[Freeipa-devel] OTP Sync Client Design

Petr Vobornik pvoborni at redhat.com
Thu May 15 08:15:15 UTC 2014


On 15.5.2014 09:52, Simo Sorce wrote:
>
>
> ----- Original Message -----
>> Occasionally OTP tokens get out of sync with the server. When this
>> happens, the user or an admin need to synchronize the token. To this
>> end, we landed server-side synchronization support, which is a simple
>> bind with a custom control. This all works with my sample test script.
>>
>> Client support is proving a bit more difficult. In the ideal world, the
>> client would contact LDAP directly and perform the operation. This would
>> make a man in the middle attack difficult and we can ensure encryption
>> over the entire operation.
>>
>> However, browsers, without server-side assistance, cannot perform this
>> operation from javascript. This means that, in this case, the first
>> factor and two second factors must be transmitted to the FreeIPA server
>> and then proxied to 389. Is this an acceptable compromise?
>>
>> This command also needs to be accessible *without* an existing user
>> login since, if a user's token is out of sync, the user can't login. Is
>> it possible to expose such an API? If so, how? Both "ipa env" and "ipa
>> ping" seem to require kinit, so I don't see any obvious examples.
>
> Sounds to me this should be done via a separate page not from javascript,
> then you do not have to deal with the chicken-egg issue of framework
> authentication ... yeah custom code's not great but the problem here seems
> quite limited to re-synchronization only.
>
> Simo.
>

IMO it should be similar to ipaserver.rpcserver.login_password and 
change_password methods.

Then it could be used from various UIs - main IPA Web UI, separate page, 
some CLI app...
-- 
Petr Vobornik