Commit Graph

344 Commits

Author SHA1 Message Date
Sumit Bose
7fb9ca23a1 Allow silent build if available 2012-07-06 13:06:15 +03:00
Alexander Bokovoy
e88049ecee ipasam: improve SASL bind callback
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.

Rework ccache handling to avoid re-initing every time callback is called
2012-07-06 13:06:15 +03:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Sumit Bose
876b1ec175 Use lower case names in LDAP to meet freeIPA convention 2012-06-29 11:59:39 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
ac6afd31f7 Add configure check for C Unit-Test framework check
The framework can be found at http://check.sourceforge.net.
2012-06-28 08:13:22 +02:00
Sumit Bose
dc3491ea42 Filter groups in the PAC
If one or more of the external groups given in the PAC can be found in
the ipaExternalGroup objects and these objects are members of local
groups, the SIDs of the local groups are added to the PAC.
2012-06-28 08:05:34 +02:00
Sumit Bose
65ad261663 Add sidgen postop and task
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825
2012-06-28 08:02:05 +02:00
Alexander Bokovoy
63567479df Add error condition handling to the SASL bind callback in ipasam
https://fedorahosted.org/freeipa/ticket/2877
2012-06-28 08:00:58 +02:00
Alexander Bokovoy
761cb71838 Support requests for DOMAIN$ account for trusted domains in ipasam module
https://fedorahosted.org/freeipa/ticket/2870
2012-06-28 07:57:29 +02:00
Sumit Bose
20fce97dfa ipasam: remove unused struct elements 2012-06-11 12:03:09 +02:00
Sumit Bose
b367c9ee7e Use exop instead of kadmin.local 2012-06-11 09:40:59 +02:00
Simo Sorce
f602ad270d Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-06-06 22:12:22 -04:00
Alexander Bokovoy
27c24ff7be ipa-sam: update sid_to_id() interface to follow passdb API changes in Samba
Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping
API in passdb interface to use 'struct unixid'. The change replaced three arguments
(uid, gid, type) by one (struct unixid). As result, ipa-sam became broken.

Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18
leading to corrupted security context stack as well and then crashing in setgroups(3).
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
bd0d858043 Add trust-related ACIs
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731
2012-06-07 09:39:10 +02:00
Simo Sorce
000bcfe34f ipa-kdb: Add MS-PAC on constrained delegation. 2012-06-07 09:39:10 +02:00
Alexander Bokovoy
cbb1d626b9 Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
b32204fccc Add separate attribute to store trusted domain SID
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191
2012-06-07 09:39:09 +02:00
Simo Sorce
43701d2735 Fix setting domain_sid
'sid' is a stack variable, by assigning its address to the domain_sid pointer
we were later referencing grabage (whatever on the stack ha[ppened to be at
that address.
Properly copy the sid and allocate it on the provided memory context.
2012-05-29 18:01:21 -04:00
Rob Crittenden
74293426d9 Normalize uid to lower case in winsync.
This in effect fixes uid, krbPrincipalName and homeDir.

https://fedorahosted.org/freeipa/ticket/2756
2012-05-25 09:49:06 +02:00
Rob Crittenden
560f2ce8bd Check for locked-out user before incrementing lastfail.
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   update the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765
2012-05-18 09:03:22 +02:00
Simo Sorce
46c6ff69ac Fix migration code password setting.
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.

Ticket: https://fedorahosted.org/freeipa/ticket/2764
2012-05-17 17:17:42 +02:00
Rob Crittenden
58732a83bc Return LDAP_SUCCESS on mods on a referral entry.
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.

All we really want to do is escape when we don't hvae an entry to modify.

https://fedorahosted.org/freeipa/ticket/2237
2012-05-11 08:37:41 +02:00
Simo Sorce
adf16a9b1c Fix theoretical leak discovered by coverity
This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)
2012-04-17 15:40:58 -04:00
Simo Sorce
c007ac0d70 Fix MS-PAC checks when using s4u2proxy
We were using the wrong principal in the s4u2proxy case.

Fixes: https://fedorahosted.org/freeipa/ticket/2504
2012-04-03 09:28:50 -04:00
Rob Crittenden
56fa06fec4 Fix failure count interval attribute name in query for password policy.
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.

https://fedorahosted.org/freeipa/ticket/2540
2012-03-29 00:52:25 -04:00
Simo Sorce
735618a1c6 Fix memleak and silence Coverity defects
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
2012-03-22 17:33:13 +01:00
Martin Kosek
51601ac794 Treat UPGs correctly in winsync replication
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
    group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
    the dirsrv log as the gidNumber cannot be retrieved. User
    is replicated in the same way as before this patch, i.e.
    without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436
2012-03-15 09:57:37 +01:00
Simo Sorce
372d67ae81 ipa-kdb: fix delegation acl check
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
2012-02-28 13:03:22 -05:00
Simo Sorce
9942a29cab policy: add function to check lockout policy
Fixes: https://fedorahosted.org/freeipa/ticket/2393
2012-02-19 20:43:45 -05:00
Simo Sorce
8ec98dfcae ipa-kdb: Fix ACL evaluator
Fixes: https://fedorahosted.org/freeipa/ticket/2343
2012-02-20 10:48:59 +01:00
Simo Sorce
d5e4bd5c59 Remove compat defines
These definitions were needed during development to be a le to build against
krb5 version < 1.10
These function headers and defintions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
2012-02-16 14:45:23 -05:00
Simo Sorce
0c6e047128 ipa-kdb: set krblastpwdchange only when keys have been effectively changed 2012-02-15 04:51:15 -05:00
Simo Sorce
c3c59ce15c ipa-kdb: Avoid lookup on modify if possible
This avoids one useless search if we already have the entry_dn.
2012-02-15 04:50:57 -05:00
Simo Sorce
651f932473 ipa-kdb: add AS auditing support
Fixes: https://fedorahosted.org/freeipa/ticket/2334
2012-02-14 18:03:45 -05:00
Martin Kosek
f2cc9c8d33 Improve password change error message
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.

