[Freeipa-devel] Final OTP Review

Nathaniel McCallum npmccallum at redhat.com
Thu May 2 16:18:37 UTC 2013


Attached are the patches from the ongoing OTP review with rcrit. We
believe these to be ready to merge. Please review. The first two patches
just add the required schema. The third patch adds support for OTP to
kdb. The fourth adds ipa-otpd, the OTP companion daemon. The fifth adds
the 389DS bind plugin. The sixth patch is cosmetic (.gitignore).

Code for managing tokens (CLI or GUI) remains to be written, though I do
have a rudimentary script for adding tokens for testing.

KNOWN ISSUES
1. ipa-otpd runs as root. This trade-off exists to permit autobinding
for this PoC. Ideally, ipa-otpd would run as its own unprivileged user.
I'd like to address this for the N+1 release.
2. krb5 currently requires the top three patches here in order to
properly trigger the OTP code path:
https://github.com/greghudson/krb5/commits/keycheck. These should
hopefully be merged upstream soon and will be backported to krb5 1.11 in
Fedora 19 shortly.
3. krb5 tickets can't be issued. This is due to an upstream ticket
issuance bug that was discovered on Monday. This occurs *after* the OTP
has already been validated. We are working on a fix for this.

Nathaniel
-------------- next part --------------
Attachments (six patches, all text/x-patch):

0001-Add-ipaUserAuthType-and-ipaUserAuthTypeClass.patch (4215 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/3edbdcaa/attachment-0005.bin>
0002-Add-IPA-OTP-schema-and-ACLs.patch (22741 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/3edbdcaa/attachment-0004.bin>
0003-ipa-kdb-Add-OTP-support.patch (6525 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/3edbdcaa/attachment-0003.bin>
0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch (59994 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/3edbdcaa/attachment-0002.bin>
0005-Add-ipa-otp-389DS-bind-plugin.patch (72550 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/3edbdcaa/attachment-0001.bin>
0006-Ignore-log-files-from-automake-tests.patch (495 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/3edbdcaa/attachment.bin>