IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
9,367 Commits 11 Branches 60 Tags 60 MiB
Python 75.7%
JavaScript 10.9%
C 10.8%
Roff 1.1%
Makefile 0.4%
Other 1.1%
168a6c7d47
Go to file
Nathaniel McCallum 168a6c7d47 Ensure that ipa-otpd bind auths validate an OTP 
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
asn1 CONFIGURE: Replace obsolete macros 2016-03-08 20:02:27 +01:00
checks Remove unused imports 2015-12-23 07:59:22 +01:00
client Remove deprecated hostname restoration from Fedora18 2016-04-26 14:01:42 +02:00
contrib Modernize mod_nss's cipher suites 2016-02-11 10:44:29 +01:00
daemons Ensure that ipa-otpd bind auths validate an OTP 2016-05-26 18:47:05 +02:00
doc Use print_function future definition wherever print() is used 2016-01-20 11:59:21 +01:00
init Configure httpd service from installer instead of directly from RPM 2016-04-22 10:19:25 +02:00
install ipa-nis-manage: add status option 2016-05-24 10:17:02 +02:00
ipaclient build: fix client-only build 2016-05-19 15:52:06 +02:00
ipalib Remove unused variables in automount plugin 2016-05-26 11:30:20 +02:00
ipaplatform Tasks: raise NotImplementedError for not implemented methods 2016-04-26 14:01:42 +02:00
ipapython Remove unused variable and finally block in SchemaCache 2016-05-12 11:18:40 +02:00
ipaserver Upgrade: always start CA 2016-05-25 17:19:56 +02:00
ipatests frontend: merge baseldap.CallbackRegistry into Command 2016-05-25 16:06:26 +02:00
util Add compatibility function for older libkrb5 2015-05-30 12:24:15 -04:00
.gitignore Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts) 2016-01-27 12:09:02 +01:00
.mailmap Update Contributors.txt 2015-12-02 12:31:54 +01:00
ACI.txt idviews: Add user certificate attribute to user ID overrides 2016-05-06 07:12:01 +02:00
API.txt vault: copy arguments of client commands from server counterparts 2016-05-25 16:06:26 +02:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt BUILD: Remove detection of libcheck 2016-04-22 13:21:26 +02:00
Contributors.txt Update Contributors.txt 2015-12-02 12:31:54 +01:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.spec.in build: fix client-only build 2016-05-19 15:52:06 +02:00
ipa Switch /usr/bin/ipa to Python 3 2016-05-06 16:17:28 +02:00
ipa.1 Updated ipa command man page 2016-05-03 17:41:19 +02:00
lite-server.py Port from python-krbV to python-gssapi 2015-08-26 09:41:36 +02:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Switch make-test to pytest 2014-11-21 12:14:44 +01:00
makeaci makeaci: load additional plugins using API.add_module 2016-05-25 16:06:26 +02:00
makeapi ipalib: remove the unused csv argument of Param 2016-05-25 16:06:26 +02:00
Makefile build: fix client-only build 2016-05-19 15:52:06 +02:00
MANIFEST.in Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
pylint_plugins.py ipalib: remove the unused csv argument of Param 2016-05-25 16:06:26 +02:00
pylintrc pylint: replace Refactor category with individual check names 2016-05-20 14:39:05 +02:00
pytest.ini Configure pytest to run doctests 2014-11-21 12:14:44 +01:00
README Update README and BUILD 2014-02-12 14:04:07 +01:00
setup.py build: fix client-only build 2016-05-19 15:52:06 +02:00
VERSION vault: copy arguments of client commands from server counterparts 2016-05-25 16:06:26 +02:00
version.m4.in Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
zanata.xml l10n: Add configuration file for Zanata 2015-07-07 12:07:15 +02:00

README 

                               IPA Server

  Overview
  --------

  FreeIPA allows Linux administrators to centrally manage identity,
  authentication and access control aspects of Linux and UNIX systems
  by providing simple to install and use command line and web based
  managment tools.
  FreeIPA is built on top of well known Open Source components and standard
  protocols with a very strong focus on ease of management and automation
  of installation and configuration tasks.
  FreeIPA can seamlessly integrate into an Active Directory environment via
  cross-realm Kerberos trust or user synchronization.

  Benefits
  --------

  FreeIPA:
  * Allows all your users to access all the machines with the same credentials
    and security settings
  * Allows users to access personal files transparently from any machine in
    an authenticated and secure way
  * Uses an advanced grouping mechanism to restrict network access to services
    and files only to specific users
  * Allows central management of security mechanisms like passwords,
    SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  * Enables delegation of selected administrative tasks to other power users
  * Integrates into Active Directory environments

  Components
  ----------

  The FreeIPA project provides unified installation and management
  tools for the following components:

  * LDAP Server - based on the 389 project (LDAP)
    http://directory.fedoraproject.org/wiki/Main_Page

  * KDC - based on MIT Kerberos implementation
    http://k5wiki.kerberos.org/wiki/Main_Page

  * PKI based on Dogtag project
    http://pki.fedoraproject.org/wiki/PKI_Main_Page

  * Samba libraries for Active Directory integration
    http://www.samba.org/

  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
    https://www.isc.org/software/bind
    https://fedorahosted.org/bind-dyndb-ldap


  Project Website
  ---------------

  Releases, announcements and other information can be found on the IPA
  server project page at <http://www.freeipa.org/>.

  Documentation
  -------------

  The most up-to-date documentation can be found at
  <http://freeipa.org/page/Documentation>.

  Quick Start
  -----------

  To get started quickly, start here:
  <http://www.freeipa.org/page/Quick_Start_Guide>

  Licensing
  ---------

  Please see the file called COPYING.

  Contacts
  --------

     * If you want to be informed about new code releases, bug fixes,
       security fixes, general news and information about the IPA server
       subscribe to the freeipa-announce mailing list at
       <https://www.redhat.com/mailman/listinfo/freeipa-interest/>.

     * If you have a bug report please submit it at:
       <https://bugzilla.redhat.com>

     * If you want to participate in actively developing IPA please
       subscribe to the freeipa-devel mailing list at
       <https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
       us in IRC at irc://irc.freenode.net/freeipa