Commit Graph

408 Commits

Author SHA1 Message Date
Simo Sorce
b1a30bff04 Use asn1c helpers to encode/decode the getkeytab control
Replaces manual encoding with automatically generated code.

Fixes:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Simo Sorce
b170851058 Fix filtering of enctypes in server code.
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.

Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Nathaniel McCallum
79df668b5d Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 10:56:19 +01:00
Jan Cholasta
4e49f39e1a Fix memory leak in ipa-pwd-extop
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
9062dcada4 Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
Fixes a wrong sizeof argument and unchecked return values.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
701dde3cb3 Fix memory leaks in ipa-extdom-extop
https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
08ee4a2e6f Fix possible NULL dereference in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
2a4ba3d3cc DNSSEC: remove container_dnssec_keys
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-21 12:23:39 +02:00
Petr Spacek
276e69de87 DNSSEC: add ipa dnssec daemons
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Sumit Bose
43f8de0c76 extdom: remove unused dependency to libsss_idmap
https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-10-21 10:17:54 +02:00
Sumit Bose
0ee8fe11ae extdom: add support for sss_nss_getorigbyname()
https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-10-21 10:17:54 +02:00
Nathaniel McCallum
68825e7ac6 Configure IPA OTP Last Token plugin on upgrade
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Nathaniel McCallum
41bf0ba940 Create ipa-otp-counter 389DS plugin
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.

Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.

https://fedorahosted.org/freeipa/ticket/4493
https://fedorahosted.org/freeipa/ticket/4494

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:12:36 +02:00
Nathaniel McCallum
915837c14a Move OTP synchronization step to after counter writeback
This prevents synchronization when an authentication collision occurs.

https://fedorahosted.org/freeipa/ticket/4493

Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2014-09-30 16:19:06 +02:00
Sumit Bose
3c75b9171e extdom: add support for new version
Currently the extdom plugin is basically used to translate SIDs of AD
users and groups to names and POSIX IDs.

With this patch a new version is added which will return the full member
list for groups and the full list of group memberships for a user.
Additionally the gecos field, the home directory and the login shell of a
user are returned and an optional list of key-value pairs which
currently will contain the SID of the requested object if available.

https://fedorahosted.org/freeipa/ticket/4031

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-09-30 08:29:59 +02:00
Nathaniel McCallum
35ec0f7e3d Use stack allocation when writing values during otp auth
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-30 08:27:47 +02:00
Sumit Bose
757272a3f8 ipa-kdb: fix unit tests
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-09-26 11:28:26 +02:00
Nathaniel McCallum
d3638438fc Add TOTP watermark support
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.

Further performance enhancement is desired, but is outside the
scope of this patch.

https://fedorahosted.org/freeipa/ticket/4410

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-07-25 10:41:17 +02:00
Lukas Slebodnik
d1d2536375 Add missing break
Wrong error message would be used for in case of
RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to
the default section.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-07-14 16:28:59 +02:00
Simo Sorce
d9d5967f7e Fix getkeytab code to always use implicit tagging.
A mixture of implicit and explicit tagging was being used and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treat sequences and explicit tagging.

The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow to the specified encoding.

Resolves: https://fedorahosted.org/freeipa/ticket/4404

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-27 10:03:23 +02:00
Simo Sorce
5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
88bcf5899c keytabs: Expose and modify key encoding function
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
d04746cdea keytabs: Modularize setkeytab operation
In preparation of adding another function to avoid code duplication.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Nathaniel McCallum
7b15fcd57b Change OTPSyncRequest structure to use OctetString
This change has two motivations:
  1. Clients don't have to parse the string.
  2. Future token types may have new formats.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 14:22:01 +02:00
Nathaniel McCallum
8b2f4443dc Periodically refresh global ipa-kdb configuration
Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.

This patch enables caching of the global configuration with a timeout of
60 seconds.

https://fedorahosted.org/freeipa/ticket/4153

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-19 14:50:32 +02:00
Martin Kosek
c41b782bc5 Revert "Check for password expiration in pre-bind"
This reverts commit bfdbd3b6ad.

Forceful validation of password expiration date in a BIND pre-callback
breaks LDAP password change extended operation as the password change
is only allowed via authenticated (bound) channel. Passwords could be
only changed via kadmin protocol. This change would thus break
LDAP-only clients and Web UI password change hook.

This patch will need to be revisited so that unauthenicated corner
cases are also revisited.

https://fedorahosted.org/freeipa/ticket/1539
2014-06-10 08:42:03 +02:00
Simo Sorce
bfdbd3b6ad Check for password expiration in pre-bind
If the password is expired fail a password bind.

Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-09 08:18:16 +02:00
Nalin Dahyabhai
16092c3907 Restore krbCanonicalName handling
When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set,
rewrite the principal name to the canonical value, else error out,
instead of always returning an error if the requested name doesn't look
like the canonical one.

https://fedorahosted.org/freeipa/ticket/3966

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-30 09:48:05 +02:00
Nalin Dahyabhai
fabd5cd62f Accept any alias, not just the last value
If the entry's krbPrincipalName attribute is multi-valued, accept any of
the values, not just the last one we happen to examine.

https://fedorahosted.org/freeipa/ticket/3966

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-30 09:48:05 +02:00
Nathaniel McCallum
58f8ebf491 kdb: Don't provide password expiration when using only RADIUS
If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.

https://fedorahosted.org/freeipa/ticket/4299

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-22 16:46:01 +02:00
Tomas Babej
5d78cdf809 ipa-pwd-extop: Deny LDAP binds for accounts with expired principals
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.

https://fedorahosted.org/freeipa/ticket/3305

Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-05 18:50:01 +03:00
Tomas Babej
5e5d4818a1 ipa_range_check: Change range_check return values from int to range_check_result_t enum
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describes each of the range_check results.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-23 13:18:41 +02:00
Tomas Babej
91d68864d1 ipa_range_check: Fix typo when comparing strings using strcasecmp
Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:35 +02:00
Tomas Babej
6c8b40afb5 ipa_range_check: Do not fail when no trusted domain is available
When building the domain to forest root map, we need to take the case
of IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:35 +02:00
Tomas Babej
246e722b4f ipa_range_check: Make a new copy of forest_root_id attribute for range_info struct
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:34 +02:00
Tomas Babej
2c4d41221a ipa_range_check: Connect the new node of the linked list
Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:34 +02:00
Tomas Babej
2011392246 ipa_range_check: Use special attributes to determine presence of RID bases
The slapi_entry_attr_get_ulong which is used to get value of the RID base
attributes returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.

Otherwise this can cause false negative results of checks in the range_check
plugin.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:34 +02:00
Tomas Babej
218a261742 Extend ipa-range-check DS plugin to handle range types
The ipa-range-check plugin used to determine the range type depending
on the value of the attributes such as RID or secondary RID base. This
approached caused variety of issues since the portfolio of ID range
types expanded.

The patch makes sure the following rules are implemented:
    * No ID range pair can overlap on base ranges, with exception
      of two ipa-ad-trust-posix ranges belonging to the same forest
    * For any ID range pair of ranges belonging to the same domain:
        * Both ID ranges must be of the same type
        * For ranges of ipa-ad-trust type or ipa-local type:
            * Primary RID ranges can not overlap
        * For ranges of ipa-local type:
            * Primary and secondary RID ranges can not overlap
            * Secondary RID ranges cannot overlap

For the implementation part, the plugin was extended with a domain ID
to forest root domain ID mapping derivation capabilities.

https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-08 14:23:18 +02:00
Tomas Babej
8d2b3fe7a7 ipa-range-check: Fix memory leaks when freeing range object
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.

https://fedorahosted.org/freeipa/ticket/4276
2014-04-08 14:23:18 +02:00
Tomas Babej
5a0d52b939 ipa-pwd-extop: Fix memory leak in ipapwd_pre_bind
We need to free the entry before returning from the function.

https://fedorahosted.org/freeipa/ticket/4295
2014-04-08 14:23:18 +02:00
Sumit Bose
c885bc3e49 extdom: do not return results from the wrong domain
Resolves: https://fedorahosted.org/freeipa/ticket/4264
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-25 14:03:05 +01:00
Jason Woods
d6a7923f71 ipa-sam: cache gid to sid and uid to sid requests in idmap cache
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.

Additionally, this patch further reduces number of queries by:
 - fast fail on uidNumber=0 which doesn't exist in FreeIPA,
 - return fallback group correctly when looking up user primary group as is
   done during init,
 - checking for group objectclass in case insensitive way

Patch by Jason Woods <devel@jasonwoods.me.uk>

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-03-12 12:19:06 +01:00
Martin Kosek
740298d120 Avoid passing non-terminated string to is_master_host
When string is not terminated, queries with corrupted base may be sent
to LDAP:

... cn=ipa1.example.com<garbage>,cn=masters...

https://fedorahosted.org/freeipa/ticket/4214

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-03-11 16:55:01 +01:00
Alexander Bokovoy
4048d412f2 ipa-kdb: do not fetch client principal if it is the same as existing entry
When client principal is the same as supplied client entry, don't fetch it
again.

Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.

Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.

https://fedorahosted.org/freeipa/ticket/4223

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-03-06 12:28:25 +01:00
Alexander Bokovoy
6b45ec3f31 fix filtering of subdomain-based trust users
https://fedorahosted.org/freeipa/ticket/4207

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-03-05 10:40:39 +01:00
Alexander Bokovoy
f7955abdda ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin
When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-02-26 14:19:49 +01:00
Alexander Bokovoy
fb2eca8d1e ipa-kdb: in case of delegation use original client's database entry, not the proxy
https://fedorahosted.org/freeipa/ticket/4195

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-02-26 14:19:48 +01:00
Alexander Bokovoy
9a8f44c09e libotp: do not call internal search for NULL dn
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-02-21 10:27:34 +01:00
Nathaniel McCallum
9f62d0c157 Teach ipa-pwd-extop to respect global ipaUserAuthType settings
https://fedorahosted.org/freeipa/ticket/4105

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Nathaniel McCallum
a51b07c275 Add OTP sync support to ipa-pwd-extop
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00