Commit Graph

158 Commits

Author SHA1 Message Date
Simo Sorce
0a4f7960b9 ipa-kdb: Get/Store Master Key directly from LDAP 2011-08-26 08:24:49 -04:00
Simo Sorce
e9e426354f ipa-kdb: add functions to change principals 2011-08-26 08:24:49 -04:00
Simo Sorce
d25370a579 ipa-kdb: add function to iterate over principals 2011-08-26 08:24:49 -04:00
Simo Sorce
2f8caeab48 ipa-kdb: add functions to delete principals 2011-08-26 08:24:49 -04:00
Simo Sorce
8d5c67a9f8 ipa-kdb: add function to free principals 2011-08-26 08:24:49 -04:00
Simo Sorce
abd424889b ipa-kdb: functions to get principal 2011-08-26 08:24:49 -04:00
Simo Sorce
46c803a08d ipa-kdb: add common utility ldap wrapper functions 2011-08-26 08:24:49 -04:00
Simo Sorce
b5ba0f7f48 ipa-kdb: implement get_time function 2011-08-26 08:24:49 -04:00
Simo Sorce
6e010fedaa ipa-kdb: initialize module functions
Initialize module also on ipadb_create invocation. This is what
kdb5_util expects.
2011-08-26 08:24:49 -04:00
Simo Sorce
579a159915 ipa-kdb: add exports file
limit exported symbols only to the ones actually needed by krb5kdc
2011-08-26 08:24:49 -04:00
Simo Sorce
bac6f2dd13 ipa-kdb: Initial plugin skeleton 2011-08-26 08:24:49 -04:00
Simo Sorce
7d41e7b4d4 ipa-pwd-extop: make encsalt parsing function common
It is going to be used by the ipa-kdb module too.
2011-08-26 08:24:49 -04:00
Simo Sorce
eed401306c ipa-pwd-extop: Move encoding in common too
Also to be used by ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
4928229093 ipa-pwd-extop: Move encryption of keys in common
This way we can reuse the same code from ipa-kdb later
2011-08-26 08:24:49 -04:00
Simo Sorce
b4aab3d98d ipa-pwd-extop: Use common krb5 structs from kdb.h
This removes custom structures and allows easier sharing of code with ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
672035cbba ipa-pwd-extop: re-indent code using old style 2011-08-26 08:24:49 -04:00
Simo Sorce
229b9a209c ipa-pwd-extop: Use the proper mkvno number in keys
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
2011-08-26 08:24:49 -04:00
Simo Sorce
5746bbe92a ipa-pwd-extop: do not append mkvno to krbExtraData
mkvno is actually available as part of the key material.
There is no need to store it in the krbExtraData field as it is unused there.
2011-08-26 08:24:49 -04:00
Simo Sorce
d1cc660db2 ipa-pwd-extop: Remove unused variables and code to set them 2011-08-26 08:24:49 -04:00
Simo Sorce
c42cf02405 ipa-pwd_extop: use endian.h instead of nih function 2011-08-26 08:24:48 -04:00
Simo Sorce
e261c55626 Fix build warnings
Some are actual bugs.
2011-08-26 08:24:48 -04:00
Rob Crittenden
0147ef5b73 Fix thread deadlock by using pthreads library instead of NSPR.
The 389-ds team is in the process of exposing slapi_rwlock which we
will switch to when it is available.

https://fedorahosted.org/freeipa/ticket/1630
2011-08-24 13:57:37 +02:00
Jan Cholasta
a797f907ee Search for users in all the naming contexts present on the directory server.
ticket 1655, 1656
2011-08-22 19:04:29 -04:00
Simo Sorce
6f6679e348 Don't set the password expiration to the current time
This fixes a regression in the previous patch in ticket #1526.
2011-07-31 21:00:45 -04:00
Rob Crittenden
1ebe3c1d12 When setting a host password don't set krbPasswordExpiration.
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.

https://fedorahosted.org/freeipa/ticket/1526
2011-07-29 10:27:15 +02:00
Rob Crittenden
a00b03831b Don't set krbLastPwdChange when setting a host OTP password.
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.

