freeipa

mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00

Files

Alexander Bokovoy 8b6d1ab854 ipa-kdb: support subordinate/superior UPN suffixes

[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Fixes: https://pagure.io/freeipa/issue/8554

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>

2020-10-26 15:55:02 -04:00

tests

Terminology improvements: use block list

2020-06-23 10:16:29 +02:00

ipa_kdb_audit_as.c

kdb: make sure audit_as_req callback signature change is preserved

2020-02-17 16:03:11 +02:00

ipa_kdb_certauth.c

Handle the removal of KRB5_KDB_FLAG_ALIAS_OK

2020-01-31 14:36:31 +01:00

ipa_kdb_common.c

ipa-kdb: reduce LDAP operations timeout to 30 seconds

2018-11-16 16:54:38 -05:00

ipa_kdb_delegation.c

ipa-kdb: fix delegation acl check

2012-02-28 13:03:22 -05:00

ipa_kdb_kdcpolicy.c

Handle the removal of KRB5_KDB_FLAG_ALIAS_OK

2020-01-31 14:36:31 +01:00

ipa_kdb_mkey.c

ipa-kdb: Get/Store Master Key directly from LDAP

2011-08-26 08:24:49 -04:00

ipa_kdb_mspac_private.h

ipa-kdb: support subordinate/superior UPN suffixes

2020-10-26 15:55:02 -04:00

ipa_kdb_mspac.c

ipa-kdb: support subordinate/superior UPN suffixes

2020-10-26 15:55:02 -04:00

ipa_kdb_passwords.c

Pass the user to the password policy check in the kdb driver

2020-10-23 09:32:52 -04:00

ipa_kdb_principals.c

Pass the user to the password policy check in the kdb driver

2020-10-23 09:32:52 -04:00

ipa_kdb_pwdpolicy.c

Pass the user to the password policy check in the kdb driver

2020-10-23 09:32:52 -04:00

ipa_kdb.c

Easier to use ipa_gethostfqdn()

2020-10-26 17:11:19 +11:00

ipa_kdb.exports

Add a skeleton kdcpolicy plugin

2019-09-10 12:33:21 +03:00

ipa_kdb.h

Easier to use ipa_gethostfqdn()

2020-10-26 17:11:19 +11:00

ipa-print-pac.c

ipa-print-pac: acquire and print PAC record for a user

2020-05-27 17:57:39 +03:00

Makefile.am

libotp: Replace NSS with OpenSSL HMAC

2020-06-08 20:04:18 +03:00

README

Make the coding style explicit

2020-01-15 10:00:08 +01:00

README.s4u2proxy.txt

Fix s4u2proxy README and add warning

2015-06-08 14:37:29 -04:00

README

This is the ipa krb5kdc database backend.

As the KDB interfaces heavily with krb5, we inherit its code style as well.
However, note the following changes:

- no modelines (and different file preamble)
- return types don't require their own line
- single-statement blocks may optionally be braced
- /* and */ do not ever get their own line
- C99 for-loops are permitted (and encouraged)
- a restricted set of other C99 features are permitted

In particular, variable-length arrays, flexible array members, compound
literals, universal character names, and //-style comments are not permitted.

Use of regular malloc/free is preferred over talloc for new code.

By and large, existing code mostly conforms to these requirements.  New code
must conform to them.