freeipa.git/daemons, branch my-master FreeIPA patches CLDAP: Return empty reply on non-fatal errors 2013-05-23T19:08:52+00:00 Simo Sorce simo@redhat.com 2013-05-23T14:06:22+00:00 fd1fb069a36e2810dc45751ab452d7c5406f3e6c Windows DCs return an empty reply when a legal request cannot satisfied. If we get EINVAL or ENOENT it means the information requested could not be found or input parameters were bogus. Always return an empty reply in these cases. On any other internal error just return, the request may have been legit but we can't really handle it right now, pretend we never saw it and hope the next attempt will succeed. Fixes: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com> 
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.

On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.

Fixes: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <simo@redhat.com>
CLDAP: Fix domain handling in netlogon requests 2013-05-23T16:55:27+00:00 Simo Sorce simo@redhat.com 2013-05-23T14:04:11+00:00 47256da0944c1c346cbae9b8c7c8a13cb210844d 1. Stop using getdomainname() as it is often not properly initialized 2. The code using getdomainname() was not working anyway it was trying to look at the function call output in hostname which is always empty at that point. 3. Always check the requested domain matches our own, we cannot reply to anything else anyway. Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com> 
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.

Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <simo@redhat.com>
WIP: Check for account/pw expiration in pre-bind 2013-05-23T16:55:27+00:00 Simo Sorce simo@redhat.com 2013-05-09T18:25:14+00:00 6b4066ff5c7472aecaffd158615e549e1e9fc419 Insure user accounts are valid and the password is not expired before allowing a password bind. TODO: handle returning a control with more detailed information about failures (only if explicitly requested by client) 
Insure user accounts are valid and the password is not expired
before allowing a password bind.

TODO: handle returning a control with more detailed information about
failures (only if explicitly requested by client)
Add Delegation Info to MS-PAC 2013-05-23T16:55:27+00:00 Simo Sorce simo@redhat.com 2013-02-05T22:50:55+00:00 c931c97558352a4bc35e4bac5de1f63a71ce73dd 






NO-PUSH: TODO and 2.0->3.0 upgrade notes
2013-05-23T16:55:27+00:00

Simo Sorce
ssorce@redhat.com

2011-06-08T22:36:34+00:00

915a49093b9578e96fe5ae30d0f7f9cd1b869db4












NO-PUSH: silence libtool a bit
2013-05-23T16:55:27+00:00

Simo Sorce
ssorce@redhat.com

2011-06-14T20:04:59+00:00

c8516db09601fdd9e77727c4dd6ca017feb7272e












Add OTP support to ipa-pwd-extop
2013-05-17T07:30:51+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-04-16T20:00:09+00:00

5b58348cd316dd817672cb81358ed557c28e09d3

During LDAP bind, this now plugin determines if a user is enabled
for OTP authentication. If so, then the OTP is validated in addition
to the password. This allows 2FA during user binds.

    https://fedorahosted.org/freeipa/ticket/3367
    http://freeipa.org/page/V3/OTP





During LDAP bind, this now plugin determines if a user is enabled
for OTP authentication. If so, then the OTP is validated in addition
to the password. This allows 2FA during user binds.

    https://fedorahosted.org/freeipa/ticket/3367
    http://freeipa.org/page/V3/OTP







Remove unnecessary prefixes from ipa-pwd-extop files
2013-05-17T07:30:51+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-05-09T18:43:17+00:00

1e1bab4edc0ce4b70a370deac8109092b53b97a2












Add the krb5/FreeIPA RADIUS companion daemon
2013-05-17T07:30:51+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-04-11T18:03:25+00:00

203754691c28243dd3cf378e98390fc0a455b485

This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP





This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP







ipa-kdb: Add OTP support
2013-05-17T07:30:51+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-04-11T17:50:42+00:00

5d51ae50a59466fa2d6d230d7f2879de34210f0c

If OTP is enabled for a user, then:
  1. Long-term keys are not provided to KDB
  2. The user string 'otp' is defined to KDB

Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.

https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP





If OTP is enabled for a user, then:
  1. Long-term keys are not provided to KDB
  2. The user string 'otp' is defined to KDB

Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.

https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP