[Freeipa-devel] OTP Sync Client Design

Nathaniel McCallum npmccallum at redhat.com
Wed May 14 18:08:32 UTC 2014


Occasionally OTP tokens get out of sync with the server. When this
happens, the user or an admin needs to synchronize the token. To this
end, we landed server-side synchronization support, which is a simple
bind with a custom control. This all works with my sample test script.

Client support is proving a bit more difficult. In the ideal world, the
client would contact LDAP directly and perform the operation. This would
make a man-in-the-middle attack difficult, and we can ensure encryption
over the entire operation.

However, browsers, without server-side assistance, cannot perform this
operation from JavaScript. This means that, in this case, the first
factor and two second factors must be transmitted to the FreeIPA server
and then proxied to 389. Is this an acceptable compromise?

This command also needs to be accessible *without* an existing user
login since, if a user's token is out of sync, the user can't log in. Is
it possible to expose such an API? If so, how? Both "ipa env" and "ipa
ping" seem to require kinit, so I don't see any obvious examples.

Nathaniel
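For readers wondering why the sync request carries two second factors rather than one: an added example, not FreeIPA's or 389's own code and not the custom LDAP control itself, showing the RFC 4226 HOTP resynchronization search that such a server-side handler performs. The secret is the RFC 4226 test-vector key; the drift scenario and the window size are constructed for illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed input: the RFC 4226 test-vector secret ("12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def resync(secret: bytes, server_counter: int, first: str, second: str,
           window: int = 100, digits: int = 6) -> Optional[int]:
    """Look ahead of the server's counter for two *consecutive* token values.

    Requiring two consecutive values means a single observed code cannot be
    replayed to move the counter; the bounded window caps both the search cost
    and how far a guess can push the counter. Returns the new server counter
    (one past the second value), or None if no match lies inside the window.
    """
    for c in range(server_counter, server_counter + window):
        if (hmac.compare_digest(hotp(secret, c, digits), first)
                and hmac.compare_digest(hotp(secret, c + 1, digits), second)):
            return c + 2
    return None


def demo() -> Optional[int]:
    """Constructed drift: the token is at counter 37, the server still at 3.
    The user presses the token twice and submits both values with the sync
    request; the server catches up without ever seeing the seed on the wire."""
    first, second = hotp(SECRET, 37), hotp(SECRET, 38)
    return resync(SECRET, 3, first, second)  # returns 39


if __name__ == "__main__":
    print("new server counter:", demo())
```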
