summaryrefslogtreecommitdiffstats
path: root/src/plugins/kdb/ldap
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove db_supported_realms and db_free_supported_realms from the DALGreg Hudson2010-07-024-26/+0
| | | | | | | | | | table, and remove the corresponding libkdb5 interfaces (which don't seem to have been in the library export table). ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24158 dc483132-0cff-0310-8789-dd5450dbe970
* DAL improvementsGreg Hudson2010-07-022-3/+4
| | | | | | | | | | | | | | | | | | | Add KRB5_KDB_API_VERSION to allow callers to adjust to incompatible changes in libkdb; to be kept in sync with the libkdb major version, which is bumped to 5 in anticipation of other changes. Add KRB5_KDB_DAL_VERSION to allow database modules to detect when they are mismatched with the KDB version. Since KDB modules are often developed concurrently with trunk code, this is defined to be the date of the last incompatible DAL change. The DAL version is passed to the init_library DAL function; the module should check it against the value of KRB5_KDB_DAL_VERSION it was compiled with and return KRB5_KDB_DBTYPE_MISMATCH if it doesn't match. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24157 dc483132-0cff-0310-8789-dd5450dbe970
* make dependGreg Hudson2010-06-072-136/+141
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970
* Add lockout-related performance tuning variablesGreg Hudson2010-05-103-16/+74
| | | | | | | | | | | | | | | The account lockout feature of krb5 1.8 came at a cost in database accesses for principals requiring preauth, even if lockout is not used. Add dbmodules variables disable_last_success and disable_lockout for the DB2 and LDAP back ends, allowing the admin to recover the lost performance at the cost of new functionality. (Unrelated documentation fix: document database_name as a DB2-specific dbmodules variable instead of the realm variable it used to be.) ticket: 6719 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24003 dc483132-0cff-0310-8789-dd5450dbe970
* Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAPGreg Hudson2010-05-101-22/+29
| | | | | | | | | | | | | | | | | In krb5_ldap_put_principal, use krb5_get_attributes_mask to determine whether krbLoginFailedCount existed on the entry when it was retrieved. If it didn't exist, don't try to use LDAP_MOD_INCREMENT, and don't assert an old value when not using LDAP_MOD_INCREMENT. Also, create the krbLoginFailedCount attribute when creating new entries. This allows us to use LDAP_MOD_INCREMENT during the first failed login (if the server supports it), avoiding a race condition. ticket: 6718 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24002 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust for removal of krb5_ldap_set_option in r23965Tom Yu2010-05-041-1/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23972 dc483132-0cff-0310-8789-dd5450dbe970
* Remove krb5_db_set_option and the associated DAL entry. It was notGreg Hudson2010-05-043-12/+0
| | | | | | used. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23965 dc483132-0cff-0310-8789-dd5450dbe970
* Update the LDAP dependencies for r23674Greg Hudson2010-01-272-132/+161
| | | | | | ticket: 6649 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23675 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of kdb_ext.h and allow out-of-tree KDB pluginsGreg Hudson2010-01-271-1/+0
| | | | | | | | | | | | | Move the contents of kdb_ext.h into kdb.h, since there is no meaningful "extensions" category of DB interfaces now that this stuff is in our tree. Allows out-of-tree KDB plugins to be built since we install kdb.h. ticket: 6649 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23674 dc483132-0cff-0310-8789-dd5450dbe970
* Mark and reindent plugins, except for pkinit, which needs a littleGreg Hudson2009-11-2443-8944/+8738
| | | | | | cleanup first. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23353 dc483132-0cff-0310-8789-dd5450dbe970
* Consolidate Makefile variables now that we have only a single globalGreg Hudson2009-11-225-197/+191
| | | | | | | | | | | | | configure script: $(SRCTOP) --> $(top_srcdir) $(srcdir)/$(thisconfigdir) --> $(top_srcdir) $(thisconfigdir) --> $(BUILDTOP) $(myfulldir) --> $(mydir) ticket: 6583 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23308 dc483132-0cff-0310-8789-dd5450dbe970
* Constrained delegation without PAC supportGreg Hudson2009-11-146-4/+97
| | | | | | | | | | | Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a Heimdal-compatible mechanism for allowing constrained delegation without back-end support for PACs. Back-end support exists in LDAP only (via a new krbAllowedToDelegateTo attribute), not DB2. ticket: 6580 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-3126-94/+86
