Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
On Wed, 27 Oct 2010 22:25:26 -0400 Rob Crittenden rcrit...@redhat.com wrote:

> Simo Sorce wrote:
> > This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly.
> >
> > The second patch activates the plugin.
> >
> > Simo.
>
> ack x2
>
> rob

pushed to master

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
Simo Sorce wrote:

> This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly.
>
> The second patch activates the plugin.
>
> Simo.

ack x2

rob
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
On Mon, 25 Oct 2010 20:27:04 -0400 Nalin Dahyabhai na...@redhat.com wrote:

> On Mon, Oct 25, 2010 at 06:59:18PM -0400, Simo Sorce wrote:
> > I was meaning to ask you if we have any other way around. Is it possible to use a random salt instead of the principal name? We do enforce pre-authentication by default, so IIRC it should be possible, but it doesn't seem to make any difference atm, I guess we need to change something in the password plugin?
>
> If the salt stored in the user's key is marked as special instead of normal, the KDC should just send the recorded salt to the client. It looks like encrypt_encode_key() needs to generate and store a random salt when it sees that salt type in the configuration, and we need to start configuring IPA to use that.

I'll open a bug with this comment in it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
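The salt behaviour discussed in the message above, as an added example that is not part of the thread or of FreeIPA's code: a key derived with the default ("normal") salt stops matching once the principal is renamed, while a recorded random ("special") salt survives the rename. The realm, user names, password and the dict layout are constructed for illustration, and only the PBKDF2 step of the RFC 3962 string-to-key is modelled.

```python
import hashlib
import hmac
import os

REALM = "EXAMPLE.COM"   # constructed realm
ITERATIONS = 4096       # RFC 3962 default iteration count

def default_salt(principal):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (REALM + principal.replace("/", "")).encode()

def derive(password, salt):
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)

def create_entry(principal, password, salt_type):
    """Hypothetical stored key: 'normal' records no salt, 'special' records one."""
    salt = os.urandom(16) if salt_type == "special" else None
    key = derive(password, salt or default_salt(principal))
    return {"principal": principal, "salt": salt, "key": key}

def rename(entry, new_principal):
    """Model of the rename: only the principal name changes, the key is kept."""
    return dict(entry, principal=new_principal)

def salt_for_client(entry):
    """Salt the KDC hands to the client during pre-authentication."""
    if entry["salt"] is not None:
        return entry["salt"]                   # special: the recorded salt
    return default_salt(entry["principal"])    # normal: built from the current name

def can_authenticate(entry, password):
    """True if the key the client derives matches the stored key."""
    client_key = derive(password, salt_for_client(entry))
    return hmac.compare_digest(client_key, entry["key"])

def demo():
    """Return (works before rename, works after rename) per salt type."""
    results = {}
    for salt_type in ("normal", "special"):
        entry = create_entry("alice", "correct horse", salt_type)
        renamed = rename(entry, "alice.smith")
        results[salt_type] = (can_authenticate(entry, "correct horse"),
                              can_authenticate(renamed, "correct horse"))
    return results

if __name__ == "__main__":
    print(demo())
```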
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
Simo Sorce wrote:

> On Fri, 22 Oct 2010 17:46:55 -0400 Rob Crittenden rcrit...@redhat.com wrote:
> > Simo Sorce wrote:
> > > This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly.
> > >
> > > The second patch activates the plugin.
> > >
> > > Simo.
> >
> > Should ipaModRDNscope be set to the user container instead of $SUFFIX?
> >
> > rob
>
> Good question, I was tempted but then I thought the filter was enough. I am open to changing it if you feel strongly, though.
>
> Simo.

Is this going to find users from the compat plugin? If not then it is ok as-is.

rob
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
On Mon, 25 Oct 2010 10:39:06 -0400 Rob Crittenden rcrit...@redhat.com wrote:

> Simo Sorce wrote:
> > On Fri, 22 Oct 2010 17:46:55 -0400 Rob Crittenden rcrit...@redhat.com wrote:
> > > Simo Sorce wrote:
> > > > This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly.
> > > >
> > > > The second patch activates the plugin.
> > > >
> > > > Simo.
> > >
> > > Should ipaModRDNscope be set to the user container instead of $SUFFIX?
> > >
> > > rob
> >
> > Good question, I was tempted but then I thought the filter was enough. I am open to changing it if you feel strongly, though.
> >
> > Simo.
>
> Is this going to find users from the compat plugin? If not then it is ok as-is.

Can you do a modrdn modification on a compat plugin entry?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
Simo Sorce wrote:

> On Mon, 25 Oct 2010 10:39:06 -0400 Rob Crittenden rcrit...@redhat.com wrote:
> > Simo Sorce wrote:
> > > On Fri, 22 Oct 2010 17:46:55 -0400 Rob Crittenden rcrit...@redhat.com wrote:
> > > > Simo Sorce wrote:
> > > > > This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly.
> > > > >
> > > > > The second patch activates the plugin.
> > > > >
> > > > > Simo.
> > > >
> > > > Should ipaModRDNscope be set to the user container instead of $SUFFIX?
> > > >
> > > > rob
> > >
> > > Good question, I was tempted but then I thought the filter was enough. I am open to changing it if you feel strongly, though.
> > >
> > > Simo.
> >
> > Is this going to find users from the compat plugin? If not then it is ok as-is.
>
> Can you do a modrdn modification on a compat plugin entry?
>
> Simo.

Well, right, I don't know :-)

And if not, what error would be raised and do/should we catch it?

rob
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote:

> Simo Sorce wrote:
> > Can you do a modrdn modification on a compat plugin entry?
>
> Well, right, I don't know :-)
>
> And if not, what error would be raised and do/should we catch it?

You should get an insufficient-access (0.17 and earlier) or unwilling-to-perform (0.18 and later) error result.

Nalin
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
On Mon, 25 Oct 2010 11:42:09 -0400 Nalin Dahyabhai na...@redhat.com wrote:

> On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > Can you do a modrdn modification on a compat plugin entry?
> >
> > Well, right, I don't know :-)
> >
> > And if not, what error would be raised and do/should we catch it?
>
> You should get an insufficient-access (0.17 and earlier) or unwilling-to-perform (0.18 and later) error result.

And I guess this happens quite early. The ipa_modrdn plugin is invoked only as a post op, so if an error is thrown earlier I think it is not even invoked.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
On Mon, Oct 25, 2010 at 11:45:45AM -0400, Simo Sorce wrote:

> On Mon, 25 Oct 2010 11:42:09 -0400 Nalin Dahyabhai na...@redhat.com wrote:
> > On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > Can you do a modrdn modification on a compat plugin entry?
> > >
> > > Well, right, I don't know :-)
> > >
> > > And if not, what error would be raised and do/should we catch it?
> >
> > You should get an insufficient-access (0.17 and earlier) or unwilling-to-perform (0.18 and later) error result.
>
> And I guess this happens quite early. The ipa_modrdn plugin is invoked only as a post op, so if an error is thrown earlier I think it is not even invoked.

Right, the error's returned by a preop callback, so the postop callback in this plugin shouldn't be invoked.

Nalin
[Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly.

The second patch activates the plugin.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From 8dbbc7a916202905375358670c5b7a6378f7e67d Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Tue, 19 Oct 2010 17:11:31 -0400 Subject: [PATCH 1/2] Add new plugin used to modify related attributes after a modrdn operation. --- daemons/configure.ac |1 + daemons/ipa-slapi-plugins/Makefile.am |1 + daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 42 + daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 991 .../ipa-slapi-plugins/ipa-modrdn/modrdn-conf.ldif | 15 + ipa.spec.in|2 + 6 files changed, 1052 insertions(+), 0 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c create mode 100644 daemons/ipa-slapi-plugins/ipa-modrdn/modrdn-conf.ldif diff --git a/daemons/configure.ac b/daemons/configure.ac index fe59da6..b7a2989 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -281,6 +281,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile ipa-slapi-plugins/ipa-uuid/Makefile +ipa-slapi-plugins/ipa-modrdn/Makefile ]) AC_OUTPUT diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index ea82c39..1ae2351 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ ipa-enrollment \ + ipa-modrdn \ ipa-pwd-extop \ ipa-uuid \ ipa-version \ diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am new file mode 100644 index 000..5770624 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am 
@@ -0,0 +1,42 @@ +NULL = + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I/usr/include/dirsrv \ + -DPREFIX=\$(prefix)\ \ + -DBINDIR=\$(bindir)\\ + -DLIBDIR=\$(libdir)\ \ + -DLIBEXECDIR=\$(libexecdir)\ \ + -DDATADIR=\$(datadir)\\ + $(MOZLDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_modrdn.la \ + $(NULL) + +libipa_modrdn_la_SOURCES = \ + ipa_modrdn.c \ + $(NULL) + +libipa_modrdn_la_LDFLAGS = -avoid-version + +libipa_modrdn_la_LIBADD = \ + $(MOZLDAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + modrdn-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c new file mode 100644 index 000..6e48496 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c 
@@ -0,0 +1,991 @@ +/** BEGIN COPYRIGHT BLOCK + * This Program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; version 2 of the License. + * + * This Program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with + * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place, Suite 330, Boston, MA 02111-1307 USA. + * + * In addition, as a special exception, Red Hat, Inc. gives You the additional + * right to link the code of this Program with code not covered under the GNU + * General Public License (Non-GPL Code) and to distribute linked combinations + * including the two, subject to the limitations in this paragraph. Non-GPL Code + * permitted under this exception must only link to the code of this Program + * through those well defined interfaces identified in the file named EXCEPTION + * found in the source code files (the Approved Interfaces). The files of + * Non-GPL Code may instantiate templates or use macros or inline functions from + * the Approved Interfaces without causing the resulting work to be covered by + * the GNU General Public License. Only Red Hat, Inc. may make changes or + * additions to the list of Approved Interfaces. You must obey the GNU General + * Public License in all respects for all of the Program code and other code used + * in conjunction with the Program except the Non-GPL Code covered by this + * exception. If you modify this file, you may extend this exception to your + * version of the file, but you are not obligated to do so. If you do not wish to + * provide this exception without modification, you must
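Review bot: INCLUDES in the new ipa-modrdn/Makefile.am hard-codes -I/usr/include/dirsrv, so the plugin only builds where the directory server headers are installed under /usr/include. Take that path from a configure-time check or a substituted variable, the same way MOZLDAP_CFLAGS is supplied, and consider AM_CPPFLAGS here, since automake documents INCLUDES as the deprecated older name for it.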
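Review bot: The license block at the top of the new ipa_modrdn.c says "version 2 of the License" only and gives the FSF address as 59 Temple Place, Suite 330, Boston, which is the Free Software Foundation's former address. Confirm that GPLv2-only with the Red Hat linking exception is the intended license for a new file in this tree and that the EXCEPTION file the header refers to is present, then update the address or replace it with a pointer to the license text.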
Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
Simo Sorce wrote:

> This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly.
>
> The second patch activates the plugin.
>
> Simo.

Should ipaModRDNscope be set to the user container instead of $SUFFIX?

rob