| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Translators need to reorder messages to suit the needs of the target
language. The conventional positional format specifiers (e.g. %s %d)
do not permit reordering because their order is tied to the ordering
of the arguments to the printf function. The fix is to use indexed
format specifiers.
https://fedorahosted.org/freeipa/ticket/2596
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.
One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0
Fixes: https://fedorahosted.org/freeipa/ticket/2488
|
| |
|
|
|
|
|
|
| |
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.
https://fedorahosted.org/freeipa/ticket/2424
|
| |
|
|
|
|
|
|
| |
This patch fixes 2 coverity issues:
* ipa-client/config.c: CID 11090: Resource leak
* ipa-client/ipa-getkeytab.c: CID 11018: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2035
|
| |
|
|
|
|
| |
This prevents broken DNS from causing enrollment problems.
https://fedorahosted.org/freeipa/ticket/1693
|
| |
|
|
| |
Some are actual bugs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.
Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.
The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).
Fixes: https://fedorahosted.org/freeipa/ticket/976
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/723
|
| |
|
|
|
|
|
|
| |
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
|
| |
|
|
|
|
|
|
| |
This patch fixes 2 situations where a pointer to allocated error
string could be overwritten - which could have resulted in
a memory leak.
https://fedorahosted.org/freeipa/ticket/714
|
| |
|
|
|
|
|
|
|
|
|
|
| |
krb5_init_context return value was not checked. This could lead
to unhandled error issues.
This patch moves the Kerberos context initialization to the
branch where it is needed and handles the error value in a way
that allows program exit in a standard way deallocating all
resources.
https://fedorahosted.org/freeipa/ticket/721
|
| |
|
|
|
|
|
|
|
| |
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.
https://fedorahosted.org/freeipa/ticket/576
|
| |
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
|
|
|
| |
Fixes errors about implicit function declaration and moves duplicated
gettext code into a common module. Also silences some warnings.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
| |
ldap_bind_s is marked as deprecated in new libldap releases.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add automatic creation of python an C file lists for potfiles
Deletes useless copy of Makefile in install/po
Remove duplicate maintainer-clean target
Add debug target that prints file lists
Unbreak update-po target, merges in patch from John
|
| |
|
|
| |
the code was calling ldap_init, which is a deprecated function, and getting a compilation warning. This version uses the recommended function ldap_initilaize.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
first data element. It was returning "host" from the service tgt
and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin
This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the
service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output
ticket 68
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
|
| |
|
|
| |
463548
|
| |
|
|
|
| |
1. Allow to specify the salt type along with the enctype
2. Allow to specify a password instead of forcing a random secret
|
| |
|
|
| |
unused variables or missing krb5 prototypes.
|
| |
|
|
| |
return in case any encryption type was explicitly requested
|
| |
|
|
|
|
| |
on a separate line so moving it up front makes it easier to find.
443014
|
| |
|
|
|
|
|
|
|
|
|
|
| |
I've been on a crusade (;-) to remove useless if-before-free tests,
so ran a script that spotted some here. I think I removed the first
batch (without braces) automatically, then manually removed the ones
with curly braces around the free statements.
You may well have doubts about the portability of removing those
tests, but as long as you don't care about SunOS4 or earlier, you'll
be fine. I've done similar things for e.g., coreutils, glibc, and git,
and have had no problems.
|
| |
|
|
|
|
|
|
|
| |
FreeIPA relies on RedHat's Directory Server, which uses mozldap.
A FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL.
This is beneficial for the reasons listed in [1].
[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
|
| | |
|
| |
|
|
|
|
| |
Return message on success
Avoid SASL output from being printed
Make sure the man page is up to date
|
| |
|
|
|
| |
we want to have in the keytab.
This superceedes any default enctype.
|
| | |
|
|
|
Following the changelog history from my dev tree, some comments are useful imo
------------------------------------------------------
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 03:05:36 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Remove remnants of the initial test tool
changeset: 563:4fe574b7bdf1
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 02:58:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Maybe actually encrypting the keys will help :-)
changeset: 562:488ded41242a
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:50 2007 -0500
files: ipa-server/ipa-install/share/Makefile.am ipa-server/ipa-install/share/default-aci.ldif
description:
Fixes
changeset: 561:4518f6f5ecaf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:32 2007 -0500
files: ipa-admintools/Makefile ipa-admintools/ipa-addservice
description:
transform the old ipa-getkeytab in a tool to add services as the new
ipa-getkeytab won't do it (and IMO it makes more sense to keep the
two functions separate anyway).
changeset: 559:25a7f8ee973d
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:59 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Bugfixes
changeset: 558:28fcabe4aeba
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:29 2007 -0500
files: ipa-client/configure.ac ipa-client/ipa-client.spec ipa-client/ipa-client.spec.in ipa-client/ipa-getkeytab.c
description:
Configure fixes
Add ipa-getkeytab to spec
Client fixes
changeset: 557:e92a4ffdcda4
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:57:10 2007 -0500
files: ipa-client/Makefile.am ipa-client/configure.ac
description:
Try to make ipa-getkeytab build via autotools
changeset: 556:224894175d6b
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:35:56 2007 -0500
files: ipa-admintools/ipa-getkeytab ipa-client/ipa-getkeytab.c
description:
Messed a bit with hg commands.
To make it short:
- Remove the python ipa-getkeytab program
- Rename the keytab plugin test program to ipa-getkeytab
- Put the program in ipa-client as it should be distributed with the client
tools
changeset: 555:5e1a068f2e90
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:20:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Polish the client program
changeset: 554:0a5b19a167cf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 18:53:49 2007 -0500
files: ipa-server/ipa-install/share/default-aci.ldif ipa-server/ipa-install/share/default-keytypes.ldif ipa-server/ipa-install/share/kdc.conf.template ipa-server/ipa-install/share/kerberos.ldif ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c ipa-server/ipaserver/krbinstance.py
description:
Support retrieving enctypes from LDAP
Filter enctypes
Update test program
changeset: 553:f75d7886cb91
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 00:17:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Fix ber generation and remove redundant keys
changeset: 552:0769cafe6dcd
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 19:31:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Avoid stupid segfault
changeset: 551:1acd5fdb5788
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:39:12 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
If ber_peek_tag() returns LBER_ERROR it may just be that we are at the
end of the buffer. Unfortunately ber_scanf is broken in the sense that
it doesn't actually really consider sequence endings (due probably to the fact
they are just representation and do not reflect in the underlieing DER
encoding.)
changeset: 550:e974fb2726a4
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:35:07 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
First shot at the new method
|