https://fedorahosted.org/freeipa/ticket/2067
2012-02-03 17:21:33 +01:00
Simo Sorce
86f908a0e4 slapi-plugins: use thread-safe ldap library 2012-01-13 19:07:47 +02:00
Simo Sorce
91c10419f8 ipa-kdb: Create PAC's KDC checksum with right key
Fixes: https://fedorahosted.org/freeipa/ticket/2170
2012-01-11 17:34:21 -05:00
Simo Sorce
417b9fb9c1 ipa-kdb: Verify the correct checksum in PAC validation
This patch requires a forthcoming change in MIT libraries which allows to pass
NULL for the server_key to the krb5_pac_verify() function.

In most cases we should always only check the KDC checksum to verify the PAC
validity.

The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.

The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.

Fixes: https://fedorahosted.org/freeipa/ticket/2169
2012-01-11 17:34:15 -05:00
Simo Sorce
de0444defe ipa-cldap: Support clients asking for default domain 2012-01-05 09:38:04 -05:00
Sumit Bose
808e75c13d Add a second module init call for newer samba versions 2011-12-09 15:57:49 -05:00
Simo Sorce
771a524525 ipa-kdb: return properly when no PAC is available 2011-12-09 14:20:46 -05:00
Simo Sorce
10264c9ea9 ipa-kdb: Add delgation access control support 2011-12-08 17:18:10 -05:00
Simo Sorce
045c7c123e ipa-kdb: enhance deref searches
Allow to deref more than one attribute.
The attrs searched are the same for all deref attributes at this time.
2011-12-08 17:18:10 -05:00
Simo Sorce
c462314f3c ipa-kdb: Fix copy and paste typo 2011-12-07 21:27:20 -05:00
Sumit Bose
27f02881c1 Make pwd-extop aware of new ipaNTHash attribute 2011-12-06 08:29:53 -05:00
Sumit Bose
edb6ed5007 Add ipasam samba passdb backend
https://fedorahosted.org/freeipa/ticket/1874
2011-12-06 08:29:53 -05:00
Simo Sorce
c3dc08b93f ipa-kdb: fix memleaks in ipa_kdb_mspac.c 2011-12-02 09:49:30 -05:00
Simo Sorce
64dfa1b37e ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles 2011-12-02 09:49:30 -05:00
Simo Sorce
e727dc50cc ipa-kdb: fix free() of uninitialized var 2011-11-29 16:08:59 -05:00
Simo Sorce
ba2e357ba2 ipa-kdb: Support re-signing PAC with different checksum
Fixes: https://fedorahosted.org/freeipa/ticket/2122
2011-11-29 09:28:25 -05:00
Simo Sorce
17cc52a154 ipa-cldap: send cldap reply 2011-11-21 18:52:59 -05:00
Simo Sorce
64ce67523f ipa-cldap: Create netlogon blob 2011-11-21 18:52:59 -05:00
Simo Sorce
046c416e90 ipa-cldap: Decode CLDAP request. 2011-11-21 18:52:59 -05:00
Simo Sorce
d709dcf8f5 ipa-cldap: Implement worker thread. 2011-11-21 18:52:59 -05:00
Simo Sorce
710f435c20 Create skeleton CLDAP server as a DS plugin 2011-11-21 18:52:48 -05:00
Simo Sorce
94a8bc1917 MS-PAC: Add support for verifying PAC in TGS requests
Fake code for now, to be rebased later
2011-11-07 14:25:07 -05:00
Simo Sorce
18537d55a7 Add support for generating PAC for AS requests for user principals 2011-11-07 14:25:07 -05:00
Simo Sorce
9701821227 Fix CID 11027: Wrong sizeof argument
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
ad8c53d584 Fix CID 11026: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
8cc402206a Fix CID 11025: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
ea10ad1851 Fix CID 11024: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
bc3fb1b3a0 Fix CID 11023: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
a49cf51ee2 Fix CID 11022: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
c286278aa9 Fix CID 11020: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
299c91df92 Fix CID 11019: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
8276d5d55f Fix CID 10745: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
7cca50e9b5 Fix CID 10743: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
e615bea1be Fix CID 10742: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
9f07404fe3 ipa-kdb: Fix memory leak 2011-11-03 09:51:30 -04:00
Simo Sorce
f28ab8351f ipa-kdb: Fix legacy password hashes generation
We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.

Fixes: https://fedorahosted.org/freeipa/ticket/1820
2011-10-06 12:15:05 -04:00
Sumit Bose
3fb40170cb ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.

https://fedorahosted.org/freeipa/ticket/1877
2011-10-05 17:20:13 +02:00
Simo Sorce
dfc704de25 ipa-kdb: Fix expiration time calculation
Expiration time should be enforced as per policy only for users and only when a
password change occurs, ina ll other cases we should just let kadmin decide
whther it is going to set a password expiration time or just leave it empty.

