Commit Graph

237 Commits

Author SHA1 Message Date
Rob Crittenden
71f9008906 Support the new Winsync POSIX API.
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.

http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions

https://fedorahosted.org/freeipa/ticket/3007
2012-09-06 14:29:14 +02:00
Sumit Bose
bd7f3e4b17 ipasam: replace trim_char() with trim_string() 2012-09-06 09:24:59 +02:00
Sumit Bose
931e890680 ipasam: remove fetch_ldap_pw() 2012-09-06 09:24:59 +02:00
Sumit Bose
260940ceb4 ipasam: replace get_global_sam_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
621b28a4a0 ipasam: add libsss_idmap context and replace string_to_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
dbd4cb51d3 ipasam: Replace global_sid_Builtin 2012-09-06 09:24:59 +02:00
Sumit Bose
af02b9e0a9 ipasam: Replace sid_peek_check_rid() 2012-09-06 09:24:59 +02:00
Sumit Bose
fa7f5a8327 ipasam: Replace sid_check_is_our_sam() 2012-09-06 09:24:59 +02:00
Sumit Bose
8697b70d6b ipasam: Replace dom_sid_compare_domain() 2012-09-06 09:24:59 +02:00
Sumit Bose
f864d766eb ipasam: Replace is_null_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
4f7af98571 ipasam: replace sid_compose() 2012-09-06 09:24:58 +02:00
Sumit Bose
454c2d4e8c ipasam: replace sid_copy() 2012-09-06 09:24:58 +02:00
Sumit Bose
885f4a6bb8 ipasam: remove talloc_asprintf_strupper_m() 2012-09-06 09:24:58 +02:00
Sumit Bose
2877cb4c0d ipasam: remove strlower_m() 2012-09-06 09:24:58 +02:00
Sumit Bose
33494689a2 ipasam: replace strnequal() 2012-09-06 09:24:58 +02:00
Sumit Bose
128257c68b ipasam: remove sid_peek_rid() 2012-09-06 09:24:58 +02:00
Sumit Bose
50a0b84176 ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.so 2012-09-06 09:24:58 +02:00
Sumit Bose
973aad9db3 Make encode_ntlm_keys() public 2012-09-06 09:24:58 +02:00
Sumit Bose
d90fb0a590 ipasam: cleanup explicit dependencies to samba libs 2012-09-06 09:24:58 +02:00
Sumit Bose
83245bc8c9 ipadb_iterate(): handle match_entry == NULL
If match_entry == NULL all principals should be iterated.

Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.

Fixes: https://fedorahosted.org/freeipa/ticket/3011
2012-09-05 14:20:29 +02:00
Tomas Babej
ed44de17ff Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb
https://fedorahosted.org/freeipa/ticket/2953
2012-09-04 18:06:44 +02:00
Rob Crittenden
3eadcdf123 Don't generate password history error if history is set to 0.
https://fedorahosted.org/freeipa/ticket/2805
2012-08-27 15:21:03 +02:00
Alexander Bokovoy
6171d0a01b Fix ipasam ipaNThash magic regen to actually fetch updated password
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.

Part 1 of https://fedorahosted.org/freeipa/ticket/3016
2012-08-22 17:21:11 +03:00
Alexander Bokovoy
14c48ba6fb Recover from invalid cached kerberos credentials in ipasam
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.

ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.

With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.

https://fedorahosted.org/freeipa/ticket/3009
2012-08-22 17:20:56 +03:00
Sumit Bose
e8d4cc65f8 Use libsamba-security instead of libsecurity
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
2012-08-22 17:18:07 +03:00
Sumit Bose
d815c3bc99 extdom: read ranges from LDAP 2012-08-15 23:41:06 -04:00
Simo Sorce
c58836f29d Add PAC filtering
This check the PAC we receive is consistent.
realm, flat name and domain sid must much our understanding or the trustd
realm and no additional sids beyond the own realm ones must be present.

Ticket #2849
2012-08-02 11:28:19 -04:00
Simo Sorce
754d0bea06 Split out manipulation of logon_info blob
This way multiple functions can manipulate the logon info structure until all
operations we want to do on it are done and then fold it back once.
2012-08-02 11:28:12 -04:00
Simo Sorce
1bb9eb7da3 Properly name function to add ipa external groups
The function filter_pac was not filtering the pac at all, it was merely
augmenting it with additional data relevant to the IPA server.

Change the name of the function to avoid confusion.
While there I also simplified and cleaed up the code a bit with regard to
variable names and usage.
2012-08-02 11:28:06 -04:00
Simo Sorce
4baf6ad21c Load list of trusted domain on connecting to ldap
This list is used to validate data in mspac filtering
2012-08-02 11:27:59 -04:00
Simo Sorce
560b9416f6 Move mspac structure to be a private pointer
By keeping it's definition in the mspac file it is easier to modify and make
sure any opertion on it is handled in the same file.
2012-08-02 11:27:52 -04:00
Alexander Bokovoy
051eb5f7e4 When ipaNTHash is missing, ask IPA to generate it from kerberos keys
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-30 10:32:14 -04:00
Simo Sorce
38d98fd3aa Add special modify op to regen ipaNTHash
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
2012-07-30 10:31:59 -04:00
Simo Sorce
86d83654dc Improve loops around slapi mods
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
2012-07-30 10:31:55 -04:00
Simo Sorce
505bc85ec3 Move code into common krb5 utils
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
2012-07-30 10:31:47 -04:00
Simo Sorce
9d853483fe Do not check for DNA magic values
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
2012-07-26 14:30:39 -04:00
Alexander Bokovoy
61b2f0a5d0 Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().

https://fedorahosted.org/freeipa/ticket/2929
2012-07-18 16:56:04 +03:00
Sumit Bose
0ffb2022fe Fix typo
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-09 08:36:05 -04:00
Simo Sorce
6ffb35d0f5 Fix wrong check after allocation. 2012-07-07 16:30:22 -04:00
Alexander Bokovoy
8c5504d26a reduce redundant checks in ldapsam_search_users() to a single statement 2012-07-06 13:39:27 +03:00
Alexander Bokovoy
75cb9bb0e1 Use smb.conf 'dedicated keytab file' parameter instead of hard-coded value 2012-07-06 13:38:46 +03:00
Sumit Bose
76d809574b ipasam: replace testing code 2012-07-06 13:06:16 +03:00
Sumit Bose
abe40284cf ipasam: fixes for clang warnings 2012-07-06 13:06:16 +03:00
Sumit Bose
7fb9ca23a1 Allow silent build if available 2012-07-06 13:06:15 +03:00
Alexander Bokovoy
e88049ecee ipasam: improve SASL bind callback
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.

Rework ccache handling to avoid re-initing every time callback is called
2012-07-06 13:06:15 +03:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Sumit Bose
876b1ec175 Use lower case names in LDAP to meet freeIPA convention 2012-06-29 11:59:39 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
ac6afd31f7 Add configure check for C Unit-Test framework check
The framework can be found at http://check.sourceforge.net.
2012-06-28 08:13:22 +02:00
Sumit Bose
dc3491ea42 Filter groups in the PAC
If one or more of the external groups given in the PAC can be found in
the ipaExternalGroup objects and these objects are members of local
groups, the SIDs of the local groups are added to the PAC.
2012-06-28 08:05:34 +02:00