC asks a DAL driver to return a password policy by name, we don't have any specific base to search. The original code did search by the realm subtree. Fixes https://fedorahosted.org/freeipa/ticket/6561 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>