In general service tickts have strong random passwords so they do not need a
password policy or expiration at all.

https://fedorahosted.org/freeipa/ticket/1839
2011-09-26 10:07:11 +02:00
Simo Sorce
c981627016 ipa-pwd-extop: Enforce old password checks
If a user is changing his own password, then require the old password to be
sent for validation purposes.

https://fedorahosted.org/freeipa/ticket/1814
2011-09-21 18:10:34 -04:00
Marko Myllynen
45aa801952 include <stdint.h> for uintptr_t 2011-09-22 09:42:11 -04:00
Simo Sorce
37836a2e6c ipa-pwd-extop: Fix segfault in password change.
Do not pass an empty buffer to ber_init() as it will assert.
Check before hand and return an error.
2011-09-21 16:05:02 -04:00
Simo Sorce
4167ad01d7 ipa-kdb: Properly set password expiration time.
We do the policy check so we are the only one that can calculate the new
pwd espiration time.

Fixes: https://fedorahosted.org/freeipa/ticket/1793
2011-09-19 12:28:35 -04:00
Rob Crittenden
5371c03c93 The precendence on the modrdn plugin was set in the wrong location.
https://fedorahosted.org/freeipa/ticket/1370
2011-09-13 17:36:59 +02:00
Yuri Chornoivan
1785d0a7c1 Fix typos
Fix "The the" and "classses" in FreeIPA code and messages.

https://fedorahosted.org/freeipa/ticket/1480
2011-09-07 13:20:42 +02:00
Simo Sorce
dfa944da24 daemons: Remove ipa_kpasswd
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
2011-08-26 08:26:08 -04:00
Simo Sorce
d8de2d1b7b ipa-kdb: Be flexible
Although the proper values for booleans from LDAP should be only uppercase,
389ds does allow wrong cased values without complaining. And we still have some
places where the wrong case is used.
Avoid getting frustrating errors when reading these values out.
2011-08-26 08:24:50 -04:00
Simo Sorce
35e15f6c91 ipa-pwd-extop: Allow kadmin to set krb keys
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
2011-08-26 08:24:50 -04:00
Simo Sorce
0d048d7b49 ipa-kdb: add password policy support
Use default policy for new principals created by kadmin
2011-08-26 08:24:50 -04:00
Simo Sorce
7ea0b5d56e ipa-pwd-extop: Use common password policy code 2011-08-26 08:24:50 -04:00
Simo Sorce
452fcdccdc ipa-kdb: implement change_pwd function 2011-08-26 08:24:49 -04:00
Simo Sorce
49c25dbdf5 ipa-kdb: implement function to retrieve password policies 2011-08-26 08:24:49 -04:00
Simo Sorce
0a4f7960b9 ipa-kdb: Get/Store Master Key directly from LDAP 2011-08-26 08:24:49 -04:00
Simo Sorce
e9e426354f ipa-kdb: add functions to change principals 2011-08-26 08:24:49 -04:00
Simo Sorce
d25370a579 ipa-kdb: add function to iterate over principals 2011-08-26 08:24:49 -04:00
Simo Sorce
2f8caeab48 ipa-kdb: add functions to delete principals 2011-08-26 08:24:49 -04:00
Simo Sorce
8d5c67a9f8 ipa-kdb: add function to free principals 2011-08-26 08:24:49 -04:00
Simo Sorce
abd424889b ipa-kdb: functions to get principal 2011-08-26 08:24:49 -04:00
Simo Sorce
46c803a08d ipa-kdb: add common utility ldap wrapper functions 2011-08-26 08:24:49 -04:00
Simo Sorce
b5ba0f7f48 ipa-kdb: implement get_time function 2011-08-26 08:24:49 -04:00
Simo Sorce
6e010fedaa ipa-kdb: initialize module functions
Initialize module also on ipadb_create invocation. This is what
kdb5_util expects.
2011-08-26 08:24:49 -04:00
Simo Sorce
579a159915 ipa-kdb: add exports file
limit exported symbols only to the ones actually needed by krb5kdc
2011-08-26 08:24:49 -04:00
Simo Sorce
bac6f2dd13 ipa-kdb: Initial plugin skeleton 2011-08-26 08:24:49 -04:00
Simo Sorce
7d41e7b4d4 ipa-pwd-extop: make encsalt parsing function common
It is going to be used by the ipa-kdb module too.
2011-08-26 08:24:49 -04:00
Simo Sorce
eed401306c ipa-pwd-extop: Move encoding in common too
Also to be used by ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
4928229093 ipa-pwd-extop: Move encryption of keys in common
This way we can reuse the same code from ipa-kdb later
2011-08-26 08:24:49 -04:00
Simo Sorce
b4aab3d98d ipa-pwd-extop: Use common krb5 structs from kdb.h
This removes custom structures and allows easier sharing of code with ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
672035cbba ipa-pwd-extop: re-indent code using old style 2011-08-26 08:24:49 -04:00
Simo Sorce
229b9a209c ipa-pwd-extop: Use the proper mkvno number in keys
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
2011-08-26 08:24:49 -04:00
Simo Sorce
5746bbe92a ipa-pwd-extop: do not append mkvno to krbExtraData
mkvno is actually available as part of the key material.
There is no need to store it in the krbExtraData field as it is unused there.
2011-08-26 08:24:49 -04:00
Simo Sorce
d1cc660db2 ipa-pwd-extop: Remove unused variables and code to set them 2011-08-26 08:24:49 -04:00
Simo Sorce
c42cf02405 ipa-pwd_extop: use endian.h instead of nih function 2011-08-26 08:24:48 -04:00
Simo Sorce
e261c55626 Fix build warnings
Some are actual bugs.
2011-08-26 08:24:48 -04:00
Rob Crittenden
0147ef5b73 Fix thread deadlock by using pthreads library instead of NSPR.
The 389-ds team is in the process of exposing slapi_rwlock which we
will switch to when it is available.

