| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Fake code for now, to be rebased later
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2037
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2036
|
| |
|
|
|
|
|
|
|
|
|
| |
We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1820
|
|
|
|
|
|
|
| |
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
|
|
|
|
|
|
|
|
|
|
|
| |
Expiration time should be enforced as per policy only for users and only when a
password change occurs, ina ll other cases we should just let kadmin decide
whther it is going to set a password expiration time or just leave it empty.
In general service tickts have strong random passwords so they do not need a
password policy or expiration at all.
https://fedorahosted.org/freeipa/ticket/1839
|
|
|
|
|
|
|
| |
If a user is changing his own password, then require the old password to be
sent for validation purposes.
https://fedorahosted.org/freeipa/ticket/1814
|
| |
|
|
|
|
|
| |
Do not pass an empty buffer to ber_init() as it will assert.
Check before hand and return an error.
|
|
|
|
|
|
|
| |
We do the policy check so we are the only one that can calculate the new
pwd espiration time.
Fixes: https://fedorahosted.org/freeipa/ticket/1793
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1370
|
|
|
|
|
|
| |
Fix "The the" and "classses" in FreeIPA code and messages.
https://fedorahosted.org/freeipa/ticket/1480
|
|
|
|
|
|
| |
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
|
|
|
|
|
|
|
| |
Although the proper values for booleans from LDAP should be only uppercase,
389ds does allow wrong cased values without complaining. And we still have some
places where the wrong case is used.
Avoid getting frustrating errors when reading these values out.
|
|
|
|
|
|
|
| |
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
|
|
|
|
| |
Use default policy for new principals created by kadmin
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Initialize module also on ipadb_create invocation. This is what
kdb5_util expects.
|
|
|
|
| |
limit exported symbols only to the ones actually needed by krb5kdc
|
| |
|
|
|
|
| |
It is going to be used by the ipa-kdb module too.
|
|
|
|
| |
Also to be used by ipa-kdb
|
|
|
|
| |
This way we can reuse the same code from ipa-kdb later
|
|
|
|
| |
This removes custom structures and allows easier sharing of code with ipa-kdb
|
| |
|
|
|
|
|
|
|
|
| |
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
|
|
|
|
|
| |
mkvno is actually available as part of the key material.
There is no need to store it in the krbExtraData field as it is unused there.
|
| |
|
| |
|