If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.

https://fedorahosted.org/freeipa/ticket/1357
2011-07-18 19:34:19 -04:00
Rob Crittenden
f534445e26 Reset failed login count to 0 when admin resets password.
https://fedorahosted.org/freeipa/ticket/1441
2011-07-13 10:46:22 +02:00
Rich Megginson
cae6f1511e memory leak in ipa_winsync_get_new_ds_user_dn_cb
The new_dn_string passed into this function is malloc'd.  It
must be freed before we reassign the value.
2011-06-28 00:11:04 -04:00
Rich Megginson
89c67c3ad9 modify user deleted in AD crashes winsync
https://fedorahosted.org/freeipa/ticket/1382
crash in winsync if replaying a MOD and user does not exist in AD
If the AD entry is deleted before the deletion can be synced back to IPA,
and in the meantime an operation is performed on the corresponding
entry in IPA that should be synced to AD, winsync attempts to get the
AD entry and it is empty.  This just means the operation will not go
through, and the entry will be deleted when the sync from AD happens.
The IPA winsync plugin needs to handle the case when the ad_entry
is NULL.
2011-06-28 00:11:04 -04:00
Rich Megginson
d43e87e10c winsync enables disabled users in AD
https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly.  The code that handled the
account sync in the from AD direction was broken, but was never found before
now because it had not been used.  The fix is to correctly set or remove
nsAccountLock.
2011-06-28 00:11:04 -04:00
Jan Cholasta
16d1db4996 Fix issues found by Coverity.
tickets 1166, 1167, 1168, 1169
2011-05-09 16:23:40 -04:00
Simo Sorce
bb9617f838 Fix resource leaks.
Fixes: https://fedorahosted.org/freeipa/ticket/1119
2011-03-28 14:50:59 -04:00
Simo Sorce
8308efeb14 Fix uninitialized variable.
https://fedorahosted.org/freeipa/ticket/1118
2011-03-24 15:20:03 -04:00
Simo Sorce
09dd05b49a Make activated/inactivated groups optional
directly change nsAccountLock on the entry if they are not used

Fixes: https://fedorahosted.org/freeipa/ticket/1021
2011-03-01 11:02:55 -05:00
Simo Sorce
83549087b5 Fix user synchronization.
We need to set uidNumber and gidNumber to the magic values so that DNA can
assign appropriate Ids, otherwise the synchronization of users from AD will
fail with an error about posixAccount requiring a missing (uidNumber)
attribute.

Fixes: https://fedorahosted.org/freeipa/ticket/1020
2011-03-01 11:02:55 -05:00
Simo Sorce
1d01ea53f1 Unbreak the ipa winsync plugin.
Fix RDN construction.

Fixes: https://fedorahosted.org/freeipa/ticket/1015
2011-03-01 11:02:55 -05:00
Simo Sorce
b3e9cac972 Set the loginShell attribute on winsynced entries if configured
Fixes: https://fedorahosted.org/freeipa/ticket/266
2011-03-01 11:02:55 -05:00
Nathan Kinder
27532f5468 Reset target DN when generated UUID is used as RDN
When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN.  The problem is that the operation in the pblock holds
a pointer to the old DN address.  This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes.  This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.

The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.

ticket 963
2011-02-17 21:36:50 -05:00
Simo Sorce
50318b60ee Fix duplicate OIDs
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.

Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.

The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).

Fixes: https://fedorahosted.org/freeipa/ticket/976
2011-02-17 08:38:53 -05:00
Rob Crittenden
c9431749a0 Let 389-ds start up even if Kerboros is not configured yet.
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.

Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.

ticket 606
2011-02-14 14:07:17 -05:00
Simo Sorce
b46faf9dfc Correctly report if this is a krb related password operation
Fixes: https://fedorahosted.org/freeipa/ticket/949
2011-02-14 13:57:00 -05:00
Simo Sorce
5341a22ba2 Update krbExtraData too when changing passwords.
Fixes: https://fedorahosted.org/freeipa/ticket/937
2011-02-14 13:36:27 -05:00
Rob Crittenden
b77046d550 Disable replication version plugin by default.
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.

When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.

Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.

ticket 918
2011-02-10 13:54:39 -05:00
Rob Crittenden
cf9ec1c427 Update kerberos password policy values on LDAP binds.
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.

On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.

This will also enforce locked-out accounts.

See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.

ticket 343
2011-01-21 13:59:24 -05:00
Simo Sorce
a44607ecba Fix ipa_uuid to not interfer with proper error reporting
Fixes: https://fedorahosted.org/freeipa/ticket/813
2011-01-19 15:57:57 -05:00
Martin Kosek
bd965c92d8 Mozldap-specific code removed
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.

https://fedorahosted.org/freeipa/ticket/756
2011-01-14 17:33:11 -05:00
Martin Kosek
63e70d052c Potential memory leaks in ipa-kpasswd
This patch fixes 2 situations where a pointer to allocated error
string could be overwritten - which could have resulted in
a memory leak.

https://fedorahosted.org/freeipa/ticket/716
2011-01-14 14:33:32 -05:00
Martin Kosek
c94d20cfd8 Unchecked return values in SLAPI plugins
Return values weren't checked in several cases which could
have lead to unhandled errors.

https://fedorahosted.org/freeipa/ticket/722
2011-01-14 14:20:57 -05:00
Martin Kosek
8173b8e375 Potential memory leaks in ipa-pwd-extop
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.

Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.

https://fedorahosted.org/freeipa/ticket/715
2011-01-14 14:20:57 -05:00
Rob Crittenden
4da9228fb2 Drop dependency on mozldap 2011-01-12 17:41:53 -05:00
Martin Kosek
bea3999daf Potential NULL dereference in ipapwd_prepost
This patch increases robustness in PRE MOD password SLAPI module
by ensuring that an uninitialized pointer is not dereferenced.

https://fedorahosted.org/freeipa/ticket/719
2011-01-12 11:44:59 -05:00
Martin Kosek
d03ffeabe2 Unchecked return value of calloc
Omiting return value of calloc in ipa_pwd_extop.c could lead to
memory access issues when memory is full. This patch adds return
value check.

https://fedorahosted.org/freeipa/ticket/717
2011-01-12 11:44:08 -05:00
Martin Kosek
eba72c85e8 Uninitialized pointer read in ipa-enrollment
This patch fixes a situation where an uninitialized pointer
is passed to free().

https://fedorahosted.org/freeipa/ticket/713
2011-01-12 11:41:42 -05:00
Jakub Hrozek
8a9fdbfb03 Do not use LDAP_DEPRECATED in plugins
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.

https://fedorahosted.org/freeipa/ticket/576
2011-01-07 05:00:44 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Simo Sorce
37f48c0019 Make use of mozldap vs openldap for plugins selectable 2010-12-06 12:23:09 -05:00
Jakub Hrozek
df28017eaf Init smods to prevent crash if encode_keys fails 2010-11-29 17:21:17 -05:00
Nalin Dahyabhai
b683c7261b build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
Simo Sorce
aa70959f16 Fix modrdn plugin crash bug.
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.

Fixes: https://fedorahosted.org/freeipa/ticket/529
2010-11-23 11:40:38 -05:00
Jakub Hrozek
7086c9e863 Silence compilation warnings in SLAPI plugins
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
3b7a86024b Use internal implementation of internal Kerberos functions
Don't use KRB5_PRIVATE.

The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
 * krb5_principal2salt_norealm
 * krb5_free_ktypes

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
ce75d1c6d6 Stricter compilation flags
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
5da451876e Common include file for SLAPI plugin logging
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.

https://fedorahosted.org/freeipa/ticket/408

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Simo Sorce
23f03251e0 uuid plugin: convert the plugin to use the libuuid library
The DS guys decided not to expose the DS inetrnal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.

NOTE: This causes once again a change in the tring format used for UUIDs.

fixes: https://fedorahosted.org/freeipa/ticket/465
2010-11-15 11:47:27 -05:00
Simo Sorce
7aae58fd2d uuid-plugin: Fix control access bug on replication
Fixes: https://fedorahosted.org/freeipa/ticket/468
2010-11-10 15:34:58 -05:00
Simo Sorce
4f8e4482b3 pwd-plugin: Always use a special salt by default.
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.

https://fedorahosted.org/freeipa/ticket/412
2010-10-28 17:18:03 -04:00
Simo Sorce
79c39339da pwd-plugin: fix slapi log target in logging functions 2010-10-28 17:17:59 -04:00
Simo Sorce
1bfd0f8791 ipa_uuid: prevent false positives on modifies
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
2010-10-28 07:58:31 -04:00
Simo Sorce
99a7f83c3c ipa_uuid: Handle generation of the uuid when it is a RDN 2010-10-28 07:58:31 -04:00
Simo Sorce
2a141bf2c1 ipa-uuid: Add enforce mode
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
2010-10-28 07:58:31 -04:00
Simo Sorce
7fc6dfbcac ipa-uuid: Code cleanups
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
2010-10-28 07:58:31 -04:00
Simo Sorce
1233a7aff3 ipa-uuid: safer unlock handling
This allows the code in the for loop to error out without worrying of
forgetting to unlock the config entries.
2010-10-28 07:58:31 -04:00
Simo Sorce
2d63522d48 ipa-uuid: Reset generate flag at every cycle
Avoid false positives if more than one uuid attribute is generated
in the same entry.
2010-10-28 07:58:31 -04:00
Simo Sorce
56724fa024 ipa-uuid: Remove unused functions 2010-10-28 07:58:31 -04:00
Simo Sorce
3f1293582f ipa-modrdn: Remove unused functions 2010-10-28 07:58:31 -04:00
Simo Sorce
984942ee49 Add new plugin used to modify related attributes after a modrdn operation. 2010-10-28 07:58:31 -04:00
Rob Crittenden
9afedcb683 Error out when configure finds missing dependencies
ticket 315
2010-10-26 15:39:43 -04:00
Simo Sorce
3a05149201 ipa-uuid: DNA-like plugin that generates uuids 2010-10-22 17:22:40 -04:00
Simo Sorce
0c6980bed6 Remove ipa-memberof, memberof plugin is now included in 389 DS 2010-10-15 18:05:56 -04:00
Simo Sorce
016f889a51 Improve logging facilities
Provide simplified logging macros that appropriately use __func__ __FILE__,
__LINE__, or the plugin name depending on the log level.
2010-10-07 11:23:51 -04:00
Simo Sorce
ec33e38e9a pwd-plugin: Fix unresolve symbol
This fixes a har crash when someone tries to fetch a keytab
2010-10-07 11:16:19 -04:00
Simo Sorce
475c064227 When dealing with samba password set also the sambaPwdLastSet
This attribute is required for samba to properly identify a user has changed
it's password and doesn't need to change it again at next login.

