freeipa.git/daemons, branch fix_ber_scanf FreeIPA patches extdom: use sss_nss_*_timeout calls 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-10T11:46:08+00:00 84b6c0f53b9ebdd4c01181898499bb6992aa9e8a Use nss calls with timeout in extdom plugin Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Use nss calls with timeout in extdom plugin

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: plugin doesn't use timeout in blocking call 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-10T11:32:45+00:00 5f898c3c614f4165f0eb15c3aad2157689fbbcfe Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout instead of sss_nss_getorigbyname Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: plugin doesn't allow @ in group name 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-03T14:33:54+00:00 e5f04258b5b3fb6c04c28ddd38ae251c822e80bc Old implementation handles username and group names with one common call. Character @ is used in the call to detect UPN. Group name can legaly contain this character and therefore the common approach doesn't work in such case. Also the original call is less efficient because it tries to resolv username allways then it fallback to group resolution. Here we implement two new separate calls for resolving users and groups. Fixes: https://bugzilla.redhat.com/1746951 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.

Group name can legaly contain this character and therefore the
common approach doesn't work in such case.

Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.

Here we implement two new separate calls for resolving users and
groups.

Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Implement user pre-authentication control with kdcpolicy plugin 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-08-05T21:49:28+00:00 15ff9c8fecdff5556e27b7c9eebd45d327044bc0 We created a Kerberos kdcpolicy plugin to enforce user pre-authentication policy for newly added pkinit and hardened policy. In the past version of freeIPA, password enforcement exists but was done by removing key data for a principal while parsing LDAP entry for it. This hack is also removed and is now also enforced by kdcpolicy plugin instead. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
We created a Kerberos kdcpolicy plugin to enforce user
pre-authentication policy for newly added pkinit and hardened policy.

In the past version of freeIPA, password enforcement exists but was done
by removing key data for a principal while parsing LDAP entry for it.
This hack is also removed and is now also enforced by kdcpolicy plugin
instead.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Add a skeleton kdcpolicy plugin 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2018-07-11T20:48:01+00:00 179c8f4009adc30b9b3c497855f15927016c84db Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Extend the list of supported pre-auth mechanisms in IPA server API 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:00:35+00:00 d0570404ef5a79dfc08d7959d21e9e4843973faf As new authentication indicators implemented, we also modified server API to support those new values. Also, "krbprincipalauthind" attribute is modified to use a pre-defined set of values instead of arbitrary strings. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Fix NULL pointer dereference in maybe_require_preauth() 2019-09-05T18:53:55+00:00 Robbie Harwood rharwood@redhat.com 2019-09-04T17:48:14+00:00 45b4f5377bf3921406271148e18a3b99acfee03b ipadb_get_global_config() is permitted to return NULL. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
ipadb_get_global_config() is permitted to return NULL.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Log INFO message when LDAP connection fails on startup 2019-09-05T18:53:55+00:00 Robbie Harwood rharwood@redhat.com 2019-08-02T19:55:20+00:00 9414b038e714043d87dc0646dd9af3933896a75a Since krb5_klog_syslog() always needs parameters from syslog.h, move the include into ipa_krb5.h. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Since krb5_klog_syslog() always needs parameters from syslog.h, move the
include into ipa_krb5.h.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-extdom-extop: test timed out getgrgid_r 2019-08-19T08:20:57+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-08-19T07:15:50+00:00 c78cb9404e4fad9a8f4f778cee59c1c2b9038a49 Simulate getgrgid_r() timeout when packing list of groups user is a member of in pack_ber_user(). Related: https://pagure.io/freeipa/issue/8044 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Simulate getgrgid_r() timeout when packing list of groups user is a
member of in pack_ber_user().

Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT 2019-08-19T08:20:57+00:00 Sumit Bose sbose@redhat.com 2019-06-14T09:13:54+00:00 9fe984fed7a7091bd1366be95fdfa2f56f777bb8 A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to remove the searched object from the cache. As a consequence LDAP_NO_SUCH_OBJECT should only be returned if the object really does not exists otherwise the data of existing objects might be removed form the cache of the clients causing unexpected behaviour like authentication errors. Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code. With this patch LDAP_NO_SUCH_OBJECT is only returned if the related lookup functions return ENOENT. Timeout related error code will lead to LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default error code. Fixes: https://pagure.io/freeipa/issue/8044 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>