freeipa.git/daemons/ipa-kdb, branch mindatefix FreeIPA patches kdb: check for local realm in enterprise principals 2016-07-12T10:26:28+00:00 Sumit Bose sbose@redhat.com 2016-07-06T15:29:37+00:00 6d6da6b281173737bd31ba4845af11a097846c05 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Allow unexpiring passwords 2016-07-01T09:22:02+00:00 David Kupka dkupka@redhat.com 2016-06-30T06:52:33+00:00 d2cb9ed327ee4003598d5e45d80ab7918b89eeed Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
ipa-kdb: set krbCanonicalName when creating new principals 2016-06-23T07:48:06+00:00 Martin Babinsky mbabinsk@redhat.com 2015-09-08T15:36:47+00:00 7ed7a86511ec516c2f785968050f5d0a42978ba5 Additionally, stop setting ipakrbprincipalalias attribute during principal creation. Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
perform case-insensitive principal search when canonicalization is requested 2016-06-23T07:48:06+00:00 Martin Babinsky mbabinsk@redhat.com 2015-09-08T14:45:23+00:00 e43231456d8de954423582dbee439e330573d04b When canonicalization is requested, the krbprincipalname attribute is searched for case-insensitively. In the case that krbcanonicalname is not set, the matched alias is returned with the casing stored in backend, not the one input by client. Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
adtrust: support UPNs for trusted domain users 2016-06-11T15:25:50+00:00 Alexander Bokovoy abokovoy@redhat.com 2016-06-06T08:41:46+00:00 bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8 Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain object class. In order to look up UPN suffixes, netr_DsRGetForestTrustInformation LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. For more details on UPN and naming in Active Directory see https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx https://fedorahosted.org/freeipa/ticket/5354 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Migrate from #ifndef guards to #pragma once 2016-05-29T12:04:45+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-24T14:18:43+00:00 4bafba06f2b8cc51cd95a725e1c8adf7bbf9a5fc Using a pragma instead of guards is easier to write, less error prone and avoids name clashes (a source of very subtle bugs). This pragma is supported on almost all compilers, including all the compilers we care about: https://en.wikipedia.org/wiki/Pragma_once#Portability. This patch does not change the autogenerated files: asn1/asn1c/*.h. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Enable authentication indicators for OTP and RADIUS 2016-05-26T16:47:05+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-02-22T00:44:19+00:00 8f356a4305a9aa74aacae36806d6e8ed1b765245 If the user is configured for OTP or RADIUS authentication, insert the relevant authentication indicator. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com> 
If the user is configured for OTP or RADIUS authentication, insert the
relevant authentication indicator.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
Return password-only preauth if passwords are allowed 2016-05-26T16:47:05+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-02-22T00:43:52+00:00 204200d73bb135cb7b9b31b8f1ba5268d73094a5 Before this patch, if either password or password+otp were permitted, only the otp preauth mech would be returned to the client. Now, the client will receive either enc_ts or enc_chl in addition to otp. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
ipa_kdb: add krbPrincipalAuthInd handling 2016-05-02T17:15:45+00:00 Matt Rogers mrogers@redhat.com 2016-03-25T21:01:40+00:00 8a2afcafee977675fc289acab50cc808b469a2b3 Store and retrieve the authentication indicator "require_auth" string in the krbPrincipalAuthInd attribute. Skip storing auth indicators to krbExtraData. https://fedorahosted.org/freeipa/ticket/5782 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.

https://fedorahosted.org/freeipa/ticket/5782

Reviewed-By: Sumit Bose <sbose@redhat.com>
Allow to specify Kerberos authz data type per user 2016-03-09T18:00:43+00:00 Simo Sorce simo@redhat.com 2015-11-24T23:01:52+00:00 7a20fc671b07344b0ee8460bef07398cb3ffaf59 Like for services setting the ipaKrbAuthzData attribute on a user object will allow us to control exactly what authz data is allowed for that user. Setting NONE would allow no authz data, while setting MS-PAC would allow only Active Directory compatible data. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2579 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>