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Account lockoutGreg Hudson2009-10-2514-35/+558
| | | | | | | | | | | | Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure. ticket: 6577 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
* Move destest to builtin/des, because it depends on overriding someTom Yu2009-10-102-101/+109
| | | | | | | | internals. Make depend. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22877 dc483132-0cff-0310-8789-dd5450dbe970
* Supply canonical name if present in LDAP iterationGreg Hudson2009-09-031-5/+6
| | | | | | | | | | | | | In the presence of aliases, LDAP iteration was supplying the first principal it found within the expected realm, which is not necessarily the same as the canonical name. If the entry has a canonical name field, use that in preference to any of the principal names. ticket: 6557 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22710 dc483132-0cff-0310-8789-dd5450dbe970
* Supply LDAP service principal aliases to non-referrals clientsGreg Hudson2009-09-031-1/+25
| | | | | | | | | | | | In the LDAP back end, return aliases when the CLIENT_REFERRALS_ONLY flag isn't set (abusing that flag to recognize a client name lookup). Based on a patch from Luke Howard. ticket: 6556 target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22708 dc483132-0cff-0310-8789-dd5450dbe970
* Fix the LDAP build, which was broken by the build reordering inGreg Hudson2009-08-071-3/+8
| | | | | | | | r22406. Build kdb5_util's getdate from the kadmin/cli getdate source, instead of borrowing the object file from the kadmin/cli build directory. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22501 dc483132-0cff-0310-8789-dd5450dbe970
* In ldap_create.c, remove four incorrect uses of krb5_set_error_messageGreg Hudson2009-06-171-10/+3
| | | | | | which resulted in obscured and confusing error diagnostics. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22412 dc483132-0cff-0310-8789-dd5450dbe970
* Restore limited support for static linkingGreg Hudson2009-06-082-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add enough static linking support to run the test suite without shared libraries, to facilitate gcov and other kinds of instrumentation. The necessary changes include: * Undo some of the changes which removed static linking support, and cannibalize the defunct krb5_force_static conditional block in aclocal.m4. * Add --enable-static-only configure option. * For plugins, use a different symbol name for static and dynamic builds, via a macro in k5plugin.h. * Add build machinery for building static libraries for plugins (somewhat grotty due to the difference in names). * Move plugin subdirs earlier in SUBDIRS in src/Makefile.in. * Make the in-tree KDB5 plugins dependencies of libkdb5 in a static build (aclocal.m4 has to know what they are). * In kdb5.c, cannibalize the broken _KDB5_STATIC_LINK support to allow "loading" of statically linked plugin libraries. Preauth, authdata, locate, and GSSAPI plugins are not handled by this change, as they are not currently necessary to the test suite. Supporting GSSAPI plugins may be a bit tricky but the others should be straightforward if they become needed. $(STLIBEXT) changes from .a-nobuild to .a in a normal shared build as a result of these changes (except on AIX where aclocal.m4 changes it). This does not seem to be important as we avoid selecting the static library for building via other means. ticket: 6510 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22406 dc483132-0cff-0310-8789-dd5450dbe970
* Fix minor bug in r21269 - wrong field nameKen Raeburn2009-05-301-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22395 dc483132-0cff-0310-8789-dd5450dbe970
* Add LDAP back end support for canonical name attributeGreg Hudson2009-03-154-7/+78
| | | | | | | | | | | | | Add a krbCanonicalName attribute to the schema. When looking up a principal, if the canonical name is set and does not match the requested name, then return the entry only if canonicalization was requested, and use the entry's canonical name. ticket: 6420 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22090 dc483132-0cff-0310-8789-dd5450dbe970
* Several small fixes to enable the migrate mkey commands to work properly ↵Will Fiveash2009-03-101-45/+0
| | | | | | | | | with a LDAP KDB. See the ticket for more details ticket: 6405 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22073 dc483132-0cff-0310-8789-dd5450dbe970
* Rename kdb_setup_lib_handle to krb5_db_setup_lib_handle and export it.Greg Hudson2009-03-101-8/+6
| | | | | | | | | | | | | Make kdb5_ldap_util work again by calling this function to set up dal_handle instead of using one with an uninitialized lib_handle. It is likely that kdb5_ldap_util will only function given a krb5.conf which specifies a realm with an LDAP database module as the default realm. Not sure if that was the case before. ticket: 6403 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22071 dc483132-0cff-0310-8789-dd5450dbe970
