Commit Graph

197 Commits

Author SHA1 Message Date
Diane Trout
517e475f61 Fix log format not a string literal.
This was to resolve a -Werror=format-security error.

  ipa_extdom_extop.c: In function 'ipa_extdom_extop':
  ipa_extdom_extop.c:144:9: error: format not a string literal and no format
arguments [-Werror=format-security]
2013-06-03 09:57:24 +02:00
Alexander Bokovoy
b21abc76ca Fix cldap parser to work with a single equality filter (NtVer=...)
https://fedorahosted.org/freeipa/ticket/3639
2013-05-30 12:39:45 +02:00
Simo Sorce
1e224c2ea0 CLDAP: Return empty reply on non-fatal errors
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.

On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.

Fixes: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <simo@redhat.com>
2013-05-28 16:01:52 +02:00
Simo Sorce
b402b6d553 CLDAP: Fix domain handling in netlogon requests
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.

Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <simo@redhat.com>
2013-05-28 16:01:52 +02:00
Nathaniel McCallum
5b58348cd3 Add OTP support to ipa-pwd-extop
During LDAP bind, this now plugin determines if a user is enabled
for OTP authentication. If so, then the OTP is validated in addition
to the password. This allows 2FA during user binds.

    https://fedorahosted.org/freeipa/ticket/3367
    http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Nathaniel McCallum
1e1bab4edc Remove unnecessary prefixes from ipa-pwd-extop files 2013-05-17 09:30:51 +02:00
Sumit Bose
c152c9e7ff Allow ID-to-SID mappings in the extdom plugin
https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
0f43cd6ea0 Do not store SID string in a local buffer
https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
631b3cf7cd Do not lookup up the domain too early if only the SID is known
Request with a SID as input parameter do not contain the domain name,
hence is must be tried to resolve the SID first before the corresponding
domain can be looked up.

https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
7b45e33400 ipa-pwd-extop: do not use dn until it is really set
https://fedorahosted.org/freeipa/ticket/3539
2013-04-02 09:39:28 -04:00
Martin Kosek
13b1028ac8 Remove build warnings
Fix rpm build warnings report in Fedora 19 build.

https://fedorahosted.org/freeipa/ticket/3500
2013-03-29 08:59:36 +01:00
Martin Kosek
b5b040e68f Configure ipa_dns DS plugin on install and upgrade
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.

https://fedorahosted.org/freeipa/ticket/3347
2013-03-22 14:31:22 +01:00
Petr Spacek
952a7ac9f5 Add 389 DS plugin for special idnsSOASerial attribute handling
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.

https://fedorahosted.org/freeipa/ticket/3347

Signed-off-by: Petr Spacek <pspacek@redhat.com>
2013-03-22 14:31:22 +01:00
Rob Crittenden
797baef1a4 Fix lockout of LDAP bind.
There were several problems:

- A cut-n-paste error where the wrong value was being considered when
  an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
  only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
  logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
  when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
  max failures.

https://fedorahosted.org/freeipa/ticket/3433
2013-03-21 15:44:53 -04:00
Martin Kosek
dcc6f13a58 Use new 389-ds-base cleartext password API
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.

https://fedorahosted.org/freeipa/ticket/3439
2013-03-13 14:06:38 -04:00
Petr Viktorin
91606e6679 Change DNA magic value to -1 to make UID 999 usable
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886
2013-03-11 17:07:07 +01:00
Tomas Babej
8d432353cc Perform secondary rid range overlap check for local ranges only
Any of the following checks:
  - overlap between primary RID range and secondary RID range
  - overlap between secondary RID range and secondary RID range

is performed now only if both of the ranges involved are local
domain ranges.

https://fedorahosted.org/freeipa/ticket/3391
2013-03-11 13:55:43 +01:00
Sumit Bose
d10c043e92 ipa-pwd: Unchecked return value ipapwd_chpwop()
Fixes https://fedorahosted.org/freeipa/ticket/3427
2013-02-28 12:33:28 +01:00
Sumit Bose
99ff913b89 ipa-extdom: Double-free in ipa_extdom_common.c
Fixes https://fedorahosted.org/freeipa/ticket/3426
2013-02-28 12:32:43 +01:00
Sumit Bose
11b20bdc82 ipa-lockout: Wrong sizeof argument in ipa_lockout.c
Fixes https://fedorahosted.org/freeipa/ticket/3425
2013-02-28 12:31:54 +01:00
Rob Crittenden
bf77679909 Password change in a transaction, ensure passwords are truly expired
Wrap the password change extop in a transaction.

Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.

https://fedorahosted.org/freeipa/ticket/1064
2012-12-07 10:30:33 +01:00
Rob Crittenden
146da1b326 Honor the kdb options disabling KDC writes in ipa_lockout plugin
Ther3 are two global ipaConfig options to disable undesirable writes that
have performance impact.

