Commit Graph

7877 Commits

Author SHA1 Message Date
Nathaniel McCallum
a601daa011 Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 10:56:19 +01:00
Martin Basti
5d65a2a305 Fix upgrade: do not use invalid ldap connection
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-06 10:45:16 +01:00
David Kupka
25abb1154b Stop dirsrv last in ipactl stop.
Other services may depend on directory server.

https://fedorahosted.org/freeipa/ticket/4632

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-06 10:43:11 +01:00
Thierry bordaz (tbordaz)
f0bcf2b295 Deadlock in schema compat plugin (between automember_update_membership task and dse update)
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
	default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
	Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
	This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
	that would be too long for cn=config (tasks, mapping tree, replication, snmp..)

https://fedorahosted.org/freeipa/ticket/4635

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 09:38:45 +01:00
Jan Cholasta
1cc27f9c68 Fix various bugs in ipap11helper
Fixes a memory leak, a library handle leak and a double free.

Also remove some redundant NULL checks before free to prevent false positives
in static code analysis.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
100262f70a Fix memory leaks in ipa-join
Also remove dead code in ipa-join and add initializer to a variable in
ipa-getkeytab to prevent false positives in static code analysis.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
e2d47cb638 Fix memory leak in ipa-pwd-extop
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
2d357a312f Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
Fixes a wrong sizeof argument and unchecked return values.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
56d832912f Fix memory leaks in ipa-extdom-extop
https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
04a6f712e4 Fix possible NULL dereference in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
59af17d5e4 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-05 15:26:42 +01:00
David Kupka
71c24b187a Respect UID and GID soft static allocation.
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation

https://fedorahosted.org/freeipa/ticket/4585

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-05 15:22:51 +01:00
Martin Basti
49a73e1d6b Fix CI tests: install_adtrust
IPA uses both named and named-pkcs11 service.
If named is masked use named-pkcs11, instead of raising exception

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 16:23:41 +01:00
Martin Basti
a21443168e Add bind-dyndb-ldap working dir to IPA specfile
https://fedorahosted.org/freeipa/ticket/4657#comment:6

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-31 15:04:53 +01:00
Jan Cholasta
1b940d39f3 Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.

https://fedorahosted.org/freeipa/ticket/4628

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-30 10:51:36 +01:00
Jan Cholasta
2ee248bd7e Handle profile changes in dogtag-ipa-ca-renew-agent
To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.

When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.

Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.

https://fedorahosted.org/freeipa/ticket/4627

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-29 15:06:05 +01:00
Petr Spacek
4e42d17130 Fix zone name to directory name conversion in BINDMgr.
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-29 15:02:08 +01:00
Martin Basti
75cdc50ba9 Fix dns zonemgr validation regression
https://fedorahosted.org/freeipa/ticket/4663

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-27 15:55:34 +01:00
Alexander Bokovoy
47ab6351f1 Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
https://fedorahosted.org/freeipa/ticket/4664

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-24 15:54:43 +02:00
Jan Cholasta
e22cf5bafc Do not check if port 8443 is available in step 2 of external CA install
The port is never available in step 2 of external CA install, as Dogtag is
already running.

https://fedorahosted.org/freeipa/ticket/4660

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-22 14:20:27 +02:00
Petr Vobornik
1300f82b9c build: increase java stack size for all arches
Gradually new arches which need a bigger stack size for web ui build appear. It's safer to increase the stack size for every architecture and avoid possible future issues.

Reason: build fail on armv7hl
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-22 13:55:28 +02:00
Petr Vobornik
5bcaea7e61 Become IPA 4.1.0 2014-10-21 16:08:54 +02:00
Martin Basti
04816e7654 fix forwarder validation errors
Fix tests, validation in dnsconfig mod, wuser warning

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:55:09 +02:00
Alexander Bokovoy
77b5a81da8 Default to use TLSv1.0 and TLSv1.1 on the IPA server side
We only will be changing the setting on the install.
For modifying existing configurations please follow instructions
at https://access.redhat.com/solutions/1232413

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 15:54:02 +02:00
Martin Basti
27290bf32d fix DNSSEC restore named state
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:52:47 +02:00
Alexander Bokovoy
2bc287479e updater: enable uid uniqueness plugin for posixAccounts
https://fedorahosted.org/freeipa/ticket/4636

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 13:46:55 +02:00
Jan Cholasta
98100feb4e DNSSEC: remove container_dnssec_keys
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-21 12:22:18 +02:00
Martin Basti
b84fc92fd7 DNSSEC: change link to ipa page
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
bcb1e91a19 DNSSEC: add files to backup
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Petr Spacek
dc5b3af72a DNSSEC: add ipa dnssec daemons
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
4ddc978cea DNSSEC: ACI
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
d254bcb146 DNSSEC: upgrading
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
45353245dd DNSSEC: uninstallation
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
877fedf6e4 DNSSEC: installation
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
cc50112f79 DNSSEC: modify named service to support dnssec
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
f01acf8e53 DNSSEC: validate forwarders
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
9af49ff97f DNSSEC: platform paths and services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
abf4418c46 DNSSEC: opendnssec services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
52acc54f9e DNSSEC: DNS key synchronization daemon
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
3c7bc2a4fd DNSSEC: add ipapk11helper module
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
3f0440f195 DNSSEC: schema
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
82961a03af DNSSEC: dependencies
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
f31f5f5344 Add mask, unmask methods for service
This patch allows mask and unmask services in IPA

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Tomas Babej
d969f73ed5 spec: Bump SSSD requires to 1.12.2
https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 10:34:03 +02:00
Petr Vobornik
9053673342 webui: update combobox input on list click
Change event of combobox is not triggered when there is only one value. Calling it's handler even for option's 'click' event makes sure that value of input gets always updated.

https://fedorahosted.org/freeipa/ticket/4655

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-21 10:32:46 +02:00
Petr Vobornik
d3de9c0ca1 webui: do not show closed dialog
Fixes issues when dialog is not removed from `IPA.opened_dialogs` registry when dialog.close() is called while the dialog is not shown, i.e., while other dialog is shown. Without it, the dialog is could be incorrectly displayed.

New dialog's property `opened` handles whether dialog is intended to be opened.

How to test:

Add new host with IP address outside of managed reverse zones to get error 4304.

https://fedorahosted.org/freeipa/ticket/4656

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-21 10:29:53 +02:00
Sumit Bose
99b10e5067 extdom: remove unused dependency to libsss_idmap
https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-10-21 10:17:54 +02:00
Sumit Bose
85f229d06d extdom: add support for sss_nss_getorigbyname()
https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-10-21 10:17:54 +02:00
Alexander Bokovoy
8629f17efc Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature 2014-10-21 10:48:08 +03:00
Martin Basti
1b7bc35b03 Remove ipaContainer, ipaOrderedContainer objectclass
https://fedorahosted.org/freeipa/ticket/4646

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 16:58:16 +02:00