[Freeipa-devel] [WIP] OTP Token Import

Nathaniel McCallum npmccallum at redhat.com
Tue May 13 13:20:54 UTC 2014


On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:
> Hi,
> 
> On 13.5.2014 01:39, Nathaniel McCallum wrote:
> > The attached patch implements the OTP Token import script. However, it
> > doesn't work. Specifically, at the bottom of the file, when I call
> > otptoken-add, I get: Unknown option: digits
> >
> > If I prefix "ipatoken" to "digits", I get: Unknown option:
> > ipatokendigits
> 
> The attribute is called "ipatokenotpdigits", according to the otptoken 
> plugin.

Gah! I've been looking at this code too long.

> > If I remove "**options", I get: invalid 'ipatokenuniqueid':
> > Gettext('must be Unicode text', domain='ipa', localedir=None)
> 
> I guess you are trying to use a str object for ipauniqueid. You must use 
> a unicode object.

Do I need to convert all the strings from the XML parsing to unicode?

> > If I specify the id manually as u'foo', I get: no context.ldap2 in
> > thread 'MainThread'
> 
> You need to connect to LDAP with ldap2.connect before running any commands.

Is there a canonical example of how to do this?

> > What do I need to do in order to set up and call the otptoken-add command
> > properly?
> 
> Is ipa-otptoken-import intended to be run on IPA servers only? Because I 
> don't see anything in the code that would mandate that.

No. However, this is part of a long conversation previously on this
list. The parsing and otptoken_add need to happen on the client-side
because we will catch any failures and write out a client-side "tokens
not added" xml file. We also need to do this because this process may
take a long time (thousands of tokens) and the HTTP API doesn't have
infrastructure for long-running calls.

So the requirement here is that it runs on the client side with a direct
LDAP connection. The bind user should be the user running the script,
not directory manager.

Nathaniel
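The client-side import loop the thread describes (text rather than byte strings for the parameters, the plugin's real option name ipatokenotpdigits instead of digits, and every failed otptoken-add collected into a "tokens not added" document) as an added example; it is not the patch under discussion nor FreeIPA's own code. The XML layout is a constructed stand-in, not the real token-file schema, and the add_command argument is assumed to be api.Command.otptoken_add once api.Backend.ldap2.connect() has been called.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: a minimal made-up token file, not a real schema.
SAMPLE_XML = b"""<tokens>
  <token id="tok1" digits="6" algo="sha1"/>
  <token id="tok2" digits="8" algo="sha256"/>
</tokens>"""


def to_text(value):
    """ipalib rejects byte strings for Str parameters; always hand it text."""
    if isinstance(value, bytes):
        return value.decode("utf-8")
    return value


def token_options(elem):
    """Map one <token> element to otptoken-add keyword arguments, using the
    option names the otptoken plugin actually accepts (ipatokenotpdigits, not
    digits). Key, vendor and other options are left out to keep this short."""
    return {
        "ipatokenuniqueid": to_text(elem.get("id")),
        "ipatokenotpdigits": int(elem.get("digits", "6")),
        "ipatokenotpalgorithm": to_text(elem.get("algo", "sha1")),
    }


def import_tokens(xml_bytes, add_command):
    """Call add_command(**options) for every token. A failure must not abort a
    run over thousands of tokens, so it is recorded and the loop continues.
    Returns (added ids, [(id, reason), ...]) for the not-added report."""
    root = ET.fromstring(xml_bytes)
    added, not_added = [], []
    for elem in root.findall("token"):
        opts = token_options(elem)
        try:
            add_command(**opts)
            added.append(opts["ipatokenuniqueid"])
        except Exception as err:  # record and keep going
            not_added.append((opts["ipatokenuniqueid"], str(err)))
    return added, not_added


def not_added_xml(not_added):
    """Serialize the failed tokens as the client-side 'tokens not added' file."""
    root = ET.Element("tokens")
    for uid, reason in not_added:
        ET.SubElement(root, "token", id=uid, error=reason)
    return ET.tostring(root)
```

In the real script the caller bootstraps and finalizes the ipalib api, connects with ldap2 as the invoking user, and then passes api.Command.otptoken_add as add_command.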
