freeipa/daemons/ipa-slapi-plugins
Alexander Bokovoy 5638bdcb85 ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects
This has been a problem since we added commit b5fbbd1 in 2019. Its logic
allowed adding RC4-HMAC keys for the cifs/.. service principal but it didn't
account for the case when the cifs/.. principal initiates the request.

Since ipasam only uses GETKEYTAB control, provide this extension only
here and don't allow the same for SETKEYTAB. At the point of check for
the bind DN, we already have verified that the DN is allowed to write to
the krbPrincipalKey attribute so there is no leap of faith to 'any
cifs/... principal' here.

A principal must be a member of
cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX to be allowed to perform
this operation.

Fixes: https://pagure.io/freeipa/issue/9134

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-13 18:37:12 +02:00
..
common Migrate from #ifndef guards to #pragma once 2016-05-29 14:04:45 +02:00
ipa-cldap ipa_cldap: fix memory leak 2022-02-11 13:31:34 +02:00
ipa-dns slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-enrollment slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-extdom-extop extdom: user getorigby{user|group}name if available 2022-03-16 11:08:39 +02:00
ipa-lockout slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-modrdn slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-counter slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-lasttoken User must not be able to delete his last active otp token 2018-02-15 14:10:48 +01:00
ipa-pwd-extop ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects 2022-04-13 18:37:12 +02:00
ipa-range-check slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-sidgen ipa-sidgen: make internal fetch_attr helper really internal 2018-12-14 14:04:02 +01:00
ipa-uuid 389-ds-base crashed as part of ipa-server-install in ipa-uuid 2017-11-08 08:06:35 +01:00
ipa-version ds: Support renaming of a replication plugin in 389-ds 2021-06-01 17:09:28 +03:00
ipa-winsync Fix use of comparison functions to avoid GCC bug 95189 2021-11-23 10:31:34 +01:00
libotp Fix compiler warnings in libotp 2020-09-26 10:43:42 +03:00
topology Fix use of comparison functions to avoid GCC bug 95189 2021-11-23 10:31:34 +01:00
Makefile.am Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16 09:12:07 +01:00
README Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00