Alexander Bokovoy
de8f969f2d
Move fips_enabled to a common library to share across different plugins
...
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2018-08-13 14:42:16 +02:00
Sumit Bose
1f0ca6aafd
ipa_pwd_extop: do not generate NT hashes in FIPS mode
...
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is
detected we disable NT hashes even if they are allowed by IPA
configuration.
Resolves https://pagure.io/freeipa/issue/7026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:16:41 +02:00
Thierry Bordaz
c223130d5f
IPA Allows Password Reuse with History value defined when admin resets the password.
...
When an admin resets a user password, the history of user passwords is
preserved according to its policy.
https://fedorahosted.org/freeipa/ticket/6402
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-24 17:01:02 +01:00
Simo Sorce
ab4fcb0fe2
Simplify date manipulation in pwd plugin
...
Use a helper function to perform operations on dates in LDAP attributes.
Related to #2795
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: David Kupka <dkupka@redhat.com>
2016-07-25 05:08:55 -04:00
David Kupka
d2cb9ed327
Allow unexpiring passwords
...
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.
https://fedorahosted.org/freeipa/ticket/2795
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-07-01 11:22:02 +02:00
Simo Sorce
58ab032f1a
Use only AES enctypes by default
...
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code still uses arcfour
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-01-13 15:24:53 +01:00
Nathaniel McCallum
9f62d0c157
Teach ipa-pwd-extop to respect global ipaUserAuthType settings
...
https://fedorahosted.org/freeipa/ticket/4105
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Simo Sorce
d0ed25c8cb
Harmonize policy discovery to kdb driver
...
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
2014-01-16 09:00:35 +01:00
Sumit Bose
d876a22732
Remove generation and handling of LM hashes
...
https://fedorahosted.org/freeipa/ticket/3795
2013-11-01 09:28:35 +01:00
Martin Kosek
5d8c02cfb8
Administrative password change does not respect password policy
...
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, default expiration time was always applied (90 days)
even though administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968
2013-10-17 14:04:03 +02:00
Nathaniel McCallum
5b58348cd3
Add OTP support to ipa-pwd-extop
...
During LDAP bind, this plugin now determines if a user is enabled
for OTP authentication. If so, then the OTP is validated in addition
to the password. This allows 2FA during user binds.
https://fedorahosted.org/freeipa/ticket/3367
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Nathaniel McCallum
1e1bab4edc
Remove unnecessary prefixes from ipa-pwd-extop files
2013-05-17 09:30:51 +02:00