[Freeipa-devel] [PATCH 0030] Add OTP sync support to ipa-pwd-extop
Simo Sorce
ssorce at redhat.com
Wed Jan 29 23:14:47 UTC 2014
----- Original Message -----
> This new version of the patch depends on patches 0026 and 0029. It has
> also been renamed.
>
> This should hopefully solve the problems that Simo raised about extended
> password validation, etc. In short, I've moved all of the token
> synchronization code into ipa-pwd-extop. The original code looked like
> this:
>
> 1. Validate OTP
> 2. Validate Password-only
> 3. <NOTHING>
> 4. Write out kerberos keys if necessary
> 5. Fall through to 389ds for full password validation
>
> The code, after this patch now looks like this:
>
> 1. Validate OTP
> 2. Validate Password-only
> 3. Synchronize token
> 4. Write out kerberos keys if necessary
> 5. Fall through to 389ds for full password validation
I assume step 4 is the special migration code step, right?
It is not a new part of the OTP code.
> In both cases, if #2 fails we jump immediately to #5. If #3 fails the
> failure is reported to the user as INVALID_CREDENTIALS.
I wonder if we have a standard control to give more info, like we do for
the password change operation ...
> If synchronization succeeds, we still fall through to #4 and #5.
>
> The only oddity of this choice is that a user could be locked out/etc
> and new #3 would succeed. In this case, #5 would still fail however and
> the bind would be unsuccessful. Hence, the user would never know if the
> tokens were synchronized.
>
> The new bind control is very simple:
> OTPSyncRequest ::= SEQUENCE {
>     firstCode   INTEGER,
>     secondCode  INTEGER,
>     tokenDN     OCTET STRING OPTIONAL
> }
>
> The OID is 2.16.840.1.113730.3.6.9. This was given to me by Mark, but I
> don't know who controls this or if we can use it.
prefix.3.6.x is for miscellaneous OIDs, but this is FreeIPA work and should
go in prefix.3.8.10.x.
I am assigning you 2.16.840.1.113730.3.8.10.6; please change your patches to use this OID.
I will de-register the one Mark reserved for you in 3.6.x.
> All of this is tested and working.
>
> Nathaniel
>
> On Thu, 2014-01-09 at 16:28 -0500, Nathaniel McCallum wrote:
> > This plugin adds an extended operation for synchronizing tokens. This
> > operation is available both with and without bind. In the latter case,
> > the first factor is required. This operation can also be performed
> > on a per-token or per-user level. In the latter case, we will attempt
> > to find the token automatically.
> >
> > Thanks to Mark Reynolds for helping me with this patch.
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
--
Simo Sorce * Red Hat, Inc. * New York
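An added example, written for this archive page and not taken from Nathaniel's patch or from ipa-pwd-extop, that shows the control discussed above as bytes on the wire: a DER encoder for the OTPSyncRequest value, the outer LDAP Control wrapper (RFC 4511 controlType/criticality/controlValue) carrying the OID Simo assigns in this reply, and a strict decoder of the kind a server-side plugin wants before it acts on the two codes. The token DN is a constructed sample, the rejection cases are my own choices, and since the thread does not say whether the control is critical, criticality defaults to FALSE (and is then omitted, as DER requires for a DEFAULT value).

```python
# Added example (not FreeIPA's own code): DER encode/decode for the
# OTPSyncRequest bind control value, plus the LDAP Control wrapper.
from dataclasses import dataclass
from typing import Optional, Tuple

# OID assigned to this control by Simo in the thread above.
OTP_SYNC_REQUEST_OID = "2.16.840.1.113730.3.8.10.6"

TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x01, 0x02, 0x04, 0x30


@dataclass(frozen=True)
class OTPSyncRequest:
    first_code: int
    second_code: int
    token_dn: Optional[str] = None  # absent: server locates the user's token


def _der_length(n: int) -> bytes:
    """Short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER; OTP codes are never negative."""
    if value < 0:
        raise ValueError("OTP codes are non-negative")
    # bit_length()//8 + 1 bytes keeps a leading 0x00 when the top bit is set.
    return _der_tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_otp_sync_request(req: OTPSyncRequest) -> bytes:
    body = _der_integer(req.first_code) + _der_integer(req.second_code)
    if req.token_dn is not None:
        body += _der_tlv(TAG_OCTET_STRING, req.token_dn.encode("utf-8"))
    return _der_tlv(TAG_SEQUENCE, body)


def encode_control(req: OTPSyncRequest, critical: bool = False) -> bytes:
    """LDAP Control: controlType is the dotted OID as an OCTET STRING,
    criticality is omitted when FALSE (DER rule for DEFAULT values)."""
    body = _der_tlv(TAG_OCTET_STRING, OTP_SYNC_REQUEST_OID.encode("ascii"))
    if critical:
        body += _der_tlv(TAG_BOOLEAN, b"\xff")
    body += _der_tlv(TAG_OCTET_STRING, encode_otp_sync_request(req))
    return _der_tlv(TAG_SEQUENCE, body)


def _der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV; reject truncation, indefinite and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length


def _der_expect(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    got, body, pos = _der_read(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return body, pos


def _decode_integer(body: bytes) -> int:
    if not body or (len(body) > 1 and body[0] == 0 and body[1] < 0x80):
        raise ValueError("non-minimal INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative OTP code")
    return int.from_bytes(body, "big")


def decode_otp_sync_request(value: bytes) -> OTPSyncRequest:
    """Strict decoder: exact structure, no trailing bytes, UTF-8 tokenDN."""
    seq, end = _der_expect(value, 0, TAG_SEQUENCE)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    first, pos = _der_expect(seq, 0, TAG_INTEGER)
    second, pos = _der_expect(seq, pos, TAG_INTEGER)
    token_dn = None
    if pos < len(seq):
        dn, pos = _der_expect(seq, pos, TAG_OCTET_STRING)
        token_dn = dn.decode("utf-8")
        if pos != len(seq):
            raise ValueError("unexpected data after tokenDN")
    return OTPSyncRequest(_decode_integer(first), _decode_integer(second), token_dn)


def rejects(value: bytes) -> bool:
    """True when the strict decoder refuses the input."""
    try:
        decode_otp_sync_request(value)
    except (ValueError, UnicodeDecodeError):
        return True
    return False
```

The decoder deliberately refuses trailing bytes, negative or non-minimal integers, and missing fields rather than tolerating them, which is the behaviour a bind-time plugin wants: a malformed control should fail closed, before any token counter is touched.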