* Use macros for config parametersZhanna Tsitkov2009-02-041-6/+6
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21879 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unnecessary pointer casts in args to free,memcpy,memset,memchr except ↵Ken Raeburn2009-02-024-6/+6
| | | | | | unicode, windows code git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21875 dc483132-0cff-0310-8789-dd5450dbe970
* export new functionsKen Raeburn2009-01-311-0/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21850 dc483132-0cff-0310-8789-dd5450dbe970
* Master Key Migration ProjectWill Fiveash2009-01-309-17/+137
| | | | | | | | | | | | | | | Commit for the Master Key Migration Project. http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration This commit provides the ability to add a new master key (with an enctype differing from the current master key) to the master key principal and stash file and then migrate the encryption of existing principals long term keys to use the new master key. In addition deletion of master keys is provided. ticket: 6354 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
* move generated dependencies out of Makefile.inKen Raeburn2009-01-055-260/+290
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Move automatically-generated dependencies into separate files in the source tree, and take the data out of Makefile.in. Keep the "make depend" rules for stripping out the dependencies from Makefile.in, in case some optional directories were missed, but everything that builds on my UNIX build has been converted. (Converting a directory just requires creating an empty "deps" file so that config.status can build the makefile, and then later running "make depend" in that directory to get the correct content for it.) Change configure scripts to incorporate the "deps" file when building each Makefile. This change requires the existence of a file "deps" in each source directory where we build a makefile, even if there are no sources for which to compute dependencies; a switch to GNU make would let us conditionalize that, but we can assess that later. Update dependencies for the generate Makefile itself to list the deps file. This will also require some minor tweaking of the Windows build, to make it incorporate the new deps file. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21701 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunkSam Hartman2009-01-033-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required. Merge commit 'mskrb-integ' into trunk ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* Add prototype for usage. Change invocation of usage to db_usage when using ↵Ezra Peisach2008-12-293-5/+5
| | | | | | an argument. Include adm_proto.h for prototype for krb5_keysalt_iterate git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21625 dc483132-0cff-0310-8789-dd5450dbe970
* krb4 removal missed ldap kdb plugin directoryEzra Peisach2008-12-291-3/+3
| | | | | | | | The krb4 removal failed to change the makefile in ldap kdb plugin directory. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21622 dc483132-0cff-0310-8789-dd5450dbe970
* Convert many uses of sprintf to snprintf or asprintfGreg Hudson2008-12-0112-243/+118
| | | | | | | ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21258 dc483132-0cff-0310-8789-dd5450dbe970
* Rename krb5int_buf_cstr to krb5int_buf_data, since k5bufs can be usedGreg Hudson2008-11-051-1/+1
| | | | | | | | | | | for binary data as well as C string data. The buffer will always have a null byte at krb5int_buf_len bytes regardless of whether it contains C string data. ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21003 dc483132-0cff-0310-8789-dd5450dbe970
* Convert many uses of strcpy/strcat (and sometimes sprintf) to acceptedGreg Hudson2008-11-051-6/+6
| | | | | | | | | string-handling functions. ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21001 dc483132-0cff-0310-8789-dd5450dbe970
* Use the k5buf module instead of strcpy/strcat in several placesGreg Hudson2008-10-301-51/+14
| | | | | | | ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20941 dc483132-0cff-0310-8789-dd5450dbe970
* Change LDAP key-sequence encoder to use a single data structureKen Raeburn2008-10-061-4/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20829 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a few missing-decl, signed/unsigned warningsKen Raeburn2008-10-067-6/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20828 dc483132-0cff-0310-8789-dd5450dbe970
* Merge three patches from Novell, with some updates related to work inKen Raeburn2008-09-229-420/+546
