[Freeipa-devel] OTP Sync Client Design

Simo Sorce simo at redhat.com
Thu May 15 07:52:12 UTC 2014



----- Original Message -----
> Occasionally OTP tokens get out of sync with the server. When this
> happens, the user or an admin needs to synchronize the token. To this
> end, we landed server-side synchronization support, which is a simple
> bind with a custom control. This all works with my sample test script.
> 
> Client support is proving a bit more difficult. In the ideal world, the
> client would contact LDAP directly and perform the operation. This would
> make a man-in-the-middle attack difficult and we can ensure encryption
> over the entire operation.
> 
> However, browsers, without server-side assistance, cannot perform this
> operation from JavaScript. This means that, in this case, the first
> factor and two second factors must be transmitted to the FreeIPA server
> and then proxied to 389. Is this an acceptable compromise?
> 
> This command also needs to be accessible *without* an existing user
> login since, if a user's token is out of sync, the user can't log in. Is
> it possible to expose such an API? If so, how? Both "ipa env" and "ipa
> ping" seem to require kinit, so I don't see any obvious examples.

Sounds to me like this should be done via a separate page, not from JavaScript;
then you do not have to deal with the chicken-and-egg issue of framework
authentication ... yeah, custom code's not great, but the problem here seems
quite limited to re-synchronization only.

Simo.
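The "two second factors" in the quoted design are what make an out-of-sync token recoverable without letting an attacker guess into a wide counter window. The following is an added illustration of that mechanism and is not FreeIPA code: it models HOTP (RFC 4226) verification with the usual narrow look-ahead window, and the resynchronization path that accepts two consecutive codes over a much wider window and returns the corrected server counter. The secret is the RFC 4226 test key, the window sizes are assumed, and the first factor (password) check and the LDAP bind/control transport from the thread are deliberately left out.

```python
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 Appendix D test key, used only so the
# codes below are reproducible. A real deployment derives this per token.
SECRET = b"12345678901234567890"

# Assumed window sizes: a small look-ahead for everyday logins, and a wide
# one that is only searched when the user presents two consecutive codes.
LOGIN_LOOK_AHEAD = 3
RESYNC_WINDOW = 100


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def _well_formed(code: str, digits: int) -> bool:
    """Reject anything that is not exactly `digits` decimal digits before
    doing any HMAC work, so malformed input cannot match by accident."""
    return isinstance(code, str) and len(code) == digits and code.isdigit()


def verify_hotp(secret: bytes, server_counter: int, code: str,
                look_ahead: int = LOGIN_LOOK_AHEAD, digits: int = 6):
    """Normal login path. Accepts a code at the server counter or a few
    steps ahead (small drift). Returns the new server counter on success,
    None on failure. A token that has drifted beyond the window fails here
    and must be resynchronized."""
    if not _well_formed(code, digits):
        return None
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1  # never accept the same counter twice
    return None


def resync_hotp(secret: bytes, server_counter: int, first_code: str,
                second_code: str, window: int = RESYNC_WINDOW, digits: int = 6):
    """Resynchronization path. Requires two *consecutive* codes, which is
    why the thread talks about sending two second factors: a single 6-digit
    code matched against a 100-step window would be guessable, two
    consecutive ones are not. Returns the corrected server counter (one
    past the second code) or None."""
    if not (_well_formed(first_code, digits) and _well_formed(second_code, digits)):
        return None
    for c in range(server_counter, server_counter + window):
        if (hmac.compare_digest(hotp(secret, c, digits), first_code)
                and hmac.compare_digest(hotp(secret, c + 1, digits), second_code)):
            return c + 2
    return None


if __name__ == "__main__":
    server_counter = 0
    token_counter = 5  # constructed: the token was pressed 5 times unseen
    drifted = hotp(SECRET, token_counter)
    print("login with drifted code:", verify_hotp(SECRET, server_counter, drifted))
    pair = (hotp(SECRET, token_counter), hotp(SECRET, token_counter + 1))
    print("resync with two codes ->", resync_hotp(SECRET, server_counter, *pair))
```

With the sample key the server starts at counter 0; a token that has advanced to counter 5 fails the 3-step login window, but presenting codes 5 and 6 together resynchronizes the server to counter 7. The same structure applies to TOTP with time steps in place of counters.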



