summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
* kdb: Don't provide password expiration when using only RADIUSNathaniel McCallum2014-05-221-0/+4
| | | | | | | | | | If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant. https://fedorahosted.org/freeipa/ticket/4299 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-pwd-extop: Deny LDAP binds for accounts with expired principalsTomas Babej2014-05-051-1/+34
| | | | | | | | | | | | | Adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_UNWILLING_TO_PERFORM along with the error message is sent back to the client. Since krbprincipalexpiration attribute is not mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Change range_check return values from int to ↵Tomas Babej2014-04-231-16/+26
| | | | | | | | | | | | range_check_result_t enum Using integers for return values that are used for complex casing can be fragile and typo-prone. Change range_check function to return range_check_result_t enum, whose values properly describes each of the range_check results. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipa_range_check: Fix typo when comparing strings using strcasecmpTomas Babej2014-04-231-4/+4
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Do not fail when no trusted domain is availableTomas Babej2014-04-231-2/+10
| | | | | | | | | | When building the domain to forest root map, we need to take the case of IPA server having no trusted domains configured at all. Do not abort the checks, but return an empty map instead. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Make a new copy of forest_root_id attribute for range_info ↵Tomas Babej2014-04-231-1/+1
| | | | | | | | | | | | struct Not making a new copy of this attribute creates multiple frees caused by multiple pointers to the same forest_root_id from all the range_info structs for all the domains belonging to given forest. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Connect the new node of the linked listTomas Babej2014-04-231-0/+1
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa_range_check: Use special attributes to determine presence of RID basesTomas Babej2014-04-231-9/+21
| | | | | | | | | | | | | | The slapi_entry_attr_get_ulong which is used to get value of the RID base attributes returns 0 in case the attribute is not set at all. We need to distinguish this situation from the situation where RID base attributes are present, but deliberately set to 0. Otherwise this can cause false negative results of checks in the range_check plugin. Part of: https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Extend ipa-range-check DS plugin to handle range typesTomas Babej2014-04-081-40/+260
| | | | | | | | | | | | | | | | | | | | | | | | | The ipa-range-check plugin used to determine the range type depending on the value of the attributes such as RID or secondary RID base. This approached caused variety of issues since the portfolio of ID range types expanded. The patch makes sure the following rules are implemented: * No ID range pair can overlap on base ranges, with exception of two ipa-ad-trust-posix ranges belonging to the same forest * For any ID range pair of ranges belonging to the same domain: * Both ID ranges must be of the same type * For ranges of ipa-ad-trust type or ipa-local type: * Primary RID ranges can not overlap * For ranges of ipa-local type: * Primary and secondary RID ranges can not overlap * Secondary RID ranges cannot overlap For the implementation part, the plugin was extended with a domain ID to forest root domain ID mapping derivation capabilities. https://fedorahosted.org/freeipa/ticket/4137 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-range-check: Fix memory leaks when freeing range objectTomas Babej2014-04-081-4/+12
| | | | | | | | When cleaning the range_info struct, simple free of the struct is not enough, we have to free contents of char pointers in the struct as well. https://fedorahosted.org/freeipa/ticket/4276
* ipa-pwd-extop: Fix memory leak in ipapwd_pre_bindTomas Babej2014-04-081-0/+1
| | | | | | We need to free the entry before returning from the function. https://fedorahosted.org/freeipa/ticket/4295
* extdom: do not return results from the wrong domainSumit Bose2014-03-251-0/+12
| | | | | Resolves: https://fedorahosted.org/freeipa/ticket/4264 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-sam: cache gid to sid and uid to sid requests in idmap cacheJason Woods2014-03-121-14/+114
| | | | | | | | | | | | | | | | | | | | | | Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid<->sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when looking up user primary group as is done during init, - checking for group objectclass in case insensitive way Patch by Jason Woods <devel@jasonwoods.me.uk> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> https://fedorahosted.org/freeipa/ticket/4234 and https://bugzilla.redhat.com/show_bug.cgi?id=1073829 https://bugzilla.redhat.com/show_bug.cgi?id=1074314 Reviewed-By: Sumit Bose <sbose@redhat.com>
* Avoid passing non-terminated string to is_master_hostMartin Kosek2014-03-111-1/+2
| | | | | | | | | | | When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.com<garbage>,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: do not fetch client principal if it is the same as existing entryAlexander Bokovoy2014-03-061-6/+13
| | | | | | | | | | | | | | | When client principal is the same as supplied client entry, don't fetch it again. Note that when client principal is not NULL, client entry might be NULL for cross-realm case, so we need to make sure to not dereference NULL pointer here. Also fix reverted condition for case when we didn't find the client principal in the database, preventing a memory leak. https://fedorahosted.org/freeipa/ticket/4223 Reviewed-By: Sumit Bose <sbose@redhat.com>
* fix filtering of subdomain-based trust usersAlexander Bokovoy2014-03-051-9/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/4207 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared ↵Alexander Bokovoy2014-02-261-0/+8
| | | | | | | | | | | | by admin When admin clears authdata flag for the service principal, KDC will pass NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: in case of delegation use original client's database entry, not the ↵Alexander Bokovoy2014-02-261-2/+7