| | | | | | | | | | | | | | | | | | | | | | | | our tree since they were submitted, and reindenting for one source file that got particularly ugly in the process. From Savitha R on 2008-02-18 (yes, it was sitting in my queue a while): Attached patches have fixes for some issues in LDAP backend. 1. patch-mem-pwd.txt This patch clears the password in memory, fixes some memory leaks (in common code) and a segfault in eDirectory specific code. 2. patch-princ-attrs.txt This patch removes some eDirectory specific attributes from the common code 3. patch-edir-rights.txt This patch is specific to eDirectory code and fixes some rights issue. It adds and deletes rights to service objects as required on the kerberos attributes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20744 dc483132-0cff-0310-8789-dd5450dbe970
* Missed some changes for db_context->dal_handle renamingKen Raeburn2008-09-221-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20742 dc483132-0cff-0310-8789-dd5450dbe970
* a stash file is not a keytabWill Fiveash2008-08-153-5/+30
| | | | | | | | | Note, this is the commit for the associated Krb Consortium project: Projects/Masterkey Keytab Stash ticket: 194 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20661 dc483132-0cff-0310-8789-dd5450dbe970
* Catch a few more cases of unchecked k5_mutex_lock callsKen Raeburn2008-07-222-7/+13
| | | | | | ticket: 5962 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20567 dc483132-0cff-0310-8789-dd5450dbe970
* Don't set LOCAL_SUBDIRS in many places and SUBDIRS in a few andKen Raeburn2008-07-201-1/+1
| | | | | | | default SUBDIRS to LOCAL_SUBDIRS via pre.in. Instead, just set SUBDIRS in each directory, and don't do anything in pre.in. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20546 dc483132-0cff-0310-8789-dd5450dbe970
* Apply patch from Mark Phalan to correctly use progname instead ofTom Yu2008-07-175-85/+87
| | | | | | | | | | argv[0]. ticket: 6030 tags: pullup target_version: 1.6.4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20532 dc483132-0cff-0310-8789-dd5450dbe970
* Apply patch from Mark Phalan to initialize progname before useTom Yu2008-07-161-2/+5
| | | | | | | | ticket: 6028 target_version: 1.6.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20531 dc483132-0cff-0310-8789-dd5450dbe970
* Change krb5_context.db_context to point to the real structure type,Ken Raeburn2008-06-0210-22/+22
| | | | | | | | and change uses to not cast all the time. Also rename it from db_context to dal_handle, since one of the fields in the pointed-to structure is also called db_context. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20348 dc483132-0cff-0310-8789-dd5450dbe970
* Properly escape - in kdb5_ldap_util man pageRuss Allbery2008-04-281-55/+55
| | | | | | | | | | | | | | | | The LDAP plugin introduced a new man page which has unescaped hyphens. Unicode-aware groffs may convert those to real hyphens rather than the intended ASCII hyphen. This patch adds backslashes in front of all the bare hyphens that I plus Debian's lintian program could find to force interpretation as ASCII hyphens. Ticket: new Component: krb5-doc Version_Reported: 1.6.3 Target_Version: 1.6.4 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20311 dc483132-0cff-0310-8789-dd5450dbe970
* Set close-on-exec flag in most places where file descriptors areKen Raeburn2007-10-224-70/+79
| | | | | | | | | | | | | | | | | | | | | | | | | | | opened in our libraries (in case another application thread spawns a new process) and in the KDC programs (in case a plugin library spawns a new process). Checked calls to: open fopen THREEPARAMOPEN mkstemp socket accept dup dup2 pipe. In: util lib plugins kdc kadmin/server krb524. The various programs are less critical than the libraries, as any well-written plugin that spawns a new process should close all file descriptors it doesn't need to communicate with the new process. This approach also isn't bulletproof, as the call to set the close-on-exec flag is necessarily a separate call from creating the file descriptor, and the fork call could happen in between them. So plugins should be careful regardless of this patch; it will only reduce the window of potential lossage should a plugin be poorly written. (AFAIK there are currently no plugins that spawn processes where this would be a problem.) Update dependencies. ticket: 5561 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20143 dc483132-0cff-0310-8789-dd5450dbe970
* we're not using changelog files any moreKen Raeburn2007-09-242-49/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19971 dc483132-0cff-0310-8789-dd5450dbe970
* Configure libkdb_ldap directory at top levelKen Raeburn2007-05-312-38/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19566 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-04-13 14:37:49 +0000