The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)

The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-12-05 10:40:50 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Tomas Babej
27a8f93178 Forbid overlapping primary and secondary rid ranges
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.

Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086
2012-10-19 09:02:50 +02:00
Sumit Bose
89e315d639 extdom: handle INP_POSIX_UID and INP_POSIX_GID requests
Fixes https://fedorahosted.org/freeipa/ticket/3166
2012-10-18 10:57:54 +02:00
Sumit Bose
c1b922352f Fix various issues found by Coverity 2012-10-17 14:32:37 +02:00
Sumit Bose
58a99dd5ac Add SIDs for existing users and groups at the end of ipa-adtrust-install
Fixes https://fedorahosted.org/freeipa/ticket/3104
2012-10-04 22:15:36 -04:00
Rob Crittenden
71f9008906 Support the new Winsync POSIX API.
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.

http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions

https://fedorahosted.org/freeipa/ticket/3007
2012-09-06 14:29:14 +02:00
Sumit Bose
973aad9db3 Make encode_ntlm_keys() public 2012-09-06 09:24:58 +02:00
Tomas Babej
ed44de17ff Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb
https://fedorahosted.org/freeipa/ticket/2953
2012-09-04 18:06:44 +02:00
Rob Crittenden
3eadcdf123 Don't generate password history error if history is set to 0.
https://fedorahosted.org/freeipa/ticket/2805
2012-08-27 15:21:03 +02:00
Sumit Bose
d815c3bc99 extdom: read ranges from LDAP 2012-08-15 23:41:06 -04:00
Simo Sorce
38d98fd3aa Add special modify op to regen ipaNTHash
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
2012-07-30 10:31:59 -04:00
Simo Sorce
86d83654dc Improve loops around slapi mods
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
2012-07-30 10:31:55 -04:00
Simo Sorce
9d853483fe Do not check for DNA magic values
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
2012-07-26 14:30:39 -04:00
Simo Sorce
6ffb35d0f5 Fix wrong check after allocation. 2012-07-07 16:30:22 -04:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Sumit Bose
876b1ec175 Use lower case names in LDAP to meet freeIPA convention 2012-06-29 11:59:39 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
65ad261663 Add sidgen postop and task
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825
2012-06-28 08:02:05 +02:00
Rob Crittenden
74293426d9 Normalize uid to lower case in winsync.
This in effect fixes uid, krbPrincipalName and homeDir.

https://fedorahosted.org/freeipa/ticket/2756
2012-05-25 09:49:06 +02:00
Simo Sorce
46c6ff69ac Fix migration code password setting.
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.

Ticket: https://fedorahosted.org/freeipa/ticket/2764
2012-05-17 17:17:42 +02:00
Rob Crittenden
58732a83bc Return LDAP_SUCCESS on mods on a referral entry.
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.

All we really want to do is escape when we don't hvae an entry to modify.

https://fedorahosted.org/freeipa/ticket/2237
2012-05-11 08:37:41 +02:00
Martin Kosek
51601ac794 Treat UPGs correctly in winsync replication
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
    group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
    the dirsrv log as the gidNumber cannot be retrieved. User
    is replicated in the same way as before this patch, i.e.
    without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436
2012-03-15 09:57:37 +01:00
Martin Kosek
f2cc9c8d33 Improve password change error message
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.

https://fedorahosted.org/freeipa/ticket/2067
2012-02-03 17:21:33 +01:00
Simo Sorce
de0444defe ipa-cldap: Support clients asking for default domain 2012-01-05 09:38:04 -05:00
Sumit Bose
27f02881c1 Make pwd-extop aware of new ipaNTHash attribute 2011-12-06 08:29:53 -05:00
Simo Sorce
17cc52a154 ipa-cldap: send cldap reply 2011-11-21 18:52:59 -05:00
Simo Sorce
64ce67523f ipa-cldap: Create netlogon blob 2011-11-21 18:52:59 -05:00
Simo Sorce
046c416e90 ipa-cldap: Decode CLDAP request. 2011-11-21 18:52:59 -05:00
Simo Sorce
d709dcf8f5 ipa-cldap: Implement worker thread. 2011-11-21 18:52:59 -05:00
Simo Sorce
710f435c20 Create skeleton CLDAP server as a DS plugin 2011-11-21 18:52:48 -05:00
Simo Sorce
8276d5d55f Fix CID 10745: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
7cca50e9b5 Fix CID 10743: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Simo Sorce
e615bea1be Fix CID 10742: Unchecked return value
https://fedorahosted.org/freeipa/ticket/2036
2011-11-07 11:13:55 -05:00
Sumit Bose
3fb40170cb ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.

