[Freeipa-devel] DN patch and documentation

2012-07-07 Thread John Dennis
The DN work I was doing on master is ready for review and testing. It's 
been a long haul and I've been working relentlessly to get this work 
completed. I am on PTO for a week starting today (I know bad timing) but 
I spent yesterday and my first day of PTO today writing up extensive 
documentation for the work so others can start taking a look at it while 
I'm gone. The documentation as well as where to find the code can be 
found here:


http://jdennis.fedorapeople.org/dn_summary.html

The document is long but I felt it was better to provide explanations 
for as much as possible.


I may check in during the week but I'm going to try and discipline 
myself not to and take an actual much needed break.


John

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] DN patch and documentation

2012-07-07 Thread Simo Sorce
On Sat, 2012-07-07 at 14:45 -0400, John Dennis wrote:
> The DN work I was doing on master is ready for review and testing. It's 
> been a long haul and I've been working relentlessly to get this work 
> completed. I am on PTO for a week starting today (I know bad timing) but 
> I spent yesterday and my first day of PTO today writing up extensive 
> documentation for the work so others can start taking a look at it while 
> I'm gone. The documentation as well as where to find the code can be 
> found here:
> 
> http://jdennis.fedorapeople.org/dn_summary.html
> 
> The document is long but I felt it was better to provide explanations 
> for as much as possible.
> 
> I may check in during the week but I'm going to try and discipline 
> myself not to and take an actual much needed break.

John,
I've read the doc. and everything in there sounds agreeable to me,
including delaying mutable vs immutable conversions.

However it would be *really* useful if you split the code in a set of
patches instead of a humongous patch.

At the very least I would like to see it split into a patch that
addresses the creation of the IPASimpleLDAPObject (btw why not just
ipaLDAPObject which would be shorter ?), one patch that changes the core
stuff DN wise, one patch for the tests, one patch for all the actual
binaries.

Please do not do this on your time off, I am sure it can be handled once
you are back :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH] Fix bogus check

2012-07-07 Thread Simo Sorce
I pushed the attached patch to master under the one-line rule.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 5f68877558b009ac810bdf3f7ff494993eb7cb88 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 6 Jul 2012 16:11:32 -0400
Subject: [PATCH 1/4] Fix wrong check after allocation.

---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 5720d3e6e0a7e6b1520e51a5ee319bcc47354fc9..9c1623a3b28932fba48c878dc6084862a2ba7831 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -446,7 +446,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 
 if (is_ipant) {
 *ntvals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
-if (!svals) {
+if (!*ntvals) {
 LOG_OOM();
 rc = LDAP_OPERATIONS_ERROR;
 goto done;
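Review bot: the NULL check now tests the pointer that was just allocated (`*ntvals`) instead of `svals`, which the `calloc` on the preceding line never touches, so an allocation failure for the NT values is no longer silently ignored and later dereferenced. One thing to confirm outside this hunk is that the `done:` path releases whatever was allocated earlier in `ipapwd_gen_hashes`, since this branch sets `rc = LDAP_OPERATIONS_ERROR` and bails out with `*ntvals` left NULL.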
-- 
1.7.10.4


[Freeipa-devel] [PATCHES][RFC] Implement special operation to recover NT hash for a user

2012-07-07 Thread Simo Sorce
When installing the adtrust code we need to be able to get the ipaNTHash
populated as in some cases we may need it to authenticate connections
over SMB w/o using kerberos during the trust setup phase.

The NT hash is really just the same thing as the rc4-hmac key we already
have by default in the Kerberos Keys.

This patch-set implements a check in the password plugin for the pre-mod
operation to catch the attempt to replace the attribute with the value
'MagicRegen' in the ipaNThash attribute.

If no previous ipaNTHash value is present, and the kerberos keys are
available, then we attempt to find the rc4-hmac key and if we find it we
store it in the ipaNTHash.

This will allow us to give the admin user (and potentially any other
user) the NT hash samba requires without forcing them to reset their
password, assuming the rc4-hmac key is present (currently it is by
default).

I marked this patch-set as RFC as I want opinions on the method (LDAP
modify with replace operation) I utilized to perform the extraction.

If it bodes well with everybody we can consider the patch-set for
inclusion.

I tested it and extracting the hash works fine and it works later on
using smbclient to access a share.

This patchset implements task #2867:
https://fedorahosted.org/freeipa/ticket/2867

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
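The pre-mod logic described in the RFC above, as a stand-alone model added here for illustration; it is not the ipa-pwd-extop plugin's code. The attribute names (ipaNTHash, krbPrincipalKey), the 'MagicRegen' sentinel and the "only when no previous value is present" rule come from the mail; the dict-based entry, the (op, attr, values) tuple for a modify, the already-decoded (enctype, keybytes) key list and the decision to reject the modify when no rc4-hmac key exists are assumptions made for the simulation.

```python
# Added example, not FreeIPA's plugin code: models the ipaNTHash 'MagicRegen'
# pre-modify check described in the RFC mail.  Entry/mod/key representations
# are simplifications chosen for this simulation.

RC4_HMAC_ENCTYPE = 23          # arcfour-hmac enctype number (RFC 4757)
MAGIC_REGEN = b"MagicRegen"    # sentinel value named in the RFC


class ModifyRejected(Exception):
    """Raised when the modify must not proceed (the plugin would return an LDAP error)."""


def _get(entry, attr):
    """Case-insensitive attribute lookup, since LDAP attribute names are not case-sensitive."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def find_rc4_key(decoded_keys):
    """decoded_keys: list of (enctype, keybytes), assumed already decoded from
    krbPrincipalKey.  Returns the rc4-hmac key bytes, or None if absent."""
    for enctype, key in decoded_keys:
        if enctype == RC4_HMAC_ENCTYPE:
            return key
    return None


def premod_ipanthash(entry, mods):
    """Return a rewritten copy of `mods` (list of (op, attr, values) tuples).

    A 'replace ipaNTHash [MagicRegen]' is turned into a replace carrying the
    rc4-hmac key; every other modification passes through untouched."""
    rewritten = []
    for op, attr, values in mods:
        is_magic = (attr.lower() == "ipanthash"
                    and op == "replace"
                    and values == [MAGIC_REGEN])
        if not is_magic:
            rewritten.append((op, attr, values))
            continue
        if _get(entry, "ipaNTHash"):
            # RFC rule: only act when no previous ipaNTHash value is present
            raise ModifyRejected("ipaNTHash already present; not regenerating")
        key = find_rc4_key(_get(entry, "krbPrincipalKey"))
        if key is None:
            # assumption: the sentinel must never be stored as if it were a hash
            raise ModifyRejected("no rc4-hmac key available; a password reset is required")
        rewritten.append(("replace", "ipaNTHash", [key]))
    return rewritten


# Constructed sample data: an entry with an aes key and an rc4-hmac key.
SAMPLE_RC4_KEY = bytes(range(16))
SAMPLE_ENTRY = {
    "uid": [b"admin"],
    "krbPrincipalKey": [(18, bytes(32)), (RC4_HMAC_ENCTYPE, SAMPLE_RC4_KEY)],
}
MAGIC_MOD = [("replace", "ipaNTHash", [MAGIC_REGEN])]


def demo():
    """Run the three interesting cases and report which outcome each produced."""
    outcomes = {}
    outcomes["regen"] = premod_ipanthash(SAMPLE_ENTRY, MAGIC_MOD)
    try:
        premod_ipanthash(dict(SAMPLE_ENTRY, ipaNTHash=[b"already-set"]), MAGIC_MOD)
        outcomes["existing"] = "allowed"
    except ModifyRejected:
        outcomes["existing"] = "rejected"
    try:
        premod_ipanthash({"uid": [b"nokeys"]}, MAGIC_MOD)
        outcomes["no_rc4"] = "allowed"
    except ModifyRejected:
        outcomes["no_rc4"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Because the value written by the regen path is a password-equivalent secret, a deployment that adopts this mechanism gains a single, easily audited trigger: every successful regeneration is an LDAP modify with the literal 'MagicRegen' value on ipaNTHash, which is straightforward to flag in the directory server's access log.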
From c3d1c24413698e6d371b1de17b6efde9e1b7acb0 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 6 Jul 2012 11:15:15 -0400
Subject: [PATCH 1/7] Move code into common krb5 utils

This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ipa components.
---
 daemons/ipa-kdb/ipa_kdb_principals.c |  148 ++---
 util/ipa_krb5.c  |  150 ++
 util/ipa_krb5.h  |2 +
 3 files changed, 159 insertions(+), 141 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d87d6fe9f82b479db6ab8e6b59a8b5ee580b9a27..6f8b296fa4cb19cbfe5c37536316d6f0e7f83b9c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -205,152 +205,18 @@ static int ipadb_ldap_attr_to_key_data(LDAP *lcontext, LDAPMessage *le,
krb5_kvno *res_mkvno)
 {
 struct berval **vals;
-krb5_key_data *keys = NULL;
-BerElement *be = NULL;
-void *tmp;
-int i = 0;
-int ret = ENOENT;
+int mkvno;
+int ret;
 
 vals = ldap_get_values_len(lcontext, le, attrname);
-if (vals) {
-ber_tag_t tag;
-ber_int_t major_vno;
-ber_int_t minor_vno;
-ber_int_t kvno;
-ber_int_t mkvno;
-ber_int_t type;
-ber_tag_t seqtag;
-ber_len_t seqlen;
-ber_len_t setlen;
-ber_tag_t retag;
-ber_tag_t opttag;
-struct berval tval;
-
-be = ber_alloc_t(LBER_USE_DER);
-if (!be) {
-return ENOMEM;
-}
-
-/* reinit the ber element with the new val */
-ber_init2(be, vals[0], LBER_USE_DER);
-
-/* fill key_data struct with the data */
-retag = ber_scanf(be, {t[i]t[i]t[i]t[i]t[{,
-  tag, major_vno,
-  tag, minor_vno,
-  tag, kvno,
-  tag, mkvno,
-  seqtag);
-if (retag == LBER_ERROR ||
-major_vno != 1 ||
-minor_vno != 1 ||
-seqtag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 4)) {
-ret = EINVAL;
-goto done;
-}
-
-retag = ber_skip_tag(be, seqlen);
-
-/* sequence of keys */
-for (i = 0; retag == LBER_SEQUENCE; i++) {
-
-tmp = realloc(keys, (i + 1) * sizeof(krb5_key_data));
-if (!tmp) {
-ret = ENOMEM;
-goto done;
-}
-keys = tmp;
-
-memset(keys[i], 0, sizeof(krb5_key_data));
-
-keys[i].key_data_kvno = kvno;
-
-/* do we have a salt type ? (optional) */
-retag = ber_scanf(be, t, opttag);
-if (retag == LBER_ERROR) {
-ret = EINVAL;
-goto done;
-}
-if (opttag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0)) {
-keys[i].key_data_ver = 2;
-
-retag = ber_scanf(be, [l{tl[i],
-  seqlen, tag, setlen, type);
-if (tag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0)) {
-ret = EINVAL;
-goto done;
-}
-keys[i].key_data_type[1] = type;
-
-/* do we have salt data ? (optional) */
-