[Freeipa-devel] [PATCH 0030] Add OTP sync support to ipa-pwd-extop

Nathaniel McCallum npmccallum at redhat.com
Wed Jan 29 23:06:39 UTC 2014


This new version of the patch depends on patches 0026 and 0029. It has
also been renamed.

This should hopefully solve the problems that Simo raised about extended
password validation, etc. In short, I've moved all of the token
synchronization code into ipa-pwd-extop. The original code looked like
this:

1. Validate OTP
2. Validate Password-only
3. <NOTHING>
4. Write out kerberos keys if necessary
5. Fall through to 389ds for full password validation

The code, after this patch now looks like this:

1. Validate OTP
2. Validate Password-only
3. Synchronize token
4. Write out kerberos keys if necessary
5. Fall through to 389ds for full password validation

In both cases, if #2 fails we jump immediately to #5. If #3 fails the
failure is reported to the user as INVALID_CREDENTIALS. If
synchronization succeeds, we still fall through to #4 and #5.

The only oddity of this choice is that a user could be locked out/etc
and new #3 would succeed. In this case, #5 would still fail however and
the bind would be unsuccessful. Hence, the user would never know if the
tokens were synchronized.

The new bind control is very simple:
     OTPSyncRequest ::= SEQUENCE {
         firstCode   INTEGER,
         secondCode  INTEGER,
         tokenDN     OCTET STRING OPTIONAL
     }

The OID is 2.16.840.1.113730.3.6.9. This was given to me by Mark, but I
don't know who controls this or if we can use it.

All of this is tested and working.

Nathaniel

On Thu, 2014-01-09 at 16:28 -0500, Nathaniel McCallum wrote:
> This plugin adds an extended operation for synchronizing tokens. This
> operation is available both with and without bind. In the latter case,
> the first factor is required. This operation can also be performed
> on a per-token or per-user level. In the latter case, we will attempt
> to find the token automatically.
> 
> Thanks to Mark Reynolds for helping me with this patch.
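As an added example (not code from this patch or from FreeIPA itself), the following plain-Python code builds the DER value of the OTPSyncRequest control described above and parses it the strict way a server-side plugin would; the OID is the one quoted in the mail, and the tokenDN values used in tests are constructed samples.

```python
OTP_SYNC_OID = "2.16.840.1.113730.3.6.9"  # control OID quoted in the mail
def _der_len(n):
    # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _der_int(value):
    if value < 0:
        raise ValueError("OTP codes are non-negative")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")  # sign bit stays clear
    return b"\x02" + _der_len(len(body)) + body
def encode_otp_sync_request(first_code, second_code, token_dn=None):
    # Client side: build the control value; tokenDN is OPTIONAL
    body = _der_int(first_code) + _der_int(second_code)
    if token_dn is not None:
        dn = token_dn.encode("utf-8")
        body += b"\x04" + _der_len(len(dn)) + dn
    return b"\x30" + _der_len(len(body)) + body
def _read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length
def decode_otp_sync_request(data):
    # Server side: parse strictly, rejecting wrong tags and trailing bytes
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    pos, codes = 0, []
    for _ in range(2):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        codes.append(int.from_bytes(val, "big", signed=True))
    token_dn = None
    if pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x04 or pos != len(body):
            raise ValueError("bad or trailing tokenDN")
        token_dn = val.decode("utf-8")
    return codes[0], codes[1], token_dn
```

The encoded bytes are what goes into the control value of the bind request alongside OTP_SYNC_OID; the decoder rejects anything that is not exactly one well-formed SEQUENCE.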

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0030-2-Add-OTP-sync-support-to-ipa-pwd-extop.patch
Type: text/x-patch
Size: 56547 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140129/d08bc7d5/attachment.bin>