https://fedorahosted.org/freeipa/ticket/1877
2011-10-05 17:20:13 +02:00
Simo Sorce
c981627016 ipa-pwd-extop: Enforce old password checks
If a user is changing his own password, then require the old password to be
sent for validation purposes.

https://fedorahosted.org/freeipa/ticket/1814
2011-09-21 18:10:34 -04:00
Marko Myllynen
45aa801952 include <stdint.h> for uintptr_t 2011-09-22 09:42:11 -04:00
Simo Sorce
37836a2e6c ipa-pwd-extop: Fix segfault in password change.
Do not pass an empty buffer to ber_init() as it will assert.
Check before hand and return an error.
2011-09-21 16:05:02 -04:00
Rob Crittenden
5371c03c93 The precendence on the modrdn plugin was set in the wrong location.
https://fedorahosted.org/freeipa/ticket/1370
2011-09-13 17:36:59 +02:00
Yuri Chornoivan
1785d0a7c1 Fix typos
Fix "The the" and "classses" in FreeIPA code and messages.

https://fedorahosted.org/freeipa/ticket/1480
2011-09-07 13:20:42 +02:00
Simo Sorce
35e15f6c91 ipa-pwd-extop: Allow kadmin to set krb keys
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
2011-08-26 08:24:50 -04:00
Simo Sorce
7ea0b5d56e ipa-pwd-extop: Use common password policy code 2011-08-26 08:24:50 -04:00
Simo Sorce
7d41e7b4d4 ipa-pwd-extop: make encsalt parsing function common
It is going to be used by the ipa-kdb module too.
2011-08-26 08:24:49 -04:00
Simo Sorce
eed401306c ipa-pwd-extop: Move encoding in common too
Also to be used by ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
4928229093 ipa-pwd-extop: Move encryption of keys in common
This way we can reuse the same code from ipa-kdb later
2011-08-26 08:24:49 -04:00
Simo Sorce
b4aab3d98d ipa-pwd-extop: Use common krb5 structs from kdb.h
This removes custom structures and allows easier sharing of code with ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
672035cbba ipa-pwd-extop: re-indent code using old style 2011-08-26 08:24:49 -04:00
Simo Sorce
229b9a209c ipa-pwd-extop: Use the proper mkvno number in keys
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
2011-08-26 08:24:49 -04:00
Simo Sorce
5746bbe92a ipa-pwd-extop: do not append mkvno to krbExtraData
mkvno is actually available as part of the key material.
There is no need to store it in the krbExtraData field as it is unused there.
2011-08-26 08:24:49 -04:00
Simo Sorce
d1cc660db2 ipa-pwd-extop: Remove unused variables and code to set them 2011-08-26 08:24:49 -04:00
Simo Sorce
c42cf02405 ipa-pwd_extop: use endian.h instead of nih function 2011-08-26 08:24:48 -04:00
Simo Sorce
e261c55626 Fix build warnings
Some are actual bugs.
2011-08-26 08:24:48 -04:00
Rob Crittenden
0147ef5b73 Fix thread deadlock by using pthreads library instead of NSPR.
The 389-ds team is in the process of exposing slapi_rwlock which we
will switch to when it is available.

https://fedorahosted.org/freeipa/ticket/1630
2011-08-24 13:57:37 +02:00
Simo Sorce
6f6679e348 Don't set the password expiration to the current time
This fixes a regression in the previous patch in ticket #1526.
2011-07-31 21:00:45 -04:00
Rob Crittenden
1ebe3c1d12 When setting a host password don't set krbPasswordExpiration.
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.

https://fedorahosted.org/freeipa/ticket/1526
2011-07-29 10:27:15 +02:00
Rob Crittenden
a00b03831b Don't set krbLastPwdChange when setting a host OTP password.
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.

If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.

