freeipa.git/daemons, branch ipa-2-2 FreeIPA patches Add support for disabling KDC writes 2012-06-07T02:11:41+00:00 Simo Sorce ssorce@redhat.com 2012-05-23T16:35:44+00:00 97e362681ff9c81d76b6b015467309f90e301bce Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734 
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
Check for locked-out user before incrementing lastfail. 2012-05-18T07:03:35+00:00 Rob Crittenden rcritten@redhat.com 2012-05-17T17:17:21+00:00 608d297cb9f19b80587514b7a7cfa3b686ecf3e7 If a user become locked due to too many failed logins and then were unlocked by an administrator, the account would not lock again. This was caused by two things: - We were incrementing the fail counter before checking to see if the account was already locked out. - The current fail count wasn't taken into consideration when deciding if the account is locked. The sequence was this: 1. Unlocked account, set failcount to 0 2. Failed login, increment failcount 3. Within lastfailed + lockout_duration, still locked. This skips update the last_failed date. So I reversed 2 and 3 and check to see if the fail count exceeds policy. https://fedorahosted.org/freeipa/ticket/2765 
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   update the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765
Fix migration code password setting. 2012-05-17T15:18:12+00:00 Simo Sorce ssorce@redhat.com 2012-05-17T14:33:43+00:00 f883b2547d887eac7976d0372f5b25d48a1b3a4d When we set a password we also need to make sure krbExtraData is set. If not kadmin will later complain that the object is corrupted at password change time. Ticket: https://fedorahosted.org/freeipa/ticket/2764 
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.

Ticket: https://fedorahosted.org/freeipa/ticket/2764
Fix failure count interval attribute name in query for password policy. 2012-03-29T04:52:33+00:00 Rob Crittenden rcritten@redhat.com 2012-03-29T21:40:11+00:00 27ae10df9fab03aef72dd79eb0e67b02021f8982 This was causing the failure count interval to not be applied so the failure count was never reset to 0. https://fedorahosted.org/freeipa/ticket/2540 
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.

https://fedorahosted.org/freeipa/ticket/2540
Fix memleak and silence Coverity defects 2012-03-22T16:33:24+00:00 Simo Sorce ssorce@redhat.com 2012-03-20T13:47:52+00:00 5ffa1c70acf22dab1fea5d89474d91ec7df25068 Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues. One meleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count before hand so we never actually use the wrong value that is computed on the last pass when p == 0 Fixes: https://fedorahosted.org/freeipa/ticket/2488 
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
Treat UPGs correctly in winsync replication 2012-03-15T08:57:47+00:00 Martin Kosek mkosek@redhat.com 2012-03-06T14:59:20+00:00 16918715dd4b964d5d861a3075b356918034e908 IPA winsync plugin failed to replicate users when default user group was non-posix even though User Private Groups (UPG) were enabled on the server. Both their uidNumber and gidNumber were empty and they missed essential object classes. When the default user group was made posix and UPG was disabled it did not set gidNumber to the default group gidNumber. This patch improves this behavior to set gidNumber correctly according to UPG configuration and the default group status (posix/non-posix). 4 situations can occur, the following list specifies what value is assigned to user gidNumber: 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber 2) Default group posix, UPG disabled: gidNumber = default group gidNumber 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber 4) Default group non-posix, UPG disabled: an error is printed to the dirsrv log as the gidNumber cannot be retrieved. User is replicated in the same way as before this patch, i.e. without essential object classes. https://fedorahosted.org/freeipa/ticket/2436 
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
    group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
    the dirsrv log as the gidNumber cannot be retrieved. User
    is replicated in the same way as before this patch, i.e.
    without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436
ipa-kdb: fix delegation acl check 2012-02-28T18:03:42+00:00 Simo Sorce ssorce@redhat.com 2012-02-28T15:47:18+00:00 fd54775b3e7dc0439dcc11a0cf6bbecb45eb19d4 We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent. 
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
policy: add function to check lockout policy 2012-02-20T01:43:58+00:00 Simo Sorce ssorce@redhat.com 2012-02-17T16:45:56+00:00 9fbe19adb43a758d91042289ea1c69114469e663 Fixes: https://fedorahosted.org/freeipa/ticket/2393 
Fixes: https://fedorahosted.org/freeipa/ticket/2393
ipa-kdb: Fix ACL evaluator 2012-02-20T09:54:56+00:00 Simo Sorce ssorce@redhat.com 2012-02-17T23:19:01+00:00 cb3e0ae755efefb094fe5f7985905372c4291686 Fixes: https://fedorahosted.org/freeipa/ticket/2343 
Fixes: https://fedorahosted.org/freeipa/ticket/2343
ipa-kdb: set krblastpwdchange only when keys have been effectively changed 2012-02-15T09:51:25+00:00 Simo Sorce ssorce@redhat.com 2012-02-14T03:43:15+00:00 c8cdb75e9bf72f9ef48eab2544c27d4303ef56c2