https://fedorahosted.org/freeipa/ticket/1630
2011-08-24 13:57:37 +02:00
Jan Cholasta
a797f907ee Search for users in all the naming contexts present on the directory server.
ticket 1655, 1656
2011-08-22 19:04:29 -04:00
Simo Sorce
6f6679e348 Don't set the password expiration to the current time
This fixes a regression in the previous patch in ticket #1526.
2011-07-31 21:00:45 -04:00
Rob Crittenden
1ebe3c1d12 When setting a host password don't set krbPasswordExpiration.
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.

https://fedorahosted.org/freeipa/ticket/1526
2011-07-29 10:27:15 +02:00
Rob Crittenden
a00b03831b Don't set krbLastPwdChange when setting a host OTP password.
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.

If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.

https://fedorahosted.org/freeipa/ticket/1357
2011-07-18 19:34:19 -04:00
Rob Crittenden
f534445e26 Reset failed login count to 0 when admin resets password.
https://fedorahosted.org/freeipa/ticket/1441
2011-07-13 10:46:22 +02:00
Rich Megginson
cae6f1511e memory leak in ipa_winsync_get_new_ds_user_dn_cb
The new_dn_string passed into this function is malloc'd.  It
must be freed before we reassign the value.
2011-06-28 00:11:04 -04:00
Rich Megginson
89c67c3ad9 modify user deleted in AD crashes winsync
https://fedorahosted.org/freeipa/ticket/1382
crash in winsync if replaying a MOD and user does not exist in AD
If the AD entry is deleted before the deletion can be synced back to IPA,
and in the meantime an operation is performed on the corresponding
entry in IPA that should be synced to AD, winsync attempts to get the
AD entry and it is empty.  This just means the operation will not go
through, and the entry will be deleted when the sync from AD happens.
The IPA winsync plugin needs to handle the case when the ad_entry
is NULL.
2011-06-28 00:11:04 -04:00
Rich Megginson
d43e87e10c winsync enables disabled users in AD
https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly.  The code that handled the
account sync in the from AD direction was broken, but was never found before
now because it had not been used.  The fix is to correctly set or remove
nsAccountLock.
2011-06-28 00:11:04 -04:00
Jan Cholasta
16d1db4996 Fix issues found by Coverity.
tickets 1166, 1167, 1168, 1169
2011-05-09 16:23:40 -04:00
Simo Sorce
bb9617f838 Fix resource leaks.
Fixes: https://fedorahosted.org/freeipa/ticket/1119
2011-03-28 14:50:59 -04:00
Simo Sorce
8308efeb14 Fix uninitialized variable.
https://fedorahosted.org/freeipa/ticket/1118
2011-03-24 15:20:03 -04:00
Simo Sorce
09dd05b49a Make activated/inactivated groups optional
directly change nsAccountLock on the entry if they are not used

Fixes: https://fedorahosted.org/freeipa/ticket/1021
2011-03-01 11:02:55 -05:00
Simo Sorce
83549087b5 Fix user synchronization.
We need to set uidNumber and gidNumber to the magic values so that DNA can
assign appropriate Ids, otherwise the synchronization of users from AD will
fail with an error about posixAccount requiring a missing (uidNumber)
attribute.

Fixes: https://fedorahosted.org/freeipa/ticket/1020
2011-03-01 11:02:55 -05:00
Simo Sorce
1d01ea53f1 Unbreak the ipa winsync plugin.
Fix RDN construction.

Fixes: https://fedorahosted.org/freeipa/ticket/1015
2011-03-01 11:02:55 -05:00
Simo Sorce
b3e9cac972 Set the loginShell attribute on winsynced entries if configured
Fixes: https://fedorahosted.org/freeipa/ticket/266
2011-03-01 11:02:55 -05:00
Nathan Kinder
27532f5468 Reset target DN when generated UUID is used as RDN
When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN.  The problem is that the operation in the pblock holds
a pointer to the old DN address.  This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes.  This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.

The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.

ticket 963
2011-02-17 21:36:50 -05:00
Simo Sorce
50318b60ee Fix duplicate OIDs
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.

Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.

The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).

Fixes: https://fedorahosted.org/freeipa/ticket/976
2011-02-17 08:38:53 -05:00
Rob Crittenden
c9431749a0 Let 389-ds start up even if Kerboros is not configured yet.
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.

Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.

ticket 606
2011-02-14 14:07:17 -05:00
Simo Sorce
b46faf9dfc Correctly report if this is a krb related password operation
Fixes: https://fedorahosted.org/freeipa/ticket/949
2011-02-14 13:57:00 -05:00
Simo Sorce
5341a22ba2 Update krbExtraData too when changing passwords.
Fixes: https://fedorahosted.org/freeipa/ticket/937
2011-02-14 13:36:27 -05:00
Rob Crittenden
b77046d550 Disable replication version plugin by default.
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.