| | | | | | | | | proxy https://fedorahosted.org/freeipa/ticket/4195 Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* libotp: do not call internal search for NULL dnAlexander Bokovoy2014-02-211-1/+6
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Teach ipa-pwd-extop to respect global ipaUserAuthType settingsNathaniel McCallum2014-02-217-406/+398
| | | | | | https://fedorahosted.org/freeipa/ticket/4105 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP sync support to ipa-pwd-extopNathaniel McCallum2014-02-219-970/+373
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-216-0/+219
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-7/+36
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support to ipa-kdb for keyless principalsNathaniel McCallum2014-02-191-0/+18
| | | | | | https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add libotp internal library for slapi pluginsNathaniel McCallum2014-02-148-0/+970
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable building in C99 modeNathaniel McCallum2014-02-141-1/+1
| | | | | | | | | | | | | C99 is supported on all compilers we target and provides some useful features, including: * Standard struct initializers * Compound literals * For-loop declarations * Standard bool type * Variable arrays (use with caution) * Too many others to mention... Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: validate that an OTP user has tokensNathaniel McCallum2014-02-143-25/+135
| | | | | | | | | | | | This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Move ipa-otpd socket directoryNathaniel McCallum2014-02-113-6/+6
| | | | | https://fedorahosted.org/freeipa/ticket/4167 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipa-lockout: do not fail when default realm cannot be readMartin Kosek2014-02-041-17/+17
| | | | | | | | | | | When ipa-lockout plugin is started during FreeIPA server installation, the default realm may not be available and plugin should then not end with failure. Similarly to other plugins, start in degraded mode in this situation. Operation is fully restored during the final services restart. https://fedorahosted.org/freeipa/ticket/4085
* Fallback to global policy in ipa-lockout pluginMartin Kosek2014-02-031-0/+34
| | | | | | | | | | krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy. https://fedorahosted.org/freeipa/ticket/4085
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-282-1/+4
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* CLDAP: add unit tests for make_netbios_nameSumit Bose2014-01-232-0/+87
|
* CLDAP: generate NetBIOS name like ipa-adtrust-install doesSumit Bose2014-01-232-14/+35
| | | | Fixes https://fedorahosted.org/freeipa/ticket/4116
* ipasam: delete trusted child domains before removing the trustAlexander Bokovoy2014-01-211-1/+44
| | | | | | | LDAP protocol doesn't allow deleting non-leaf entries. One needs to remove all leaves first before removing the tree node. https://fedorahosted.org/freeipa/ticket/4126
* Harmonize policy discovery to kdb driverSimo Sorce2014-01-161-89/+17
| | | | | | | | | | | The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085
* CLDAP: do not prepend \\Sumit Bose2014-01-151-1/+1
| | | | | | | | | For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in the PDC NetBIOS name. In general AD seems to be smart enough to handle the two \ signs. But if the NetBIOS name reaches the maximum of 15 character AD does not accept the responses anymore. Fixes https://fedorahosted.org/freeipa/ticket/4028
* Use /usr/bin/python2Xiao-Long Chen2014-01-031-1/+1
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* ipa-cldap: Cut NetBIOS name after 15 charactersTomas Babej2013-12-112-1/+6
| | | | | | | | The CLDAP DS plugin uses the uppercased first segment of the fully qualified hostname as the NetBIOS name. We need to limit its size to 15 characters. https://fedorahosted.org/freeipa/ticket/4028
* Remove CFLAGS duplication.Jan Cholasta2013-12-0614-16/+3
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Fix compilation error in ipa-cldap.Jan Cholasta2013-12-061-1/+3
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file.Jan Cholasta2013-12-061-1/+1
| | | | | | Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd. https://fedorahosted.org/freeipa/ticket/3896
* Clarify error message about IPv6 socket creation in ipa-cldap pluginPetr Spacek2013-12-031-1/+2
| | | | https://fedorahosted.org/freeipa/ticket/4056
* Use hardening flags for ipa-optd.Jan Cholasta2013-12-021-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4010
* Add krbticketPolicyAux objectclass if neededSimo Sorce2013-11-262-0/+35
| | | | | | When modifying ticket flags add the objectclass to the object if it is missing. https://fedorahosted.org/freeipa/ticket/3901
* Remove generation and handling of LM hashesSumit Bose2013-11-015-81/+22
| | | | https://fedorahosted.org/freeipa/ticket/3795
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-302-11/+17
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Administrative password change does not respect password policyMartin Kosek2013-10-171-15/+29
| | | | | | | | | When Directory Manager or a PassSync agent is changing a password, it is not being expired, but standard expiration time should apply. However, default expiration time was always applied (90 days) even though administrator may have a custom policy for the user. https://fedorahosted.org/freeipa/ticket/3968
* Use the right attribute with ipapwd_entry_checks for MagicRegenSumit Bose2013-10-081-1/+2
| | | | | | | | | | | | | There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested.
* ipa-kdb: Handle parent-child relationship for subdomainsAlexander Bokovoy2013-10-041-10/+99
| | | | | | | | | | | | | | | | | When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service.
* KDC: implement transition check for trusted domainsAlexander Bokovoy2013-10-043-2/+68
| | | | | | | | | | | | When client principal requests for a ticket for a server principal and we have to perform transition, check that all three belong to either our domain or the domains we trust through forest trusts. In case all three realms (client, transition, and server) match trusted domains and our domain, issue permission to transition from client realm to server realm. Part of https://fedorahosted.org/freeipa/ticket/3909
generated by cgit (git 2.34.1) at 2024-05-05 08:25:10 +0000