| Commit message | Author | Age | Files | Lines |

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
https://fedorahosted.org/freeipa/ticket/4105
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/3779
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
C99 is supported on all compilers we target and
provides some useful features, including:
* Standard struct initializers
* Compound literals
* For-loop declarations
* Standard bool type
* Variable arrays (use with caution)
* Too many others to mention...
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.
https://fedorahosted.org/freeipa/ticket/4154
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4167
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When the ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and the plugin should then not end
with a failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
krbPwdPolicyReference is no longer filled in for default users. Instead, plugins
fall back to a hardcoded global policy reference.
Fix the ipa-lockout plugin to fall back to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
Fixes https://fedorahosted.org/freeipa/ticket/4116
The LDAP protocol doesn't allow deleting non-leaf entries. One needs to
remove all leaves first before removing the tree node.
https://fedorahosted.org/freeipa/ticket/4126
The KDB driver does not walk the tree back like the original password plugin.
Also, we no longer store the default policy in the base DN as we did in the
past.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead, hardcode the default policy like we do in the KDB driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
the PDC NetBIOS name. In general AD seems to be smart enough to handle
the two \ signs. But if the NetBIOS name reaches the maximum of 15
characters, AD does not accept the responses anymore.
Fixes https://fedorahosted.org/freeipa/ticket/4028
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.
FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2
https://fedorahosted.org/freeipa/ticket/3438
Updated by pviktori@redhat.com
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
https://fedorahosted.org/freeipa/ticket/3896
https://fedorahosted.org/freeipa/ticket/3896
Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.
https://fedorahosted.org/freeipa/ticket/3896
https://fedorahosted.org/freeipa/ticket/4056
https://fedorahosted.org/freeipa/ticket/4010
When modifying ticket flags add the objectclass to the object if it is missing.
https://fedorahosted.org/freeipa/ticket/3901
https://fedorahosted.org/freeipa/ticket/3795
Some error strings were duplicated, which makes it harder to
see what the real root cause is.
https://fedorahosted.org/freeipa/ticket/3988
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but the standard expiration time should apply.
However, the default expiration time (90 days) was always applied
even though the administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access rights on ipaNTHash are checked if no other
password operations are requested.
When MS-PAC information is re-initialized, also record the parent-child
relationship between the trust root level domain and its subdomains.
Use the parent's incoming SID black list to check whether a child domain is not
allowed to access the IPA realm.
We also should really use the 'cn' of the entry as the domain name.
ipaNTTrustPartner has a different meaning on the wire: it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.
Finally, the trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initialization in case of a black list change.
Trigger that by asking for a cross-realm TGT for the HTTP service.
When a client principal requests a ticket for a server principal
and we have to perform a transition, check that all three belong to either
our domain or the domains we trust through forest trusts.
In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from the client
realm to the server realm.
Part of https://fedorahosted.org/freeipa/ticket/3909
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
https://fedorahosted.org/freeipa/ticket/3953
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting off the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain, this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.
Fixes https://fedorahosted.org/freeipa/ticket/3941
We store the Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along with other configuration options, this container has a list of default
supported encryption types, in krbDefaultEncSaltTypes.
Fetch the krbDefaultEncSaltTypes value on ipa-sam initialization and convert the
discovered list to the mask of supported encryption types according to
security.idl from Samba:
typedef [public,bitmap32bit] bitmap {
    KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
    KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
    KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
    KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
    KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
} kerb_EncTypes;
Part of https://fedorahosted.org/freeipa/ticket/3898
We used to handle some of the code paths to free memory allocated by the LDAP library
but there are a few more unhandled. In addition, the search result wasn't freed on successful
initialization, leaking for a long time.
https://fedorahosted.org/freeipa/ticket/3913
When a trust is established, the last step done by the IPA framework is to set
the encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in the trust object entry,
which is not allowed by ACI.
Additionally, the wrong handle was used by the dcerpc.py code when executing
SetInformationTrustedDomain() against the IPA smbd, which prevented even
reaching the point where ipa-sam would be asked to modify the trust object.
https://fedorahosted.org/freeipa/ticket/3442
If ipa_cldap_decode() reply is not initialized.
Fixes https://fedorahosted.org/freeipa/ticket/3885
There is no risk of crash here as slapi_valueset_first_value() can handle
the case where the valueset is NULL, but there is no point in calling that
if we know there are no values.
https://fedorahosted.org/freeipa/ticket/3880
If we do not store the keys in the entry we need to free the array before
continuing or the data is leaked.
CoverityID: 11910
Fixes:
https://fedorahosted.org/freeipa/ticket/3884
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.
CoverityID: 11909
Fixes:
https://fedorahosted.org/freeipa/ticket/3883
CoverityID: 11904
Also remove 'inline', the compiler can do it on its own if needed.
Fixes:
https://fedorahosted.org/freeipa/ticket/3882
Differences in the Python byte code fail a build validation
(rpmdiff) done on different architectures of the same package.
This patch:
1) Ensures that timestamps of generated *.pyo and *.pyc files match
2) Python integer literals greater than or equal to 2^32 and lower than 2^64
are converted to long right away to prevent a different integer type
on architectures with a different size of int
https://fedorahosted.org/freeipa/ticket/3858
Variable was set, but it was not used.
warning: passing argument from incompatible pointer type