[Freeipa-devel] FreeIPA OTP End-to-End

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 10 23:20:59 UTC 2014


On Thu, 09 Jan 2014, Nathaniel McCallum wrote:
>New RPMs are up: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
Just as a note -- we can use copr service to provide a better experience
for testing. I made a copr repo with previous patchset last year:
http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
Any Fedora contributor can make their own copr repositories.

>WHAT'S NEW IN THE RPMS?
>* 389ds OTP Last Token Plugin
>* 389ds OTP Sync Plugin
>* HOTP token support
>* OTP UI is now working
>
>All of the non-UI code is currently on the list. Petr is working on UI
>cleanup. You can see all the patches here:
>https://github.com/npmccallum/freeipa/tree/otp
>https://github.com/npmccallum/freeipa/tree/otpui
>
>KNOWN ISSUES
>Setting User Auth Type globally doesn't work:
>https://fedorahosted.org/freeipa/ticket/4105
>
>SELinux is broken on F20 (should be fixed in rawhide):
>https://bugzilla.redhat.com/show_bug.cgi?id=970163
There seem to be two parts, one is covered by this bug and another one
is related to SSSD/logind communication:

allow sssd_t systemd_logind_var_run_t:dir search;
allow sssd_t systemd_logind_var_run_t:file { read getattr open };

>Users can't add their own tokens. A patch to fix this is in the RPMs,
>but currently has a bug. A workaround exists. Details are here:
>https://www.redhat.com/archives/freeipa-devel/2014-January/msg00068.html
>
>Alexander Bokovoy (I think) found some issues when interacting with
>pkinit. I don't know the state of this.
It is unclear what exactly happens, but from Jakub Hrozek's testing we
saw that on the client side (preauth2.c), in the tryagain() code, the 'pkinit'
module gets control despite the 'otp' module returning success and modified
pa_data. 'pkinit' cannot process the pa_data afterwards and therefore returns
an error, which libkrb5 interprets as a failure of preauth processing.

>Alexander Bokovoy found a bug with SSSD that has (a few minutes ago)
>been patched. Details are here:
>https://lists.fedorahosted.org/pipermail/sssd-devel/2014-January/017934.html
>
>STILL NEEDED
>* UI patches polished and sent to the list.
>* OTP Sync Client (both CLI and UI).
I'll get through the otp patch reviews next week.


>
>Nathaniel
>
>On Fri, 2013-12-13 at 15:57 -0500, Nathaniel McCallum wrote:
>> This is an email to track the status of the OTP project as we push
>> toward completion. I'm also attempting to get all the pieces in play so
>> that they are testable.
>>
>> RPMs
>> Available here: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
>> These currently contain the CLI and UI patches, but exclude the DS
>> plugin patch. I will merge this last patch in when submitted to the
>> list.
>>
>> OTP CLI
>> All of the patches are merged except npmccallum-0024, which is
>> undergoing active review.
>> https://www.redhat.com/archives/freeipa-devel/2013-December/msg00102.html
>>
>> OTP UI
>> Thanks to Petr Vobornik for his set of patches implementing the UI. They
>> can be found rebased on top of my otp changes here:
>> https://github.com/npmccallum/freeipa/commits/otpui
>>
>> Authentication methods and RADIUS proxy support seem to be fully
>> functional and I have not encountered any bugs. I'm not currently able
>> to get the OTP UI to show up at all (I may well be doing something
>> wrong).
>>
>> I believe Petr plans to clean these up and resubmit them to the list.
>>
>> One additional patch will be required for the token sync extop.
>>
>> DS PLUGIN
>> I am nearing completion on the DS plugin providing support for deletion
>> protection and the token sync extop. This should hit the list next week.
>>
>> OTHER
>> Am I missing anything?
>>
>> Nathaniel
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
/ Alexander Bokovoy