[Freeipa-devel] [PATCH 0030] Add OTP sync support to ipa-pwd-extop

Simo Sorce ssorce at redhat.com
Wed Jan 29 23:14:47 UTC 2014 

----- Original Message -----
> This new version of the patch depends on patches 0026 and 0029. It has
> also been renamed.
> 
> This should hopefully solve the problems that Simo raised about extended
> password validation, etc. In short, I've moved all of the token
> synchronization code into ipa-pwd-extop. The original code looked like
> this:
> 
> 1. Validate OTP
> 2. Validate Password-only
> 3. <NOTHING>
> 4. Write out kerberos keys if necessary
> 5. Fall through to 389ds for full password validation
> 
> The code, after this patch now looks like this:
> 
> 1. Validate OTP
> 2. Validate Password-only
> 3. Synchronize token
> 4. Write out kerberos keys if necessary
> 5. Fall through to 389ds for full password validation

I assume step 4 is the special migration code step, right ?
It is not something new part of the OTP code.
 
> In both cases, if #2 fails we jump immediately to #5. If #3 fails the
> failure is reported to the user as INVALID_CREDENTIALS.

I wonder if we have a standard control to give more info, like we do for
the password change operation ...

> If
> synchronization succeeds, we still fall through to #4 and #5.
> 
> The only oddity of this choice is that a user could be locked out/etc
> and new #3 would succeed. In this case, #5 would still fail however and
> the bind would be unsuccessful. Hence, the user would never know if the
> tokens were synchronized.
> 
> The new bind control is very simple:
>      OTPSyncRequest ::= SEQUENCE {
>          firstCode   INTEGER,
>          secondCode  INTEGER,
>          tokenDN     OCTET STRING OPTIONAL
>      }
> 
> The OID is 2.16.840.1.113730.3.6.9. This was given to me by Mark, but I
> don't know who controls this or if we can use it.

prefix.3.6.x is the miscellaneous OIDs, but this is FreeIPA work, and should
go in prefix.3.8.10.x

I am assigning you 2.16.840.1.113730.3.8.10.6, please change your patches to use this OID.
I will de-register the one Mark reserved for you in 3.6.x
 
> All of this is tested and working.
> 
> Nathaniel
> 
> On Thu, 2014-01-09 at 16:28 -0500, Nathaniel McCallum wrote:
> > This plugin adds an extended operation for synchronizing tokens. This
> > operation is availalbe both with and without bind. In the latter case,
> > the first factor is required. This operation can also be performed
> > on a per-token or per-user level. In the latter case, we will attempt
> > to find the token automatically.
> > 
> > Thanks to Mark Reynolds for helping me with this patch.
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> 

-- 
Simo Sorce * Red Hat, Inc. * New York

More information about the Freeipa-devel mailing list