freeipa.git/daemons/ipa-slapi-plugins/ipa-pwd-extop, branch getkeytab FreeIPA patches keytab: Add new extended operation to get a keytab. 2014-06-09T18:49:42+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:30:14+00:00 aa785cf1ce101382c2adbc4a3c70361d1e7a27e0 This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 
This new extended operation allow to create new keys or retrieve
existing ones.
The new set of keys is returned as a ASN.1 structure similar to the one
that is passed in by the 'set keytab' extended operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute
named ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859
keytabs: Expose and modify key encoding function 2014-06-09T18:35:00+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:28:32+00:00 f440e927d8a66a3dd2e6505825e671052f66ae3e Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 
Make it available outside of the encoding.c file for use in a follow-up
patch.
Add option to not pass a password and generate a random key instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859
keytabs: Modularize setkeytab operation 2014-06-09T18:34:58+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:25:14+00:00 7589c3144c7680ce0761c969a21869098d367dbd In preparation of adding another function to avoid code duplication. Related: https://fedorahosted.org/freeipa/ticket/3859 
In preparation of adding another function to avoid code duplication.

Related:
https://fedorahosted.org/freeipa/ticket/3859
Check for password expiration in pre-bind 2014-06-09T06:18:16+00:00 Simo Sorce simo@redhat.com 2013-05-09T18:25:14+00:00 bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6 If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
If the password is expired fail a password bind.

Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
ipa-pwd-extop: Deny LDAP binds for accounts with expired principals 2014-05-05T15:50:01+00:00 Tomas Babej tbabej@redhat.com 2014-04-01T10:41:16+00:00 5d78cdf80951748f5f954a69c41a2a2cb1b84812 Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.

https://fedorahosted.org/freeipa/ticket/3305

Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-pwd-extop: Fix memory leak in ipapwd_pre_bind 2014-04-08T12:23:18+00:00 Tomas Babej tbabej@redhat.com 2014-04-01T10:48:57+00:00 5a0d52b9393a2a4f154aca617855cba3f83e989b We need to free the entry before returning from the function. https://fedorahosted.org/freeipa/ticket/4295 
We need to free the entry before returning from the function.

https://fedorahosted.org/freeipa/ticket/4295
Teach ipa-pwd-extop to respect global ipaUserAuthType settings 2014-02-21T09:26:02+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-01-31T20:16:35+00:00 9f62d0c15795ca9fca0c64a8b4bd1b09540b47f1 https://fedorahosted.org/freeipa/ticket/4105 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4105

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add OTP sync support to ipa-pwd-extop 2014-02-21T09:26:02+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-01-28T22:09:58+00:00 a51b07c27566ecf059cca96551028d8cbe5078d3 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
BUILD: Fix portability of NSS in file ipa_pwd.c 2014-01-28T15:35:34+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-01-28T15:35:34+00:00 a4faa2f444f42644e6565675999d0db360716db0 Tested-by: Timo Aaltonen <tjaalton@ubuntu.com> 
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
Harmonize policy discovery to kdb driver 2014-01-16T08:00:35+00:00 Simo Sorce simo@redhat.com 2014-01-14T15:09:37+00:00 d0ed25c8cbff54528133f6b78133ee8307b3faff The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085 
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.

Fixes: https://fedorahosted.org/freeipa/ticket/4085