When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.

Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.

ticket 918
2011-02-10 13:54:39 -05:00
Rob Crittenden
cf9ec1c427 Update kerberos password policy values on LDAP binds.
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.

On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.

This will also enforce locked-out accounts.

See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.

ticket 343
2011-01-21 13:59:24 -05:00
Simo Sorce
a44607ecba Fix ipa_uuid to not interfer with proper error reporting
Fixes: https://fedorahosted.org/freeipa/ticket/813
2011-01-19 15:57:57 -05:00
Martin Kosek
bd965c92d8 Mozldap-specific code removed
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.

https://fedorahosted.org/freeipa/ticket/756
2011-01-14 17:33:11 -05:00
Martin Kosek
63e70d052c Potential memory leaks in ipa-kpasswd
This patch fixes 2 situations where a pointer to allocated error
string could be overwritten - which could have resulted in
a memory leak.

https://fedorahosted.org/freeipa/ticket/716
2011-01-14 14:33:32 -05:00
Martin Kosek
c94d20cfd8 Unchecked return values in SLAPI plugins
Return values weren't checked in several cases which could
have lead to unhandled errors.

https://fedorahosted.org/freeipa/ticket/722
2011-01-14 14:20:57 -05:00
Martin Kosek
8173b8e375 Potential memory leaks in ipa-pwd-extop
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.

Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.

https://fedorahosted.org/freeipa/ticket/715
2011-01-14 14:20:57 -05:00
Rob Crittenden
4da9228fb2 Drop dependency on mozldap 2011-01-12 17:41:53 -05:00
Martin Kosek
bea3999daf Potential NULL dereference in ipapwd_prepost
This patch increases robustness in PRE MOD password SLAPI module
by ensuring that an uninitialized pointer is not dereferenced.

https://fedorahosted.org/freeipa/ticket/719
2011-01-12 11:44:59 -05:00
Martin Kosek
d03ffeabe2 Unchecked return value of calloc
Omiting return value of calloc in ipa_pwd_extop.c could lead to
memory access issues when memory is full. This patch adds return
value check.

https://fedorahosted.org/freeipa/ticket/717
2011-01-12 11:44:08 -05:00
Martin Kosek
eba72c85e8 Uninitialized pointer read in ipa-enrollment
This patch fixes a situation where an uninitialized pointer
is passed to free().

https://fedorahosted.org/freeipa/ticket/713
2011-01-12 11:41:42 -05:00
Jakub Hrozek
8a9fdbfb03 Do not use LDAP_DEPRECATED in plugins
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.

https://fedorahosted.org/freeipa/ticket/576
2011-01-07 05:00:44 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Simo Sorce
37f48c0019 Make use of mozldap vs openldap for plugins selectable 2010-12-06 12:23:09 -05:00
Jakub Hrozek
df28017eaf Init smods to prevent crash if encode_keys fails 2010-11-29 17:21:17 -05:00
Nalin Dahyabhai
b683c7261b build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
Simo Sorce
aa70959f16 Fix modrdn plugin crash bug.
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.

Fixes: https://fedorahosted.org/freeipa/ticket/529
2010-11-23 11:40:38 -05:00
Jakub Hrozek
7086c9e863 Silence compilation warnings in SLAPI plugins
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
3b7a86024b Use internal implementation of internal Kerberos functions
Don't use KRB5_PRIVATE.

The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
 * krb5_principal2salt_norealm
 * krb5_free_ktypes

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
ce75d1c6d6 Stricter compilation flags
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
5da451876e Common include file for SLAPI plugin logging
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.

https://fedorahosted.org/freeipa/ticket/408

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Simo Sorce
23f03251e0 uuid plugin: convert the plugin to use the libuuid library
The DS guys decided not to expose the DS inetrnal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.

NOTE: This causes once again a change in the tring format used for UUIDs.

fixes: https://fedorahosted.org/freeipa/ticket/465
2010-11-15 11:47:27 -05:00
Simo Sorce
7aae58fd2d uuid-plugin: Fix control access bug on replication
Fixes: https://fedorahosted.org/freeipa/ticket/468
2010-11-10 15:34:58 -05:00
Simo Sorce
4f8e4482b3 pwd-plugin: Always use a special salt by default.
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.

