If we do not store the keys in the entry we need to free the array before
continuing or the data is leaked.
CoverityID: 11910
Fixes:
https://fedorahosted.org/freeipa/ticket/3884
If OTP is enabled for a user, then:
1. Long-term keys are not provided to KDB
2. The user string 'otp' is defined to KDB
Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.
https://fedorahosted.org/freeipa/ticket/3561http://freeipa.org/page/V3/OTP
The ipaKrbAuthzData LDAP attribute is read together with the other data
of the requestedprincipal and the read value(s) are stored in the e-data
of the entry for later use.
https://fedorahosted.org/freeipa/ticket/2960
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.
This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).
The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.
https://fedorahosted.org/freeipa/ticket/3312https://fedorahosted.org/freeipa/ticket/3114
If match_entry == NULL all principals should be iterated.
Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.
Fixes: https://fedorahosted.org/freeipa/ticket/3011
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.
One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0
Fixes: https://fedorahosted.org/freeipa/ticket/2488
We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1820
Expiration time should be enforced as per policy only for users and only when a
password change occurs, ina ll other cases we should just let kadmin decide
whther it is going to set a password expiration time or just leave it empty.
In general service tickts have strong random passwords so they do not need a
password policy or expiration at all.
https://fedorahosted.org/freeipa/ticket/1839
