freeipa.git/daemons/ipa-slapi-plugins, branch mindatefix FreeIPA patches Simplify date manipulation in pwd plugin 2016-07-20T10:08:05+00:00 Simo Sorce simo@redhat.com 2016-07-19T11:43:50+00:00 fec7ed2d2d7d8352d1a6a9cf5607476c9fd5d65f Use a helper function to perform operations on dates in LDAP attributes. Related to #2795 Signed-off-by: Simo Sorce <simo@redhat.com> 
Use a helper function to perform operations on dates in LDAP attributes.

Related to #2795

Signed-off-by: Simo Sorce <simo@redhat.com>
Allow unexpiring passwords 2016-07-01T09:22:02+00:00 David Kupka dkupka@redhat.com 2016-06-30T06:52:33+00:00 d2cb9ed327ee4003598d5e45d80ab7918b89eeed Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
ipapwd_extop should use TARGET_DN defined by a pre-extop plugin 2016-06-24T12:51:15+00:00 Thierry Bordaz tbordaz@redhat.com 2016-06-10T13:34:40+00:00 1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry
would land into the proper real entry.

If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)

https://fedorahosted.org/freeipa/ticket/5946

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-enrollment: set krbCanonicalName attribute on enrolled host entry 2016-06-23T07:48:06+00:00 Martin Babinsky mbabinsk@redhat.com 2015-09-08T15:49:51+00:00 b169a72735fccb170adb5c84ec1bcc10a70e5494 Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Topology plugins sigsev/heap corruption when adding a managed host 2016-06-22T15:51:53+00:00 root root@vm-058-107.abc.idm.lab.eng.brq.redhat.com 2016-06-22T14:36:15+00:00 a76d4402a6bf68245801f6b65d0569c47aad88c6 A managed host may handle several ipaReplTopoManagedSuffix. Removing (from the topology) such host, loops over the replicated suffixes array to retrieve, in the hosts list, the host record and delete it. The problem is that a variable used to manage a hosts list is not reset when looking at the next suffix. That will messup the lists, keeping freed elements in the lists. The fix is to reset the variable inside the replicated suffix loop https://fedorahosted.org/freeipa/ticket/5977 Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com> 
A managed host may handle several ipaReplTopoManagedSuffix.
Removing (from the topology) such host, loops over the replicated
suffixes array to retrieve, in the hosts list, the host record and delete it.
The problem is that a variable used to manage a hosts list is not reset
when looking at the next suffix. That will messup the lists, keeping
freed elements in the lists.

The fix is to reset the variable inside the replicated suffix loop

https://fedorahosted.org/freeipa/ticket/5977

Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
v2 - avoid crash in topology plugin when host list contains host with no hostname 2016-06-13T14:25:03+00:00 Ludwig Krispenz lkrispen@redhat.com 2016-06-13T07:51:17+00:00 0b11b36bf215a351050280ab0b329ceda7a9dccf ticket #5928 prevent a crash when dereferncing a NULL hostnam, log an error to help debugging fix an incorrect order of statement when freeing a host list Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
ticket #5928

prevent a crash when dereferncing a NULL hostnam, log an error to help debugging
fix an incorrect order of statement when freeing a host list

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
adtrust: support UPNs for trusted domain users 2016-06-11T15:25:50+00:00 Alexander Bokovoy abokovoy@redhat.com 2016-06-06T08:41:46+00:00 bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8 Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain object class. In order to look up UPN suffixes, netr_DsRGetForestTrustInformation LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. For more details on UPN and naming in Active Directory see https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx https://fedorahosted.org/freeipa/ticket/5354 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
extdom: add certificate request 2016-06-09T12:28:47+00:00 Sumit Bose sbose@redhat.com 2016-04-26T11:22:40+00:00 aa734da49440c5d12c0f8d4566505adaeef254e8 Related to https://fedorahosted.org/freeipa/ticket/4955 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> 
Related to https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Migrate from #ifndef guards to #pragma once 2016-05-29T12:04:45+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-24T14:18:43+00:00 4bafba06f2b8cc51cd95a725e1c8adf7bbf9a5fc Using a pragma instead of guards is easier to write, less error prone and avoids name clashes (a source of very subtle bugs). This pragma is supported on almost all compilers, including all the compilers we care about: https://en.wikipedia.org/wiki/Pragma_once#Portability. This patch does not change the autogenerated files: asn1/asn1c/*.h. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Ensure that ipa-otpd bind auths validate an OTP 2016-05-26T16:47:05+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-12T19:10:47+00:00 168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0 Before this patch, if the user was configured for either OTP or password it was possible to do a 1FA authentication through ipa-otpd. Because this correctly respected the configuration, it is not a security error. However, once we begin to insert authentication indicators into the Kerberos tickets, we cannot allow 1FA authentications through this code path. Otherwise the ticket would contain a 2FA indicator when only 1FA was actually performed. To solve this problem, we have ipa-otpd send a critical control during the bind operation which informs the LDAP server that it *MUST* validate an OTP token for authentication to be successful. Next, we implement support for this control in the ipa-pwd-extop plugin. The end result is that the bind operation will always fail if the control is present and no OTP is validated. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>