freeipa.git/daemons/ipa-slapi-plugins/ipa-pwd-extop, branch mindatefix FreeIPA patches Simplify date manipulation in pwd plugin 2016-07-20T10:08:05+00:00 Simo Sorce simo@redhat.com 2016-07-19T11:43:50+00:00 fec7ed2d2d7d8352d1a6a9cf5607476c9fd5d65f Use a helper function to perform operations on dates in LDAP attributes. Related to #2795 Signed-off-by: Simo Sorce <simo@redhat.com> 
Use a helper function to perform operations on dates in LDAP attributes.

Related to #2795

Signed-off-by: Simo Sorce <simo@redhat.com>
Allow unexpiring passwords 2016-07-01T09:22:02+00:00 David Kupka dkupka@redhat.com 2016-06-30T06:52:33+00:00 d2cb9ed327ee4003598d5e45d80ab7918b89eeed Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
ipapwd_extop should use TARGET_DN defined by a pre-extop plugin 2016-06-24T12:51:15+00:00 Thierry Bordaz tbordaz@redhat.com 2016-06-10T13:34:40+00:00 1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry
would land into the proper real entry.

If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)

https://fedorahosted.org/freeipa/ticket/5946

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Migrate from #ifndef guards to #pragma once 2016-05-29T12:04:45+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-24T14:18:43+00:00 4bafba06f2b8cc51cd95a725e1c8adf7bbf9a5fc Using a pragma instead of guards is easier to write, less error prone and avoids name clashes (a source of very subtle bugs). This pragma is supported on almost all compilers, including all the compilers we care about: https://en.wikipedia.org/wiki/Pragma_once#Portability. This patch does not change the autogenerated files: asn1/asn1c/*.h. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Ensure that ipa-otpd bind auths validate an OTP 2016-05-26T16:47:05+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-12T19:10:47+00:00 168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0 Before this patch, if the user was configured for either OTP or password it was possible to do a 1FA authentication through ipa-otpd. Because this correctly respected the configuration, it is not a security error. However, once we begin to insert authentication indicators into the Kerberos tickets, we cannot allow 1FA authentications through this code path. Otherwise the ticket would contain a 2FA indicator when only 1FA was actually performed. To solve this problem, we have ipa-otpd send a critical control during the bind operation which informs the LDAP server that it *MUST* validate an OTP token for authentication to be successful. Next, we implement support for this control in the ipa-pwd-extop plugin. The end result is that the bind operation will always fail if the control is present and no OTP is validated. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
Rename syncreq.[ch] to otpctrl.[ch] 2016-05-26T16:47:05+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-12T18:57:29+00:00 cd9bc84240c99ed744e5ee44db18d925a5292ffd This gives us a place to handle all OTP related controls. Also, genericize otpctrl_present() so that the OID can be specified as an argument to the function call. These changes are preparatory for the subsequent patches. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com> 
This gives us a place to handle all OTP related controls. Also,
genericize otpctrl_present() so that the OID can be specified as an
argument to the function call.

These changes are preparatory for the subsequent patches.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
Improve keytab code to select the right principal. 2016-02-01T12:28:39+00:00 Simo Sorce simo@redhat.com 2015-12-02T20:20:42+00:00 e011b376a5d071492bf3adfae26e4d61e2face07 Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD compatibility), however since we added alias support we need to search for the krbCanonicalName in preference, hen nothing is specified, and for the requested principal name when a getkeytab operation is performed. This is so that the correct salt can be applied. (Windows AD uses some peculiar aliases for some special accounts to generate the salt). Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, hen nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use only AES enctypes by default 2016-01-13T14:24:53+00:00 Simo Sorce simo@redhat.com 2015-11-23T18:40:42+00:00 58ab032f1ae20454d4b9d760c7601fd8b44045f5 Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab 2015-07-07T23:56:52+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-06-05T15:31:32+00:00 a9570e8ea347c3e5cb4c1489e70828bd00077a22 When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
When retrieving keytab, it is useful to know what user was attempting
to fetch the keyts and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.

Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
User life cycle: new stageuser commands activate 2015-05-18T07:37:21+00:00 Thierry Bordaz tbordaz@redhat.com 2015-05-08T14:12:58+00:00 0ebcc5b9222efcd4b9814a2948f266abbf71fdfc Add plugin commands to stageuser plugin: stageuser_activate: activate entries created by IPA CLIs https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com> 
Add plugin commands to stageuser plugin:
stageuser_activate: activate entries created by IPA CLIs

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>