freeipa.git/daemons/ipa-kdb, branch ipa-2-2 FreeIPA patches Add support for disabling KDC writes 2012-06-07T02:11:41+00:00 Simo Sorce ssorce@redhat.com 2012-05-23T16:35:44+00:00 97e362681ff9c81d76b6b015467309f90e301bce Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734 
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
Check for locked-out user before incrementing lastfail. 2012-05-18T07:03:35+00:00 Rob Crittenden rcritten@redhat.com 2012-05-17T17:17:21+00:00 608d297cb9f19b80587514b7a7cfa3b686ecf3e7 If a user become locked due to too many failed logins and then were unlocked by an administrator, the account would not lock again. This was caused by two things: - We were incrementing the fail counter before checking to see if the account was already locked out. - The current fail count wasn't taken into consideration when deciding if the account is locked. The sequence was this: 1. Unlocked account, set failcount to 0 2. Failed login, increment failcount 3. Within lastfailed + lockout_duration, still locked. This skips update the last_failed date. So I reversed 2 and 3 and check to see if the fail count exceeds policy. https://fedorahosted.org/freeipa/ticket/2765 
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   update the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765
Fix failure count interval attribute name in query for password policy. 2012-03-29T04:52:33+00:00 Rob Crittenden rcritten@redhat.com 2012-03-29T21:40:11+00:00 27ae10df9fab03aef72dd79eb0e67b02021f8982 This was causing the failure count interval to not be applied so the failure count was never reset to 0. https://fedorahosted.org/freeipa/ticket/2540 
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.

https://fedorahosted.org/freeipa/ticket/2540
Fix memleak and silence Coverity defects 2012-03-22T16:33:24+00:00 Simo Sorce ssorce@redhat.com 2012-03-20T13:47:52+00:00 5ffa1c70acf22dab1fea5d89474d91ec7df25068 Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues. One meleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count before hand so we never actually use the wrong value that is computed on the last pass when p == 0 Fixes: https://fedorahosted.org/freeipa/ticket/2488 
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
ipa-kdb: fix delegation acl check 2012-02-28T18:03:42+00:00 Simo Sorce ssorce@redhat.com 2012-02-28T15:47:18+00:00 fd54775b3e7dc0439dcc11a0cf6bbecb45eb19d4 We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent. 
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
policy: add function to check lockout policy 2012-02-20T01:43:58+00:00 Simo Sorce ssorce@redhat.com 2012-02-17T16:45:56+00:00 9fbe19adb43a758d91042289ea1c69114469e663 Fixes: https://fedorahosted.org/freeipa/ticket/2393 
Fixes: https://fedorahosted.org/freeipa/ticket/2393
ipa-kdb: Fix ACL evaluator 2012-02-20T09:54:56+00:00 Simo Sorce ssorce@redhat.com 2012-02-17T23:19:01+00:00 cb3e0ae755efefb094fe5f7985905372c4291686 Fixes: https://fedorahosted.org/freeipa/ticket/2343 
Fixes: https://fedorahosted.org/freeipa/ticket/2343
ipa-kdb: set krblastpwdchange only when keys have been effectively changed 2012-02-15T09:51:25+00:00 Simo Sorce ssorce@redhat.com 2012-02-14T03:43:15+00:00 c8cdb75e9bf72f9ef48eab2544c27d4303ef56c2 






ipa-kdb: Avoid lookup on modify if possible
2012-02-15T09:51:08+00:00

Simo Sorce
ssorce@redhat.com

2012-02-14T03:21:17+00:00

ebba5d94f482b359b87ee200d0dc669ed83136c5

This avoids one useless search if we already have the entry_dn.





This avoids one useless search if we already have the entry_dn.







ipa-kdb: add AS auditing support
2012-02-14T23:04:22+00:00

Simo Sorce
ssorce@redhat.com

2012-02-13T17:15:07+00:00

5a087e65e24090ee35153ca183206b2d97748c3a

Fixes: https://fedorahosted.org/freeipa/ticket/2334





Fixes: https://fedorahosted.org/freeipa/ticket/2334