[Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

Dmitri Pal dpal at redhat.com
Wed Oct 5 22:41:19 UTC 2011


On 10/05/2011 05:36 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>>>> I ended up not using raiseonerr=False, as all I needed was a way to
>>>> break out of the loop on success, so that will come sequentially if
>>>> there is no exception.
>>>>
>>>> Patch attached.
>>>
>>> This works but there is a noticeable pause on my system when ntpdate
>>> is being run. I think it would be handy to output a message saying
>>> that the date is being updated.
>> I'll add the message.
>>
>>> Is it necessary to sync the date when a one-time password is being
>>> used? It doesn't hurt but it does pause a second or three.
>> If I understand correctly, our use of OTP term for hosts is different
>> from what current IETF draft on OTP preauth with kerberos assumes.
>>
>> At least, according to the IETF draft on OTP preauth with Kerberos,
>> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
>> the client has to submit the next key if clocks have drifted, which implies you
>> cannot re-use the same OTP next time. To me this looks like clock
>> synchronization is very important in the OTP case. In our OTP case it does
>> not matter, except for an artificial delay...
>
> This is not Kerberos OTP, it does an LDAP simple bind.


It is more like a "nonce"; it is not an OTP that can be generated based
on some hardware or software token.
The Kerberos OTP draft is about those OTPs, which we are not. We are literally
a One Time Password.

>
>> I've added the message.
>
> Ok, I'll take a look.
>
> rob
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
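The retry-and-break-on-success loop the thread discusses, as an added example rather than the attached patch (which is not on the page): it tries each server in turn and stops at the first ntpdate run that exits cleanly, printing the progress message Rob asked for. It calls subprocess directly instead of FreeIPA's ipautil.run, generalizes to several servers and several attempts per server, and the server names, ntpdate path and flags are assumptions, not the project's own values.

```python
import subprocess
import sys
from typing import Callable, Iterable, Optional

# Added example, not the patch from the thread. Path is an assumption;
# -U/-s/-b are standard ntpdate options (drop privileges, syslog, step clock).
NTPDATE = "/usr/sbin/ntpdate"


def run_ntpdate(server: str) -> None:
    """Run ntpdate once against one server; raise CalledProcessError on failure."""
    subprocess.check_call([NTPDATE, "-U", "ntp", "-s", "-b", server])


def sync_time(servers: Iterable[str],
              run: Callable[[str], None] = run_ntpdate,
              attempts: int = 3,
              out=sys.stderr) -> Optional[str]:
    """Return the first server that synced, or None if every attempt failed.

    Servers are tried sequentially. A run that raises counts as a failed
    attempt and the loop moves on; success is simply falling through without
    an exception, which is what the thread's patch relies on instead of
    raiseonerr=False. 'run' is injectable so the logic can be tested offline.
    """
    print("Synchronizing time with KDC...", file=out)  # message Rob asked for
    for server in servers:
        for attempt in range(1, attempts + 1):
            try:
                run(server)
            except (subprocess.CalledProcessError, OSError) as err:
                print(f"  ntpdate {server} failed "
                      f"(attempt {attempt}/{attempts}): {err}", file=out)
                continue
            print(f"  time synchronized with {server}", file=out)
            return server
    # Clock skew beyond the KDC's tolerance will make Kerberos fail later,
    # so the caller should warn the admin rather than silently proceed.
    print("Unable to synchronize time with any NTP server", file=out)
    return None


if __name__ == "__main__":
    # Constructed placeholder server; pass real ones on the command line.
    sync_time(sys.argv[1:] or ["ntp.example.test"])
```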

