This reverts commit bfdbd3b6ad.
Forceful validation of password expiration date in a BIND pre-callback
breaks LDAP password change extended operation as the password change
is only allowed via authenticated (bound) channel. Passwords could be
only changed via kadmin protocol. This change would thus break
LDAP-only clients and Web UI password change hook.
This patch will need to be revisited so that unauthenicated corner
cases are also revisited.
https://fedorahosted.org/freeipa/ticket/1539
If the password is expired fail a password bind.
Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.
https://fedorahosted.org/freeipa/ticket/3305
Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describes each of the range_check results.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When building the domain to forest root map, we need to take the case
of IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The slapi_entry_attr_get_ulong which is used to get value of the RID base
attributes returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.
Otherwise this can cause false negative results of checks in the range_check
plugin.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ipa-range-check plugin used to determine the range type depending
on the value of the attributes such as RID or secondary RID base. This
approached caused variety of issues since the portfolio of ID range
types expanded.
The patch makes sure the following rules are implemented:
* No ID range pair can overlap on base ranges, with exception
of two ipa-ad-trust-posix ranges belonging to the same forest
* For any ID range pair of ranges belonging to the same domain:
* Both ID ranges must be of the same type
* For ranges of ipa-ad-trust type or ipa-local type:
* Primary RID ranges can not overlap
* For ranges of ipa-local type:
* Primary and secondary RID ranges can not overlap
* Secondary RID ranges cannot overlap
For the implementation part, the plugin was extended with a domain ID
to forest root domain ID mapping derivation capabilities.
https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.
https://fedorahosted.org/freeipa/ticket/4276
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
krbPwdPolicyReference is no longer filled default users. Instead, plugins
fallback to hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
the PDC NetBIOS name. In general AD seems to be smart enough to handle
the two \ signs. But if the NetBIOS name reaches the maximum of 15
character AD does not accept the responses anymore.
Fixes https://fedorahosted.org/freeipa/ticket/4028
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, default expiration time was always applied (90 days)
even though administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting of the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.
Fixes https://fedorahosted.org/freeipa/ticket/3941
There is no risk of crash here as slapi_valueset_first_value() can handle
the case where the valueset is NULL, but there is no point in calling that
if we know there are no values.
https://fedorahosted.org/freeipa/ticket/3880
extdom plugin handles external operation over which SSSD asks IPA server about
trusted domain users not found through normal paths but detected to belong
to the trusted domains associated with IPA realm.
SSSD expects that user or group name in the response will be unqualified
because domain name for the user or group is also included in the response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully
qualified name which includes the domain name we are asked to handle.
The code already expects that fully-qualified names are following user@domain
convention so we are simply tracking whether '@' symbol is present and is followed
by the domain name.
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
lookup users and groups of trusted domains.
This patch removed the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to lookup SIDs.
Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
This was to resolve a -Werror=format-security error.
ipa_extdom_extop.c: In function 'ipa_extdom_extop':
ipa_extdom_extop.c:144:9: error: format not a string literal and no format
arguments [-Werror=format-security]
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.
On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.
Fixes: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.
Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
Request with a SID as input parameter do not contain the domain name,
hence is must be tried to resolve the SID first before the corresponding
domain can be looked up.
https://fedorahosted.org/freeipa/ticket/3596
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
There were several problems:
- A cut-n-paste error where the wrong value was being considered when
an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
max failures.
https://fedorahosted.org/freeipa/ticket/3433
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
Any of the following checks:
- overlap between primary RID range and secondary RID range
- overlap between secondary RID range and secondary RID range
is performed now only if both of the ranges involved are local
domain ranges.
https://fedorahosted.org/freeipa/ticket/3391
Wrap the password change extop in a transaction.
Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.
https://fedorahosted.org/freeipa/ticket/1064
Ther3 are two global ipaConfig options to disable undesirable writes that
have performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.
Unit tests added to test_range_plugin.py
https://fedorahosted.org/freeipa/ticket/3086
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.
Fixes https://fedorahosted.org/freeipa/ticket/2825
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.
All we really want to do is escape when we don't hvae an entry to modify.
https://fedorahosted.org/freeipa/ticket/2237
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.
This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.
https://fedorahosted.org/freeipa/ticket/2436
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.
https://fedorahosted.org/freeipa/ticket/2067
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.
https://fedorahosted.org/freeipa/ticket/1526
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.
If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.
https://fedorahosted.org/freeipa/ticket/1357
https://fedorahosted.org/freeipa/ticket/1382
crash in winsync if replaying a MOD and user does not exist in AD
If the AD entry is deleted before the deletion can be synced back to IPA,
and in the meantime an operation is performed on the corresponding
entry in IPA that should be synced to AD, winsync attempts to get the
AD entry and it is empty. This just means the operation will not go
through, and the entry will be deleted when the sync from AD happens.
The IPA winsync plugin needs to handle the case when the ad_entry
is NULL.
https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly. The code that handled the
account sync in the from AD direction was broken, but was never found before
now because it had not been used. The fix is to correctly set or remove
nsAccountLock.
We need to set uidNumber and gidNumber to the magic values so that DNA can
assign appropriate Ids, otherwise the synchronization of users from AD will
fail with an error about posixAccount requiring a missing (uidNumber)
attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1020
When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN. The problem is that the operation in the pblock holds
a pointer to the old DN address. This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes. This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.
The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.
ticket 963
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.
Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.
The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).
Fixes: https://fedorahosted.org/freeipa/ticket/976
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.
Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.
ticket 606
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.
When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.
Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.
ticket 918
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.
Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.
https://fedorahosted.org/freeipa/ticket/715
Omiting return value of calloc in ipa_pwd_extop.c could lead to
memory access issues when memory is full. This patch adds return
value check.
https://fedorahosted.org/freeipa/ticket/717
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.
https://fedorahosted.org/freeipa/ticket/576
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.
Fixes: https://fedorahosted.org/freeipa/ticket/529
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.
https://fedorahosted.org/freeipa/ticket/408
Signed-off-by: Simo Sorce <ssorce@redhat.com>
The DS guys decided not to expose the DS inetrnal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.
NOTE: This causes once again a change in the tring format used for UUIDs.
fixes: https://fedorahosted.org/freeipa/ticket/465
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
This attribute is required for samba to properly identify a user has changed
it's password and doesn't need to change it again at next login.
At the same time, if we are forcing a pssword reset we also need to let samba
know the user must change its password.
We were mistakenly removeing the latest password from the passwordHistory
once the max history values were reached. Make sure we remove the oldest one
instead.
Use __func__ in log functions instead of the explicit function name
so that if the function need to be renamed later logs reflect the
change automatically w/o the need to change all occurrences.
Also makes a grep for the function name less noisy avoiding tons of
false positives.
The plugin was getting difficult to read and maintain.
Split it (and apply cosmetic cleanups to some functions) in smaller
pieces that perform specific tasks.
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.
The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.
The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
