summaryrefslogtreecommitdiff
path: root/server/providers/krb5
AgeCommit message (Collapse)AuthorFilesLines
2010-01-11Fix return value when offline and TGT is validSumit Bose1-1/+1
Fixes CVE-2010-0014
2010-01-05Return an error for an unknown PAM requestSumit Bose1-6/+18
2009-12-18Do not blindly accept zero-length passwordsStephen Gallagher2-8/+17
2009-12-18Fix ldap child memory hierarchy and other issuesSimo Sorce2-63/+97
The timeout handler was not a child of the request so it could fire even though the request was already freed. The code wouldn't use async writes to the children so it could incur in a short write with no way to detect or recover from it. Also fixed style of some helper functions to pass explicit paramters instead of a general structure. Add common code to do async writes to pipes. Fixed async write issue for the krb5_child as well. Fix also sdap_kinit_done(), a return statement was missing and we were mixing SDAP_AUTH and errno return codes in state->result Remove usless helper function that just replicates talloc_strndup()
2009-12-18Fix for #344Sumit Bose1-13/+11
Do not handle a missing ccache file as inactive by default, check if there are still active processes of the user.
2009-12-18Do not overwrite valid TGTs when offlineSumit Bose2-42/+88
2009-12-18Handle chauthtok with PAM_PRELIM_CHECK separatelySumit Bose2-13/+37
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request.
2009-12-15Don't consider one address with different port numbers as the sameMartin Nagy1-1/+3
There were two problems with the code. We were using fo_set_server_status() instead of fo_set_port_status() when we failed to connect to a service. This is a problem because if two services use the same server, or we want to use one server with two different ports, marking the whole server as bad is incorrect. The other problem was that be_resolve_server_done() was comparing the hostent structures -- these are, however, equal across multiple server:port pairs with the same server addresses. Fixes: #321
2009-12-10Consolidate code for splitting strings by separatorJakub Hrozek1-5/+3
There were two functions for parsing strings by a separator. This patch consolidates on the one previously used in confdb. This also allows stripping the tokens of whitespace. Fixes: #319
2009-12-09Reduce code duplication between LDAP child and Kerberos childJakub Hrozek1-116/+7
Fixes: #294
2009-12-08Add dummy credentials to an empty ccache fileSumit Bose1-2/+54
Application like krb5-auth-dialog might get confused if there is a credential cache file without any credentials in it. This patch adds an expired credential where only the client and the server principal are set. The client principal is the user's principal and the server principal corresponds to a TGT principal of the realm the user belongs to.
2009-12-01Immediately return a krb5 change password request when offlineSumit Bose1-0/+7
2009-11-25Remove unneeded debugging codeSumit Bose1-9/+0
2009-11-25Fix an internal error when cache_credentials=FALSESumit Bose1-1/+4
2009-11-25Split helpers for child processesJakub Hrozek4-173/+4
Moves several functions out of providers/krb5 hierarchy into a separate module so it can be shared by the ldap child.
2009-11-23Read KDC info from file instead from environmentSumit Bose5-30/+323
Then name or IP adress of the KDC is written into the pubconf directory into a file named kdcinfo.REALM. The locator plugin will then read this file and pass the data to the kerberos libraries.
2009-11-20Add initial failover support for ldap and ipaSimo Sorce3-2/+9
The retun values are still not directly used with ldap libraries that still do their own name resolution, but this patch introduces a very basic framework to have a multiple providers in one domain use and share a single failover service if they want to.
2009-11-20Add ipa_authSumit Bose1-0/+3
To support IPA DS to Kerberos password migration a seperate authentication target is added. It calls the Kerberos authentication target and in the case of a 'Preauthentication Error' the LDAP authentication target. On success the Kerberos target is called again to request the TGT.
2009-11-20Improve handling of ccache filesSumit Bose3-202/+597
- save current ccache file to sysdb - use the saved ccache file if the user has running processes - create an empty ccache if offline - return enviroment variables if offline
2009-11-20Validate Kerberos credentials with local keytabSumit Bose6-39/+250
2009-11-13Fix option name krb5_changepw_principalSumit Bose1-1/+1
2009-11-12Fix inconsistent use of krb5_ccname_templateSumit Bose1-1/+1
2009-11-10Simplify krb5 child handlerSumit Bose1-17/+18
Currently the Kerberos child handler evaluates the siginfo_t structure to wait for a specific child. This scheme is prone to error, especially when there are more than one child process active, and can produce missleading debug message. This patch simplifies the scheme as it waits for any child.
