freeipa.git/daemons/ipa-otpd, branch mindatefix FreeIPA patches Migrate from #ifndef guards to #pragma once 2016-05-29T12:04:45+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-24T14:18:43+00:00 4bafba06f2b8cc51cd95a725e1c8adf7bbf9a5fc Using a pragma instead of guards is easier to write, less error prone and avoids name clashes (a source of very subtle bugs). This pragma is supported on almost all compilers, including all the compilers we care about: https://en.wikipedia.org/wiki/Pragma_once#Portability. This patch does not change the autogenerated files: asn1/asn1c/*.h. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Ensure that ipa-otpd bind auths validate an OTP 2016-05-26T16:47:05+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-12T19:10:47+00:00 168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0 Before this patch, if the user was configured for either OTP or password it was possible to do a 1FA authentication through ipa-otpd. Because this correctly respected the configuration, it is not a security error. However, once we begin to insert authentication indicators into the Kerberos tickets, we cannot allow 1FA authentications through this code path. Otherwise the ticket would contain a 2FA indicator when only 1FA was actually performed. To solve this problem, we have ipa-otpd send a critical control during the bind operation which informs the LDAP server that it *MUST* validate an OTP token for authentication to be successful. Next, we implement support for this control in the ipa-pwd-extop plugin. The end result is that the bind operation will always fail if the control is present and no OTP is validated. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
Don't error when find_base() fails if a base is not required 2016-01-12T11:28:44+00:00 Nathaniel McCallum npmccallum@redhat.com 2015-12-14T15:12:26+00:00 563bddce6d0c3e31f4858edb25f1260af8cc3c44 We always have to call find_base() in order to force libldap to open the socket. However, if no base is actually required then there is no reason to error out if find_base() fails. This condition can arise when anonymous binds are disabled. Reviewed-By: Martin Basti <mbasti@redhat.com> 
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Use six.Stringio instead of StringIO.StringIO 2015-10-07T08:27:20+00:00 Petr Viktorin pviktori@redhat.com 2015-09-14T12:52:48+00:00 65e3b9edc66d7dfe885df143c16a59588af8192f The StringIO class was moved to the io module. (In Python 2, io.StringIO is available, but is Unicode-only.) Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Move ipa-otpd socket directory 2014-02-11T16:36:19+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-02-07T16:56:33+00:00 6c500ccf05103566ca888bc8d67187ab81621328 https://fedorahosted.org/freeipa/ticket/4167 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4167
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Use /usr/bin/python2 2014-01-03T08:46:05+00:00 Xiao-Long Chen chenxiaolong@cxl.epac.to 2013-11-27T13:53:57+00:00 5e96fbc22afa02f08f71513e7b59d3d5c6a1f9dc Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com 
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
Remove CFLAGS duplication. 2013-12-06T13:44:41+00:00 Jan Cholasta jcholast@redhat.com 2013-12-06T10:47:44+00:00 5e2f7b68f0cb8e7fd6ea4f3236e84f1a8d075a13 https://fedorahosted.org/freeipa/ticket/3896 
https://fedorahosted.org/freeipa/ticket/3896
Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file. 2013-12-06T13:44:40+00:00 Jan Cholasta jcholast@redhat.com 2013-12-04T17:39:44+00:00 75dadc1d8ffc3ac84c4b1988c266ef60de1a6cfe Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd. https://fedorahosted.org/freeipa/ticket/3896 
Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.

https://fedorahosted.org/freeipa/ticket/3896
Use hardening flags for ipa-optd. 2013-12-02T11:37:41+00:00 Jan Cholasta jcholast@redhat.com 2013-11-27T13:13:16+00:00 652c4e6ace7c4eae6ffb12093487c2d8180806f5 https://fedorahosted.org/freeipa/ticket/4010 
https://fedorahosted.org/freeipa/ticket/4010
Add the krb5/FreeIPA RADIUS companion daemon 2013-05-17T07:30:51+00:00 Nathaniel McCallum npmccallum@redhat.com 2013-04-11T18:03:25+00:00 203754691c28243dd3cf378e98390fc0a455b485 This daemon listens for RADIUS packets on a well known UNIX domain socket. When a packet is received, it queries LDAP to see if the user is configured for RADIUS authentication. If so, then the packet is forwarded to the 3rd party RADIUS server. Otherwise, a bind is attempted against the LDAP server. https://fedorahosted.org/freeipa/ticket/3366 http://freeipa.org/page/V3/OTP 
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP