freeipa.git/daemons/ipa-kdb, branch ccachesess FreeIPA patches ipa-kdb: support KDB DAL version 6.1 2017-02-15T13:24:05+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-01-24T09:02:30+00:00 593ea7da9a732647052cb56c08ad367e40be3912 DAL version 6.0 removed support for a callback to free principal. This broke KDB drivers which had complex e_data structure within the principal structure. As result, FreeIPA KDB driver was leaking memory with DAL version 6.0 (krb5 1.15). DAL version 6.1 added a special callback for freeing e_data structure. See details at krb5/krb5#596 Restructure KDB driver code to provide this callback in case we are built against DAL version that supports it. For DAL version prior to 6.0 use this callback in the free_principal callback to tidy the code. Use explicit KDB version dependency in Fedora 26+ via BuildRequires. With new DAL version, freeipa package will fail to build and we'll have to add a support for new DAL version explicitly. https://fedorahosted.org/freeipa/ticket/6619 Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Clean / ignore make check artefact 2017-01-18T08:19:15+00:00 Christian Heimes cheimes@redhat.com 2017-01-09T10:23:32+00:00 d8343a96dd206c9f25cf032a50f3b48fb8166db1 In tree runs of make check leave some artifacts around. The patch adds them to make clean and .gitignore. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-kdb: search for password policies globally 2016-12-15T16:32:33+00:00 Alexander Bokovoy abokovoy@redhat.com 2016-12-15T14:30:00+00:00 73f33569c8893610e246b2f44a7aeaec872b37e6 With the CoS templates now used to create additional password policies per object type that are placed under the object subtrees, DAL driver needs to search for the policies in the whole tree. Individual policies referenced by the krbPwdPolicyReference attribute are always searched by their full DN and with the base scope. However, when KDC asks a DAL driver to return a password policy by name, we don't have any specific base to search. The original code did search by the realm subtree. Fixes https://fedorahosted.org/freeipa/ticket/6561 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16T08:12:07+00:00 Petr Spacek pspacek@redhat.com 2016-11-11T13:37:18+00:00 d5683726d290b71eb44ab3b3150381f062e74df1 Automake manual section 13 What Gets Cleaned says that make maintainer-clean should not remove files necessary for subsequent runs of ./configure. It practically means that all usage of MAINTAINERCLEANFILES were incorrect so I've removed them. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.

It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Support DAL version 5 and version 6 2016-11-10T12:25:51+00:00 Simo Sorce simo@redhat.com 2016-11-01T19:13:14+00:00 2775042787be4ea236c0b99dd75337414e24b89d https://fedorahosted.org/freeipa/ticket/6466 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6466

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Build: fix distribution of daemon/ipa-kdb files 2016-11-09T12:08:32+00:00 Petr Spacek pspacek@redhat.com 2016-11-02T16:39:41+00:00 125bf25577e58d11252cb41d34065d49f581e0ac https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Build: fix Makefile.am files to separate source and build directories 2016-11-09T12:08:32+00:00 Petr Spacek pspacek@redhat.com 2016-10-31T11:33:43+00:00 24feae47f26f40f757fbdd711399128d88c9b62c This is step forward working VPATH builds which cleanly separate sources and build artifacts. It makes the system cleaner and easier to understand. Python and web UI likely require more work to make VPATH builds working. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
This is step forward working VPATH builds which cleanly separate sources
and build artifacts. It makes the system cleaner and easier to
understand.

Python and web UI likely require more work to make VPATH builds working.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Build: transform util directory to libutil convenience library 2016-10-24T11:30:12+00:00 Petr Spacek pspacek@redhat.com 2016-10-11T13:41:46+00:00 b0cb6afa2308b9d96456f0355771ecbef0ca7263 This is autoconf way of doing things. It should allow us to enable subdir-objects automake option and stay compatible with future versions of automake. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c 2016-10-24T11:30:12+00:00 Petr Spacek pspacek@redhat.com 2016-10-12T15:15:16+00:00 41da8732051c193166fa69cd9bc1152d39ad8720 Fix include paths to prevent breakage when we move configure.ac from daemons to the top-level. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Fix include paths to prevent breakage when we move configure.ac from
daemons to the top-level.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-kdb: simplify trusted domain parent search 2016-08-22T12:03:00+00:00 Alexander Bokovoy abokovoy@redhat.com 2016-08-07T18:42:14+00:00 a14ebbea895a20f5a68052e32ba65c4fd7fdf670 In terms of cross-forest trust parent domain is the root domain of the forest because we only have trust established with the forest root. In FreeIPA LDAP store all sub-domains stored in cn=<forest root>, cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the forest root domain. This allows us to simplify logic of finding the parent domain. For complex hierachical forests with more than two levels of sub-domains, this will still be true because of the forest trust: as forest trust is established to the forest root domain, any communication to any sub-domain must traverse forest root domain's domain controller. Note that SSSD also generated incorrectly CA paths information for forests with non-hierarchical tree-roots. In such cases IPA KDC got confused and mistakenly assumed direct trust to the non-hierarchical tree-root instead of going through the forest root domain. See https://fedorahosted.org/sssd/ticket/3103 for details. Resolves: https://fedorahosted.org/freeipa/ticket/5738 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.

In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.

For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.

Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>