2009-11-09Fix tevent_req error checking.Simo Sorce1-23/+20
When possible using a macro that correctly deals with tstate
2009-11-06Check is ccache structure is initialized before calling krb5_cc_destroySumit Bose1-8/+16
2009-11-05add replacements for missing Kerberos callsSumit Bose3-38/+9
2009-10-22update krb5 option handling to new option schemeSumit Bose7-125/+273
2009-10-16Move all krb5 provider init functionsSimo Sorce4-193/+261
Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
2009-10-15enable debugging of krb5_childSumit Bose3-4/+142
2009-10-15Return the dp error from the providersSimo Sorce1-16/+30
2009-10-12fix a wrong argument to unpack_bufferSumit Bose1-18/+40
- the patch to handle short read introduced a new variable len to store the amount of data read. Instead of using this variable unpack_buffer was called with the old variable ret. Thanks to mnagy@redhat.com for finding this. - this patch also fixes a potential error when the message size is equal to the buffer size.
2009-10-09use the correct kerberos context for each targetSumit Bose1-4/+33
- when the kerberos provider was used as a chpass_provider but not as auth_provider the backend died
2009-10-05handle expired password during authenticationSumit Bose1-2/+25
2009-09-25remove krb5_try_simple_upn option and make it a default fallbackSumit Bose2-9/+1
2009-09-25fix possible short reads in kerberos providerSumit Bose2-15/+46
2009-09-25Upgrade confdb to version 2Stephen Gallagher1-7/+10
This converts a great many configuration options to the new standard format.
2009-09-24added support for older MIT kerberos versionssbose3-7/+37
- make the build of the locator plugin optional - added a man page for the locator plugin - use krb5.h if krb5/krb5.h cannot be found - added alternatives for missing functions - set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version is lesser than 1.0.0
2009-09-23Revert "Use syslog for logging error conditions in SSSD"Stephen Gallagher1-2/+2
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d. Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made use of the SYSLOG_ERROR() macro, so those portions of that code also needed to be reverted.
2009-09-21Use syslog for logging error conditions in SSSDJakub Hrozek1-2/+2
This is just a band-aid until ELAPI is fully functional and ready to use.
2009-09-14added child timeout handlerSumit Bose2-6/+90
2009-09-14fix the wrong usage of an offsetSumit Bose1-1/+1
2009-09-14add krb5ccache_dir and krb5ccname_template optionSumit Bose5-50/+356
The configuration options krb5ccache_dir and krb5ccname_template are added to the Kerberos provider to create the user's credential caches the same way as pam_krb5 does. Due to the design of the sssd and the supported ccache types of MIT Kerberos only files are allowed.
2009-09-14Make the offline status backend-globalSimo Sorce1-4/+13
Add helpers functions to query/set the offline status per backend. Now all providers share the same offline status.
2009-09-11use fork+exec for kerberos helperSumit Bose3-193/+463
2009-09-11add change password target to krb5 backendSumit Bose4-207/+447
2009-08-28send SSSD_REALM and SSSD_KDCIP environment to the clientSumit Bose1-2/+31
Currently the kerberos locator plugin needs these two variables to be set to find a KDC which is configured in sssd but not in /etc/krb5.conf.
2009-08-24some UPN handling fixesSumit Bose2-23/+12
- making the realm part upper case is now optional and done in the LDAP backend - using a username@realm UPN is now optional
2009-08-21use stored upn if availableSumit Bose1-20/+101
If a user principle name (upn) can be found in sysdb the krb5 backend will use this otherwise is build as username@realm. It is checked that the realm is upper case only.
2009-08-11Make socket paths a compile-time optionStephen Gallagher1-1/+0
Previously, we had hardcoded the paths for the NSS, PAM and private PAM sockets to /var/lib/sss/pipes. With this patch, we will specify the sockets with --with-pipe-path.
2009-08-05Consolidate tevent helpersJakub Hrozek1-16/+0