Commit Graph

170 Commits

Author SHA1 Message Date
Simo Sorce
c007ac0d70 Fix MS-PAC checks when using s4u2proxy
We were using the wrong principal in the s4u2proxy case.

Fixes: https://fedorahosted.org/freeipa/ticket/2504
2012-04-03 09:28:50 -04:00
Rob Crittenden
56fa06fec4 Fix failure count interval attribute name in query for password policy.
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.

https://fedorahosted.org/freeipa/ticket/2540
2012-03-29 00:52:25 -04:00
Simo Sorce
735618a1c6 Fix memleak and silence Coverity defects
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
2012-03-22 17:33:13 +01:00
Martin Kosek
51601ac794 Treat UPGs correctly in winsync replication
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
    group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
    the dirsrv log as the gidNumber cannot be retrieved. User
    is replicated in the same way as before this patch, i.e.
    without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436
2012-03-15 09:57:37 +01:00
Simo Sorce
372d67ae81 ipa-kdb: fix delegation acl check
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
2012-02-28 13:03:22 -05:00
Simo Sorce
9942a29cab policy: add function to check lockout policy
Fixes: https://fedorahosted.org/freeipa/ticket/2393
2012-02-19 20:43:45 -05:00
Simo Sorce
8ec98dfcae ipa-kdb: Fix ACL evaluator
Fixes: https://fedorahosted.org/freeipa/ticket/2343
2012-02-20 10:48:59 +01:00
Simo Sorce
d5e4bd5c59 Remove compat defines
These definitions were needed during development to be a le to build against
krb5 version < 1.10
These function headers and defintions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
2012-02-16 14:45:23 -05:00
Simo Sorce
0c6e047128 ipa-kdb: set krblastpwdchange only when keys have been effectively changed 2012-02-15 04:51:15 -05:00
Simo Sorce
c3c59ce15c ipa-kdb: Avoid lookup on modify if possible
This avoids one useless search if we already have the entry_dn.
2012-02-15 04:50:57 -05:00
Simo Sorce
651f932473 ipa-kdb: add AS auditing support
Fixes: https://fedorahosted.org/freeipa/ticket/2334
2012-02-14 18:03:45 -05:00
Martin Kosek
f2cc9c8d33 Improve password change error message
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.

https://fedorahosted.org/freeipa/ticket/2067
2012-02-03 17:21:33 +01:00
Simo Sorce
86f908a0e4 slapi-plugins: use thread-safe ldap library 2012-01-13 19:07:47 +02:00
Simo Sorce
91c10419f8 ipa-kdb: Create PAC's KDC checksum with right key
Fixes: https://fedorahosted.org/freeipa/ticket/2170
2012-01-11 17:34:21 -05:00
Simo Sorce
417b9fb9c1 ipa-kdb: Verify the correct checksum in PAC validation
This patch requires a forthcoming change in MIT libraries which allows to pass
NULL for the server_key to the krb5_pac_verify() function.

In most cases we should always only check the KDC checksum to verify the PAC
validity.

The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.

The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.

Fixes: https://fedorahosted.org/freeipa/ticket/2169
2012-01-11 17:34:15 -05:00
Simo Sorce
de0444defe ipa-cldap: Support clients asking for default domain 2012-01-05 09:38:04 -05:00
Sumit Bose
808e75c13d Add a second module init call for newer samba versions 2011-12-09 15:57:49 -05:00
Simo Sorce
771a524525 ipa-kdb: return properly when no PAC is available 2011-12-09 14:20:46 -05:00
Simo Sorce
10264c9ea9 ipa-kdb: Add delgation access control support 2011-12-08 17:18:10 -05:00
Simo Sorce
045c7c123e ipa-kdb: enhance deref searches
Allow to deref more than one attribute.
The attrs searched are the same for all deref attributes at this time.
2011-12-08 17:18:10 -05:00
Simo Sorce
c462314f3c ipa-kdb: Fix copy and paste typo 2011-12-07 21:27:20 -05:00
Sumit Bose
27f02881c1 Make pwd-extop aware of new ipaNTHash attribute 2011-12-06 08:29:53 -05:00
Sumit Bose
edb6ed5007 Add ipasam samba passdb backend
https://fedorahosted.org/freeipa/ticket/1874
2011-12-06 08:29:53 -05:00
Simo Sorce
c3dc08b93f ipa-kdb: fix memleaks in ipa_kdb_mspac.c 2011-12-02 09:49:30 -05:00
Simo Sorce
64dfa1b37e ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles 2011-12-02 09:49:30 -05:00
Simo Sorce
e727dc50cc ipa-kdb: fix free() of uninitialized var 2011-11-29 16:08:59 -05:00
Simo Sorce
ba2e357ba2 ipa-kdb: Support re-signing PAC with different checksum
Fixes: https://fedorahosted.org/freeipa/ticket/2122
2011-11-29 09:28:25 -05:00
Simo Sorce
17cc52a154 ipa-cldap: send cldap reply 2011-11-21 18:52:59 -05:00
Simo Sorce
64ce67523f ipa-cldap: Create netlogon blob 2011-11-21 18:52:59 -05:00
Simo Sorce
046c416e90 ipa-cldap: Decode CLDAP request. 2011-11-21 18:52:59 -05:00
Simo Sorce
d709dcf8f5 ipa-cldap: Implement worker thread. 2011-11-21 18:52:59 -05:00
Simo Sorce
710f435c20 Create skeleton CLDAP server as a DS plugin 2011-11-21 18:52:48 -05:00
Simo Sorce
94a8bc1917 MS-PAC: Add support for verifying PAC in TGS requests
Fake code for now, to be rebased later
2011-11-07 14:25:07 -05:00
Simo Sorce
18537d55a7 Add support for generating PAC for AS requests for user principals 2011-11-07 14:25:07 -05:00
Simo Sorce
9701821227 Fix CID 11027: Wrong sizeof argument
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
ad8c53d584 Fix CID 11026: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
8cc402206a Fix CID 11025: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
ea10ad1851 Fix CID 11024: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
bc3fb1b3a0 Fix CID 11023: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
a49cf51ee2 Fix CID 11022: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
c286278aa9 Fix CID 11020: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
299c91df92 Fix CID 11019: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
8276d5d55f Fix CID 10745: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
7cca50e9b5 Fix CID 10743: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
e615bea1be Fix CID 10742: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
9f07404fe3 ipa-kdb: Fix memory leak 2011-11-03 09:51:30 -04:00
Simo Sorce
f28ab8351f ipa-kdb: Fix legacy password hashes generation
We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.

Fixes: https://fedorahosted.org/freeipa/ticket/1820
2011-10-06 12:15:05 -04:00
Sumit Bose
3fb40170cb ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.

https://fedorahosted.org/freeipa/ticket/1877
2011-10-05 17:20:13 +02:00
Simo Sorce
dfc704de25 ipa-kdb: Fix expiration time calculation
Expiration time should be enforced as per policy only for users and only when a
password change occurs, ina ll other cases we should just let kadmin decide
whther it is going to set a password expiration time or just leave it empty.

In general service tickts have strong random passwords so they do not need a
password policy or expiration at all.

https://fedorahosted.org/freeipa/ticket/1839
2011-09-26 10:07:11 +02:00
Simo Sorce
c981627016 ipa-pwd-extop: Enforce old password checks
If a user is changing his own password, then require the old password to be
sent for validation purposes.

https://fedorahosted.org/freeipa/ticket/1814
2011-09-21 18:10:34 -04:00