freeipa.git/daemons/ipa-slapi-plugins/ipa-pwd-extop, branch kdc-fixes FreeIPA patches ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab 2015-07-07T23:56:52+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-06-05T15:31:32+00:00 a9570e8ea347c3e5cb4c1489e70828bd00077a22 When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
When retrieving keytab, it is useful to know what user was attempting
to fetch the keyts and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.

Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
User life cycle: new stageuser commands activate 2015-05-18T07:37:21+00:00 Thierry Bordaz tbordaz@redhat.com 2015-05-08T14:12:58+00:00 0ebcc5b9222efcd4b9814a2948f266abbf71fdfc Add plugin commands to stageuser plugin: stageuser_activate: activate entries created by IPA CLIs https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com> 
Add plugin commands to stageuser plugin:
stageuser_activate: activate entries created by IPA CLIs

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
fix Makefile.am for daemons 2015-03-26T13:58:37+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-03-18T17:09:06+00:00 704c79d91d58f87b80afe6e9331e8060116b5ec0 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Sumit Bose <sbose@redhat.com> 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
ipa-pwd-extop: added an informational comment about intentional fallthrough 2015-01-30T10:02:16+00:00 Martin Babinsky mbabinsk@redhat.com 2015-01-28T15:27:19+00:00 b0611bc6c36ea258addb6a07a464f5867bc489a7 This patch is related to this defect reported by covscan in FreeIPA code: """ Error: MISSING_BREAK (CWE-484): /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The case for value "2" is not terminated by a 'break' statement. /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above case falls through to this one. """ Added a comment informing about intentional falltrough in this place, so that future generations reading the code don't get confused. The patch is the part of a series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This patch is related to this defect reported by covscan in FreeIPA code:

"""
Error: MISSING_BREAK (CWE-484):
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The
case for value "2" is not terminated by a 'break' statement.
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above
case falls through to this one.
"""

Added a comment informing about intentional falltrough in this place, so that
future generations reading the code don't get confused.

The patch is the part of a series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Make token auth and sync windows configurable 2014-12-05T12:42:19+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T19:41:42+00:00 9baa93da1cbf56c2a6f7e82e099bc3ff3f19e2e4 This introduces two new CLI commands: * otpconfig-show * otpconfig-mod https://fedorahosted.org/freeipa/ticket/4511 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

https://fedorahosted.org/freeipa/ticket/4511

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Move authentication configuration cache into libotp 2014-12-03T07:48:56+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T03:46:44+00:00 953c6846b7cb8d75253538ab92a1360fceee0c3c This enables plugins to share authentication configuration cache code. Additionally, update the caching mechanism to be declarative and faster. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
This enables plugins to share authentication configuration cache code.

Additionally, update the caching mechanism to be declarative and faster.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Preliminary refactoring of libotp files 2014-12-03T07:48:56+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T01:58:20+00:00 bdccb0c721283f17a48423ab562ab5515ecd7f8e There are no major changes in this commit other than changing filenames and symbols to have consistent namespaces. This prepares for larger changes to come in subsequent commits. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Use asn1c helpers to encode/decode the getkeytab control 2014-11-20T15:52:13+00:00 Simo Sorce simo@redhat.com 2014-11-17T20:19:57+00:00 b1a30bff04fe9763b8b270590ec37084fd19b4e0 Replaces manual encoding with automatically generated code. Fixes: https://fedorahosted.org/freeipa/ticket/4718 https://fedorahosted.org/freeipa/ticket/4728 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
Replaces manual encoding with automatically generated code.

Fixes:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Fix filtering of enctypes in server code. 2014-11-20T15:52:13+00:00 Simo Sorce simo@redhat.com 2014-11-18T02:05:56+00:00 b170851058d6712442d553ef3d11ecd21b282443 The filtering was incorrect and would result in always discarding all values. Also make sure there are no duplicates in the list. Partial fix for: https://fedorahosted.org/freeipa/ticket/4718 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.

Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Ensure that a password exists after OTP validation 2014-11-06T09:56:19+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-05T18:50:41+00:00 79df668b5df59813ffbb6192eecfb687bccbc0eb Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords. This patch resolves CVE-2014-7828. https://fedorahosted.org/freeipa/ticket/4690 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>