freeipa.git/daemons, branch coverity FreeIPA patches Simplify date manipulation in pwd plugin 2016-07-25T09:08:55+00:00 Simo Sorce simo@redhat.com 2016-07-19T11:43:50+00:00 ab4fcb0fe25e313c93caae3b90f68b4010a9f2eb Use a helper function to perform operations on dates in LDAP attributes. Related to #2795 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: David Kupka <dkupka@redhat.com> 
Use a helper function to perform operations on dates in LDAP attributes.

Related to #2795

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: David Kupka <dkupka@redhat.com>
Heap corruption in ipapwd plugin 2016-07-19T11:17:37+00:00 Thierry Bordaz tbordaz@redhat.com 2016-07-18T13:00:02+00:00 b04f617803c430b13f8796e911f78bd65f6cf55f ipapwd_encrypt_encode_key allocates 'kset' on the heap but with num_keys and keys not being initialized. Then ipa_krb5_generate_key_data initializes them with the generated keys. If ipa_krb5_generate_key_data fails (here EINVAL meaning no principal->realm.data), num_keys and keys are left uninitialized. Upon failure, ipapwd_keyset_free is called to free 'kset' that contains random num_keys and keys. allocates kset with calloc so that kset->num_keys==0 and kset->keys==NULL https://fedorahosted.org/freeipa/ticket/6030 Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> 
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.

allocates kset with calloc so that kset->num_keys==0 and
kset->keys==NULL

https://fedorahosted.org/freeipa/ticket/6030

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
kdb: check for local realm in enterprise principals 2016-07-12T10:26:28+00:00 Sumit Bose sbose@redhat.com 2016-07-06T15:29:37+00:00 6d6da6b281173737bd31ba4845af11a097846c05 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Allow unexpiring passwords 2016-07-01T09:22:02+00:00 David Kupka dkupka@redhat.com 2016-06-30T06:52:33+00:00 d2cb9ed327ee4003598d5e45d80ab7918b89eeed Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Bump SSSD version in requires 2016-07-01T08:20:36+00:00 Martin Basti mbasti@redhat.com 2016-06-22T08:49:39+00:00 a635135ba3caa6359c38f305d7982925ef3de50b This is required by commit aa734da49440c5d12c0f8d4566505adaeef254e8 for function sss_nss_getnamebycert() https://fedorahosted.org/freeipa/ticket/4955 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This is required by commit aa734da49440c5d12c0f8d4566505adaeef254e8 for
function sss_nss_getnamebycert()

https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipapwd_extop should use TARGET_DN defined by a pre-extop plugin 2016-06-24T12:51:15+00:00 Thierry Bordaz tbordaz@redhat.com 2016-06-10T13:34:40+00:00 1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry
would land into the proper real entry.

If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)

https://fedorahosted.org/freeipa/ticket/5946

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-enrollment: set krbCanonicalName attribute on enrolled host entry 2016-06-23T07:48:06+00:00 Martin Babinsky mbabinsk@redhat.com 2015-09-08T15:49:51+00:00 b169a72735fccb170adb5c84ec1bcc10a70e5494 Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipa-kdb: set krbCanonicalName when creating new principals 2016-06-23T07:48:06+00:00 Martin Babinsky mbabinsk@redhat.com 2015-09-08T15:36:47+00:00 7ed7a86511ec516c2f785968050f5d0a42978ba5 Additionally, stop setting ipakrbprincipalalias attribute during principal creation. Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
perform case-insensitive principal search when canonicalization is requested 2016-06-23T07:48:06+00:00 Martin Babinsky mbabinsk@redhat.com 2015-09-08T14:45:23+00:00 e43231456d8de954423582dbee439e330573d04b When canonicalization is requested, the krbprincipalname attribute is searched for case-insensitively. In the case that krbcanonicalname is not set, the matched alias is returned with the casing stored in backend, not the one input by client. Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Topology plugins sigsev/heap corruption when adding a managed host 2016-06-22T15:51:53+00:00 root root@vm-058-107.abc.idm.lab.eng.brq.redhat.com 2016-06-22T14:36:15+00:00 a76d4402a6bf68245801f6b65d0569c47aad88c6 A managed host may handle several ipaReplTopoManagedSuffix. Removing (from the topology) such host, loops over the replicated suffixes array to retrieve, in the hosts list, the host record and delete it. The problem is that a variable used to manage a hosts list is not reset when looking at the next suffix. That will messup the lists, keeping freed elements in the lists. The fix is to reset the variable inside the replicated suffix loop https://fedorahosted.org/freeipa/ticket/5977 Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com> 
A managed host may handle several ipaReplTopoManagedSuffix.
Removing (from the topology) such host, loops over the replicated
suffixes array to retrieve, in the hosts list, the host record and delete it.
The problem is that a variable used to manage a hosts list is not reset
when looking at the next suffix. That will messup the lists, keeping
freed elements in the lists.

The fix is to reset the variable inside the replicated suffix loop

https://fedorahosted.org/freeipa/ticket/5977

Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>