On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
This patch fixes 2 situations where a pointer to allocated error
string could be overwritten - which could have resulted in
a memory leak.
https://fedorahosted.org/freeipa/ticket/716
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.
Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.
https://fedorahosted.org/freeipa/ticket/715
Omiting return value of calloc in ipa_pwd_extop.c could lead to
memory access issues when memory is full. This patch adds return
value check.
https://fedorahosted.org/freeipa/ticket/717
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.
https://fedorahosted.org/freeipa/ticket/576
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.
Fixes: https://fedorahosted.org/freeipa/ticket/529
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.
https://fedorahosted.org/freeipa/ticket/408
Signed-off-by: Simo Sorce <ssorce@redhat.com>
The DS guys decided not to expose the DS inetrnal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.
NOTE: This causes once again a change in the tring format used for UUIDs.
fixes: https://fedorahosted.org/freeipa/ticket/465
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
This attribute is required for samba to properly identify a user has changed
it's password and doesn't need to change it again at next login.
At the same time, if we are forcing a pssword reset we also need to let samba
know the user must change its password.
Slapi plugins must use mozldap because 389 ds is compiled against that.
ipa_kpasswd, instead, should be linked against openldap.
So always make sure both are available.
We were mistakenly removeing the latest password from the passwordHistory
once the max history values were reached. Make sure we remove the oldest one
instead.
Use __func__ in log functions instead of the explicit function name
so that if the function need to be renamed later logs reflect the
change automatically w/o the need to change all occurrences.
Also makes a grep for the function name less noisy avoiding tons of
false positives.
The plugin was getting difficult to read and maintain.
Split it (and apply cosmetic cleanups to some functions) in smaller
pieces that perform specific tasks.
This addresses some problems trying to build on non-Fedora/RHEL
distributions, notably Gentoo and Ubuntu/Debian.
Patch contributed by Ian Kumlien <pomac@vapor.com>
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.
The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