https://fedorahosted.org/freeipa/ticket/1357
2011-07-18 19:34:19 -04:00
Rob Crittenden
f534445e26 Reset failed login count to 0 when admin resets password.
https://fedorahosted.org/freeipa/ticket/1441
2011-07-13 10:46:22 +02:00
Rich Megginson
cae6f1511e memory leak in ipa_winsync_get_new_ds_user_dn_cb
The new_dn_string passed into this function is malloc'd.  It
must be freed before we reassign the value.
2011-06-28 00:11:04 -04:00
Rich Megginson
89c67c3ad9 modify user deleted in AD crashes winsync
https://fedorahosted.org/freeipa/ticket/1382
crash in winsync if replaying a MOD and user does not exist in AD
If the AD entry is deleted before the deletion can be synced back to IPA,
and in the meantime an operation is performed on the corresponding
entry in IPA that should be synced to AD, winsync attempts to get the
AD entry and it is empty.  This just means the operation will not go
through, and the entry will be deleted when the sync from AD happens.
The IPA winsync plugin needs to handle the case when the ad_entry
is NULL.
2011-06-28 00:11:04 -04:00
Rich Megginson
d43e87e10c winsync enables disabled users in AD
https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly.  The code that handled the
account sync in the from AD direction was broken, but was never found before
now because it had not been used.  The fix is to correctly set or remove
nsAccountLock.
2011-06-28 00:11:04 -04:00
Jan Cholasta
16d1db4996 Fix issues found by Coverity.
tickets 1166, 1167, 1168, 1169
2011-05-09 16:23:40 -04:00
Simo Sorce
bb9617f838 Fix resource leaks.
Fixes: https://fedorahosted.org/freeipa/ticket/1119
2011-03-28 14:50:59 -04:00
Simo Sorce
8308efeb14 Fix uninitialized variable.
https://fedorahosted.org/freeipa/ticket/1118
2011-03-24 15:20:03 -04:00
Simo Sorce
09dd05b49a Make activated/inactivated groups optional
directly change nsAccountLock on the entry if they are not used

Fixes: https://fedorahosted.org/freeipa/ticket/1021
2011-03-01 11:02:55 -05:00
Simo Sorce
83549087b5 Fix user synchronization.
We need to set uidNumber and gidNumber to the magic values so that DNA can
assign appropriate Ids, otherwise the synchronization of users from AD will
fail with an error about posixAccount requiring a missing (uidNumber)
attribute.

Fixes: https://fedorahosted.org/freeipa/ticket/1020
2011-03-01 11:02:55 -05:00
Simo Sorce
1d01ea53f1 Unbreak the ipa winsync plugin.
Fix RDN construction.

Fixes: https://fedorahosted.org/freeipa/ticket/1015
2011-03-01 11:02:55 -05:00
Simo Sorce
b3e9cac972 Set the loginShell attribute on winsynced entries if configured
Fixes: https://fedorahosted.org/freeipa/ticket/266
2011-03-01 11:02:55 -05:00
Nathan Kinder
27532f5468 Reset target DN when generated UUID is used as RDN
When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN.  The problem is that the operation in the pblock holds
a pointer to the old DN address.  This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes.  This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.

The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.

ticket 963
2011-02-17 21:36:50 -05:00
Simo Sorce
50318b60ee Fix duplicate OIDs
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.

Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.

The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).

Fixes: https://fedorahosted.org/freeipa/ticket/976
2011-02-17 08:38:53 -05:00
Rob Crittenden
c9431749a0 Let 389-ds start up even if Kerboros is not configured yet.
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.

Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.

ticket 606
2011-02-14 14:07:17 -05:00
Simo Sorce
b46faf9dfc Correctly report if this is a krb related password operation
Fixes: https://fedorahosted.org/freeipa/ticket/949
2011-02-14 13:57:00 -05:00
Simo Sorce
5341a22ba2 Update krbExtraData too when changing passwords.
Fixes: https://fedorahosted.org/freeipa/ticket/937
2011-02-14 13:36:27 -05:00
Rob Crittenden
b77046d550 Disable replication version plugin by default.
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.

When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.

Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.

ticket 918
2011-02-10 13:54:39 -05:00
Rob Crittenden
cf9ec1c427 Update kerberos password policy values on LDAP binds.
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.

On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.

This will also enforce locked-out accounts.

See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.

ticket 343
2011-01-21 13:59:24 -05:00
Simo Sorce
a44607ecba Fix ipa_uuid to not interfer with proper error reporting
Fixes: https://fedorahosted.org/freeipa/ticket/813
2011-01-19 15:57:57 -05:00
Martin Kosek
bd965c92d8 Mozldap-specific code removed
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.

https://fedorahosted.org/freeipa/ticket/756
2011-01-14 17:33:11 -05:00
Martin Kosek
c94d20cfd8 Unchecked return values in SLAPI plugins
Return values weren't checked in several cases which could
have lead to unhandled errors.

https://fedorahosted.org/freeipa/ticket/722
2011-01-14 14:20:57 -05:00
Martin Kosek
8173b8e375 Potential memory leaks in ipa-pwd-extop
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.

Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.

https://fedorahosted.org/freeipa/ticket/715
2011-01-14 14:20:57 -05:00
Martin Kosek
bea3999daf Potential NULL dereference in ipapwd_prepost
This patch increases robustness in PRE MOD password SLAPI module
by ensuring that an uninitialized pointer is not dereferenced.

https://fedorahosted.org/freeipa/ticket/719
2011-01-12 11:44:59 -05:00