At the same time, if we are forcing a pssword reset we also need to let samba
know the user must change its password.
2010-10-07 07:53:36 -04:00
Simo Sorce
ceb91a3f71 Always detect openldap and mozldap at the same time
Slapi plugins must use mozldap because 389 ds is compiled against that.
ipa_kpasswd, instead, should be linked against openldap.
So always make sure both are available.
2010-10-07 07:53:36 -04:00
Simo Sorce
6682b63438 pwd-plugin: Remove the correct password from the history
We were mistakenly removeing the latest password from the passwordHistory
once the max history values were reached. Make sure we remove the oldest one
instead.
2010-10-05 08:54:08 -04:00
Simo Sorce
9cd0330e5d Fix ipapwd_start() style
Trun tabs into quartets of spaces. Fit lines to not exceed 80 columns.
2010-10-05 08:54:08 -04:00
Simo Sorce
c594ab88ba Add options to control NTLM hashes
By default LM hash is disabled.
Of course generation still depends on whether the SamAccount objectclass is
present in the user object.
2010-10-05 08:54:08 -04:00
Simo Sorce
19d3ba9733 pwd-plugin: format/style changes
Use __func__ in log functions instead of the explicit function name
so that if the function need to be renamed later logs reflect the
change automatically w/o the need to change all occurrences.

Also makes a grep for the function name less noisy avoiding tons of
false positives.
2010-10-05 08:52:43 -04:00
Simo Sorce
fea9181eaf pwd-plugin: Remove 14 chars limitation from the NT hash 2010-10-05 08:52:43 -04:00
Simo Sorce
3127df2aee Split ipa_pwd_extop plugin in multiple files
The plugin was getting difficult to read and maintain.
Split it (and apply cosmetic cleanups to some functions) in smaller
pieces that perform specific tasks.
2010-10-01 11:17:40 -04:00
Rob Crittenden
f20f4e6308 Fix for include problems relating to NSS3, NSPR4 and SVRCORE
This addresses some problems trying to build on non-Fedora/RHEL
distributions, notably Gentoo and Ubuntu/Debian.

Patch contributed by Ian Kumlien <pomac@vapor.com>
2010-09-16 13:48:53 -04:00
Rob Crittenden
d0740fb08b Enforce existence of 389-ds header files.
ticket #82
2010-08-06 15:33:49 -04:00
Rob Crittenden
97bd59d869 Include missing file from version plugin and update min version of 389-ds 2010-06-24 17:29:31 -04:00
Rob Crittenden
c5bdfc7193 Don't try to convert a host's password into a keytab.
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.

The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
2010-06-24 14:24:15 -04:00
Rob Crittenden
09fb073e82 Replication version checking.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
2010-06-24 10:33:53 -04:00
Rob Crittenden
ba85312bf1 Don't require kerberos principal with the LDAP password change operation.
This was preventing ldappasswd from resetting a password.

471287
2010-04-23 15:22:28 -04:00
Rob Crittenden
c7f50ac7ef Return more specific errors when returning an LDAP_OPERATIONS_ERROR
472332
2010-04-23 15:22:24 -04:00
Pavel Zuna
00b2f240f7 Fix condition bug in ipa-pwd-extop plugin. Variable used uninitialized. 2010-02-04 11:09:59 -05:00
Pavel Zuna
ba0e7b9c68 Add BIND pre-op for DS->IPA password migration to ipa-pwd-extop DS plugin. 2010-01-20 16:53:51 -05:00
root
fd5742cc79 Allow adding entries with pre-hashed passwords, but don't generate keys for them.
Fix bug #528922.
2010-01-20 16:53:41 -05:00
Rob Crittenden
342337a893 No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00