freeipa/daemons/ipa-kdb
Sumit Bose 0ce3ab36b4 ipa-kdb: do not fail if certmap rule cannot be added
Currently, if a certificate mapping and matching rule has a typo or is of
an unsupported type, the whole rule processing is aborted and the IPA
certmap plugin works without any rules, effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT, it
would be more user/admin-friendly to just ignore the failed rules with a
log message and continue with what is left, or use the default rule if
nothing is left.

This change is done to add more flexibility to define new mapping and
matching templates which are, e.g., needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-07 17:02:43 +02:00
tests ipa-kdb: store SID in the principal entry 2021-11-10 15:00:27 -05:00
ipa_kdb_audit_as.c ipa-kdb: fix compiler warnings 2021-03-01 10:44:25 -05:00
ipa_kdb_certauth.c ipa-kdb: do not fail if certmap rule cannot be added 2022-10-07 17:02:43 +02:00
ipa_kdb_common.c ipa-kdb: handle dates up to 2106-02-07 06:28:16 2020-12-18 20:38:40 +02:00
ipa_kdb_delegation.c ipa-kdb: use entry DN to compare aliased entries in S4U operations 2021-11-10 15:00:27 -05:00
ipa_kdb_kdcpolicy.c ipa-kdb: avoid additional checks for a well-known anonymous principal 2022-05-30 12:12:44 +03:00
ipa_kdb_mkey.c ipa-kdb: Get/Store Master Key directly from LDAP 2011-08-26 08:24:49 -04:00
ipa_kdb_mspac_private.h ipa-kdb: refactor KDB driver to prepare for KDB version 9 2022-01-24 17:38:24 -05:00
ipa_kdb_mspac_v6.c ipa-kdb: refactor KDB driver to prepare for KDB version 9 2022-01-24 17:38:24 -05:00
ipa_kdb_mspac_v9.c ipa-kdb: refactor KDB driver to prepare for KDB version 9 2022-01-24 17:38:24 -05:00
ipa_kdb_mspac.c ipa-kdb: refactor KDB driver to prepare for KDB version 9 2022-01-24 17:38:24 -05:00
ipa_kdb_passwords.c Add missing break statement to password quality switch 2021-01-15 10:01:28 +01:00
ipa_kdb_principals.c ipa-kdb: apply per-indicator settings from inherited ticket policy 2022-05-25 08:08:36 +03:00
ipa_kdb_pwdpolicy.c ipa-kdb: fix compiler warnings 2021-03-01 10:44:25 -05:00
ipa_kdb.c If the password auth type is enabled also enable the hardened policy 2022-05-25 08:08:36 +03:00
ipa_kdb.exports Add a skeleton kdcpolicy plugin 2019-09-10 12:33:21 +03:00
ipa_kdb.h KDB: support external IdP configuration 2022-05-10 15:52:41 +03:00
ipa-print-pac.c Fix use of comparison functions to avoid GCC bug 95189 2021-11-23 10:31:34 +01:00
Makefile.am ipa-kdb: fix make check 2022-03-29 14:01:29 -04:00
README Make the coding style explicit 2020-01-15 10:00:08 +01:00
README.s4u2proxy.txt Fix s4u2proxy README and add warning 2015-06-08 14:37:29 -04:00

This is the ipa krb5kdc database backend.

As the KDB interfaces heavily with krb5, we inherit its code style as well.
However, note the following changes:

- no modelines (and different file preamble)
- return types don't require their own line
- single-statement blocks may optionally be braced
- /* and */ do not ever get their own line
- C99 for-loops are permitted (and encouraged)
- a restricted set of other C99 features are permitted

In particular, variable-length arrays, flexible array members, compound
literals, universal character names, and //-style comments are not permitted.

Use of regular malloc/free is preferred over talloc for new code.

Existing code largely conforms to these requirements. New code must conform
to them.