https://fedorahosted.org/freeipa/ticket/412
2010-10-28 17:18:03 -04:00
Simo Sorce
79c39339da pwd-plugin: fix slapi log target in logging functions 2010-10-28 17:17:59 -04:00
Simo Sorce
1bfd0f8791 ipa_uuid: prevent false positives on modifies
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
2010-10-28 07:58:31 -04:00
Simo Sorce
99a7f83c3c ipa_uuid: Handle generation of the uuid when it is a RDN 2010-10-28 07:58:31 -04:00
Simo Sorce
2a141bf2c1 ipa-uuid: Add enforce mode
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
2010-10-28 07:58:31 -04:00
Simo Sorce
7fc6dfbcac ipa-uuid: Code cleanups
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
2010-10-28 07:58:31 -04:00
Simo Sorce
1233a7aff3 ipa-uuid: safer unlock handling
This allows the code in the for loop to error out without worrying of
forgetting to unlock the config entries.
2010-10-28 07:58:31 -04:00
Simo Sorce
2d63522d48 ipa-uuid: Reset generate flag at every cycle
Avoid false positives if more than one uuid attribute is generated
in the same entry.
2010-10-28 07:58:31 -04:00
Simo Sorce
56724fa024 ipa-uuid: Remove unused functions 2010-10-28 07:58:31 -04:00
Simo Sorce
3f1293582f ipa-modrdn: Remove unused functions 2010-10-28 07:58:31 -04:00
Simo Sorce
984942ee49 Add new plugin used to modify related attributes after a modrdn operation. 2010-10-28 07:58:31 -04:00
Rob Crittenden
9afedcb683 Error out when configure finds missing dependencies
ticket 315
2010-10-26 15:39:43 -04:00
Simo Sorce
3a05149201 ipa-uuid: DNA-like plugin that generates uuids 2010-10-22 17:22:40 -04:00
Simo Sorce
0c6980bed6 Remove ipa-memberof, memberof plugin is now included in 389 DS 2010-10-15 18:05:56 -04:00
Simo Sorce
016f889a51 Improve logging facilities
Provide simplified logging macros that appropriately use __func__ __FILE__,
__LINE__, or the plugin name depending on the log level.
2010-10-07 11:23:51 -04:00
Simo Sorce
ec33e38e9a pwd-plugin: Fix unresolve symbol
This fixes a har crash when someone tries to fetch a keytab
2010-10-07 11:16:19 -04:00
Simo Sorce
475c064227 When dealing with samba password set also the sambaPwdLastSet
This attribute is required for samba to properly identify a user has changed
it's password and doesn't need to change it again at next login.

At the same time, if we are forcing a pssword reset we also need to let samba
know the user must change its password.
2010-10-07 07:53:36 -04:00
Simo Sorce
ceb91a3f71 Always detect openldap and mozldap at the same time
Slapi plugins must use mozldap because 389 ds is compiled against that.
ipa_kpasswd, instead, should be linked against openldap.
So always make sure both are available.
2010-10-07 07:53:36 -04:00
Simo Sorce
6682b63438 pwd-plugin: Remove the correct password from the history
We were mistakenly removeing the latest password from the passwordHistory
once the max history values were reached. Make sure we remove the oldest one
instead.
2010-10-05 08:54:08 -04:00
Simo Sorce
9cd0330e5d Fix ipapwd_start() style
Trun tabs into quartets of spaces. Fit lines to not exceed 80 columns.
2010-10-05 08:54:08 -04:00
Simo Sorce
c594ab88ba Add options to control NTLM hashes
By default LM hash is disabled.
Of course generation still depends on whether the SamAccount objectclass is
present in the user object.
2010-10-05 08:54:08 -04:00
Simo Sorce
19d3ba9733 pwd-plugin: format/style changes
Use __func__ in log functions instead of the explicit function name
so that if the function need to be renamed later logs reflect the
change automatically w/o the need to change all occurrences.

Also makes a grep for the function name less noisy avoiding tons of
false positives.
2010-10-05 08:52:43 -04:00
Simo Sorce
fea9181eaf pwd-plugin: Remove 14 chars limitation from the NT hash 2010-10-05 08:52:43 -04:00
Simo Sorce
3127df2aee Split ipa_pwd_extop plugin in multiple files
The plugin was getting difficult to read and maintain.
Split it (and apply cosmetic cleanups to some functions) in smaller
pieces that perform specific tasks.
2010-10-01 11:17:40 -04:00
Rob Crittenden
f20f4e6308 Fix for include problems relating to NSS3, NSPR4 and SVRCORE
This addresses some problems trying to build on non-Fedora/RHEL
distributions, notably Gentoo and Ubuntu/Debian.

Patch contributed by Ian Kumlien <pomac@vapor.com>
2010-09-16 13:48:53 -04:00
Rob Crittenden
d0740fb08b Enforce existence of 389-ds header files.
ticket #82
2010-08-06 15:33:49 -04:00
Rob Crittenden
97bd59d869 Include missing file from version plugin and update min version of 389-ds 2010-06-24 17:29:31 -04:00
Rob Crittenden
c5bdfc7193 Don't try to convert a host's password into a keytab.
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.

The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
2010-06-24 14:24:15 -04:00
Rob Crittenden
09fb073e82 Replication version checking.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
2010-06-24 10:33:53 -04:00
Rob Crittenden
ba85312bf1 Don't require kerberos principal with the LDAP password change operation.
This was preventing ldappasswd from resetting a password.

471287
2010-04-23 15:22:28 -04:00
Rob Crittenden
c7f50ac7ef Return more specific errors when returning an LDAP_OPERATIONS_ERROR
472332
2010-04-23 15:22:24 -04:00
Pavel Zuna
00b2f240f7 Fix condition bug in ipa-pwd-extop plugin. Variable used uninitialized. 2010-02-04 11:09:59 -05:00
Pavel Zuna
ba0e7b9c68 Add BIND pre-op for DS->IPA password migration to ipa-pwd-extop DS plugin. 2010-01-20 16:53:51 -05:00
root
fd5742cc79 Allow adding entries with pre-hashed passwords, but don't generate keys for them.
Fix bug #528922.
2010-01-20 16:53:41 -05:00
Rob Crittenden
342337a893 No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00
Rob Crittenden
dac224c25a Add support for per-group kerberos password policy.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.

