These definitions were needed during development to be a le to build against
krb5 version < 1.10
These function headers and defintions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.
https://fedorahosted.org/freeipa/ticket/2067
This patch requires a forthcoming change in MIT libraries which allows to pass
NULL for the server_key to the krb5_pac_verify() function.
In most cases we should always only check the KDC checksum to verify the PAC
validity.
The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.
The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.
Fixes: https://fedorahosted.org/freeipa/ticket/2169
We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1820
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
Expiration time should be enforced as per policy only for users and only when a
password change occurs, ina ll other cases we should just let kadmin decide
whther it is going to set a password expiration time or just leave it empty.
In general service tickts have strong random passwords so they do not need a
password policy or expiration at all.
https://fedorahosted.org/freeipa/ticket/1839