The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
2009-10-05 13:29:55 -06:00
Rob Crittenden
d0587cbdd5 Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Simo Sorce
24089821fb Check error in kpasswd 2009-07-10 09:42:21 -04:00
Rob Crittenden
d9c4ba5a30 Remove our copy of the DNA plugin and use the one that comes with DS.
The DS plugin does config checking when adding new entries online so
we are dropping the Posix subtree.
2009-03-06 17:37:37 -05:00
Rob Crittenden
2a584ce985 Minor cleanup of configure.ac 2009-02-05 09:32:41 -05:00
Rob Crittenden
d2b1a37aaf Consolidate to a single autogen.sh and remove a redundant make target
Also cheat a little and don't force auto* to require files to exist
2009-02-04 09:04:22 -05:00
Rob Crittenden
2d7e0de5ea Get merged tree into an installalble state.
I have only tested the all, rpms and *clean targets directly.
install may work but the rpm moves a lot of things around for us.

The Apache configuration file isn't in its final state but it works
with the new mod_python configuration.
2009-02-03 15:29:20 -05:00
Rob Crittenden
e30cd6ba42 Mass tree reorganization for IPAv2. To view previous history of files use:
% git log --follow -- <file>

renamed: ipa-server/autogen.sh -> autogen.sh
renamed: ipa-server/ipa-kpasswd/Makefile.am -> daemons/ipa-kpasswd/Makefile.am
renamed: ipa-server/ipa-kpasswd/README -> daemons/ipa-kpasswd/README
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.c -> daemons/ipa-kpasswd/ipa_kpasswd.c
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.init -> daemons/ipa-kpasswd/ipa_kpasswd.init
renamed: ipa-server/ipa-slapi-plugins/Makefile.am -> daemons/ipa-slapi-plugins/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/README -> daemons/ipa-slapi-plugins/README
renamed: ipa-server/ipa-slapi-plugins/dna/Makefile.am -> daemons/ipa-slapi-plugins/dna/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/dna/dna-conf.ldif -> daemons/ipa-slapi-plugins/dna/dna-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/dna/dna.c -> daemons/ipa-slapi-plugins/dna/dna.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am -> daemons/ipa-slapi-plugins/ipa-memberof/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif -> daemons/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am -> daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/README -> daemons/ipa-slapi-plugins/ipa-pwd-extop/README
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif -> daemons/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/Makefile.am -> daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/README -> daemons/ipa-slapi-plugins/ipa-winsync/README
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h
renamed: ipa-server/xmlrpc-server/ipa-rewrite.conf -> install/conf/ipa-rewrite.conf
renamed: ipa-server/xmlrpc-server/ipa.conf -> install/conf/ipa.conf
renamed: ipa-server/xmlrpc-server/ssbrowser.html -> install/html/ssbrowser.html
renamed: ipa-server/xmlrpc-server/unauthorized.html -> install/html/unauthorized.html
renamed: ipa-server/ipa-install/share/60ipaconfig.ldif -> install/share/60ipaconfig.ldif
renamed: ipa-server/ipa-install/share/60kerberos.ldif -> install/share/60kerberos.ldif
renamed: ipa-server/ipa-install/share/60radius.ldif -> install/share/60radius.ldif
renamed: ipa-server/ipa-install/share/60samba.ldif -> install/share/60samba.ldif
renamed: ipa-server/ipa-install/share/Makefile.am -> install/share/Makefile.am
renamed: ipa-server/ipa-install/share/bind.named.conf.template -> install/share/bind.named.conf.template
renamed: ipa-server/ipa-install/share/bind.zone.db.template -> install/share/bind.zone.db.template
renamed: ipa-server/ipa-install/share/bootstrap-template.ldif -> install/share/bootstrap-template.ldif
renamed: ipa-server/ipa-install/share/certmap.conf.template -> install/share/certmap.conf.template
renamed: ipa-server/ipa-install/share/default-aci.ldif -> install/share/default-aci.ldif
renamed: ipa-server/ipa-install/share/default-keytypes.ldif -> install/share/default-keytypes.ldif
renamed: ipa-server/ipa-install/share/dna-posix.ldif -> install/share/dna-posix.ldif
renamed: ipa-server/ipa-install/share/encrypted_attribute.ldif -> install/share/encrypted_attribute.ldif
renamed: ipa-server/ipa-install/share/fedora-ds.init.patch -> install/share/fedora-ds.init.patch
renamed: ipa-server/ipa-install/share/indices.ldif -> install/share/indices.ldif
renamed: ipa-server/ipa-install/share/kdc.conf.template -> install/share/kdc.conf.template
renamed: ipa-server/ipa-install/share/kerberos.ldif -> install/share/kerberos.ldif
renamed: ipa-server/ipa-install/share/krb.con.template -> install/share/krb.con.template
renamed: ipa-server/ipa-install/share/krb5.conf.template -> install/share/krb5.conf.template
renamed: ipa-server/ipa-install/share/krb5.ini.template -> install/share/krb5.ini.template
renamed: ipa-server/ipa-install/share/krbrealm.con.template -> install/share/krbrealm.con.template
renamed: ipa-server/ipa-install/share/master-entry.ldif -> install/share/master-entry.ldif
renamed: ipa-server/ipa-install/share/memberof-task.ldif -> install/share/memberof-task.ldif
renamed: ipa-server/ipa-install/share/ntp.conf.server.template -> install/share/ntp.conf.server.template
renamed: ipa-server/ipa-install/share/ntpd.sysconfig.template -> install/share/ntpd.sysconfig.template
renamed: ipa-server/ipa-install/share/preferences.html.template -> install/share/preferences.html.template
renamed: ipa-server/ipa-install/share/referint-conf.ldif -> install/share/referint-conf.ldif
renamed: ipa-server/ipa-install/share/schema_compat.uldif -> install/share/schema_compat.uldif
renamed: ipa-server/ipa-install/share/unique-attributes.ldif -> install/share/unique-attributes.ldif
renamed: ipa-server/ipa-install/Makefile.am -> install/tools/Makefile.am
renamed: ipa-server/ipa-install/README -> install/tools/README
renamed: ipa-server/ipa-compat-manage -> install/tools/ipa-compat-manage
renamed: ipa-server/ipa-fix-CVE-2008-3274 -> install/tools/ipa-fix-CVE-2008-3274
renamed: ipa-server/ipa-ldap-updater -> install/tools/ipa-ldap-updater
renamed: ipa-server/ipa-install/ipa-replica-install -> install/tools/ipa-replica-install
renamed: ipa-server/ipa-install/ipa-replica-manage -> install/tools/ipa-replica-manage
renamed: ipa-server/ipa-install/ipa-replica-prepare -> install/tools/ipa-replica-prepare
renamed: ipa-server/ipa-install/ipa-server-certinstall -> install/tools/ipa-server-certinstall
renamed: ipa-server/ipa-install/ipa-server-install -> install/tools/ipa-server-install
renamed: ipa-server/ipa-upgradeconfig -> install/tools/ipa-upgradeconfig
renamed: ipa-server/ipa-install/ipactl -> install/tools/ipactl
renamed: ipa-server/man/Makefile.am -> install/tools/man/Makefile.am
renamed: ipa-server/man/ipa-compat-manage.1 -> install/tools/man/ipa-compat-manage.1
renamed: ipa-server/man/ipa-ldap-updater.1 -> install/tools/man/ipa-ldap-updater.1
renamed: ipa-server/man/ipa-replica-install.1 -> install/tools/man/ipa-replica-install.1
renamed: ipa-server/man/ipa-replica-manage.1 -> install/tools/man/ipa-replica-manage.1
renamed: ipa-server/man/ipa-replica-prepare.1 -> install/tools/man/ipa-replica-prepare.1
renamed: ipa-server/man/ipa-server-certinstall.1 -> install/tools/man/ipa-server-certinstall.1
renamed: ipa-server/man/ipa-server-install.1 -> install/tools/man/ipa-server-install.1
renamed: ipa-server/man/ipa_kpasswd.8 -> install/tools/man/ipa_kpasswd.8
renamed: ipa-server/man/ipa_webgui.8 -> install/tools/man/ipa_webgui.8
renamed: ipa-server/man/ipactl.8 -> install/tools/man/ipactl.8
renamed: ipa-server/ipa-install/updates/Makefile.am -> install/updates/Makefile.am
renamed: ipa-server/ipa-install/updates/RFC2307bis.update -> install/updates/RFC2307bis.update
renamed: ipa-server/ipa-install/updates/RFC4876.update -> install/updates/RFC4876.update
renamed: ipa-server/ipa-install/updates/indices.update -> install/updates/indices.update
renamed: ipa-server/ipa-install/updates/nss_ldap.update -> install/updates/nss_ldap.update
renamed: ipa-server/ipa-install/updates/replication.update -> install/updates/replication.update
renamed: ipa-server/ipa-install/updates/winsync_index.update -> install/updates/winsync_index.update
renamed: ipa-server/ipaserver/Makefile.am -> ipaserver/install/Makefile.am
renamed: ipa-server/ipaserver/__init__.py -> ipaserver/install/__init__.py
renamed: ipa-server/ipaserver/bindinstance.py -> ipaserver/install/bindinstance.py
renamed: ipa-server/ipaserver/certs.py -> ipaserver/install/certs.py
renamed: ipa-server/ipaserver/dsinstance.py -> ipaserver/install/dsinstance.py
renamed: ipa-server/ipaserver/httpinstance.py -> ipaserver/install/httpinstance.py
renamed: ipa-server/ipaserver/installutils.py -> ipaserver/install/installutils.py
renamed: ipa-server/ipaserver/ipaldap.py -> ipaserver/install/ipaldap.py
renamed: ipa-server/ipaserver/krbinstance.py -> ipaserver/install/krbinstance.py
renamed: ipa-server/ipaserver/ldapupdate.py -> ipaserver/install/ldapupdate.py
renamed: ipa-server/ipaserver/ntpinstance.py -> ipaserver/install/ntpinstance.py
renamed: ipa-server/ipaserver/replication.py -> ipaserver/install/replication.py
renamed: ipa-server/ipaserver/service.py -> ipaserver/install/service.py
renamed: ipa-server/selinux/Makefile -> selinux/Makefile
renamed: ipa-server/selinux/ipa-server-selinux.spec.in -> selinux/ipa-server-selinux.spec.in
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc -> selinux/ipa_kpasswd/ipa_kpasswd.fc
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te -> selinux/ipa_kpasswd/ipa_kpasswd.te
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.fc -> selinux/ipa_webgui/ipa_webgui.fc
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.te -> selinux/ipa_webgui/ipa_webgui.te
renamed: ipa-server/version.m4.in -> version.m4.in
2009-02-03 15:27:14 -05:00