[Freeipa-devel] OTP Sync Client

Nathaniel McCallum npmccallum at redhat.com
Thu Feb 20 21:59:48 UTC 2014 

On Wed, 2014-01-22 at 15:59 -0500, Nathaniel McCallum wrote:
> In attempting to write an OTP synchronization client, I've noticed it
> doesn't fit into the framework very well. The job of the client is to
> perform the synchronization extended operation. The format of the
> request is this:
> 
>      OTPSyncRequestValue ::= SEQUENCE {
>          userDN            OCTET STRING,
>          tokenDN      [0]  OCTET STRING OPTIONAL,
>          firstFactor  [1]  OCTET STRING OPTIONAL,
>          firstCode         INTEGER,
>          secondCode        INTEGER
>      }
> 
> In all cases, the user MUST provide two token codes and MAY provide the
> DN of a token to sync.
> 
> >From here two cases exist: bound and unbound.
> 
> In the unbound case, both the userDN and firstFactor fields are required
> and authentication is performed internally.
> 
> In the bound case, the client has already bound (usually via a kerberos
> ticket). In this case, the client must provide userDN only. There are
> two options here. First, the client can generate the userDN
> automatically from the kerberos ticket metadata. Second, the extop
> plugin can make the userDN field optional and simply rely on the
> internal bind DN. This is my preferred route, and will require a new
> revision of the otp sync patch (no problem). In this second case, if the
> user is bound, the DS plugin would ignore the values of
> userDN/firstFactor.
> 
> Assuming the second case to be true, how do I write a command in the
> framework that will attempt a krb5 bind and then prompt for
> username/password if the bind fails? Also, how do I, on the client side,
> without any bind to LDAP translate the username to the userDN? The same
> is true for the token ID to DN translation? Would it be better to write
> this code independently of the FreeIPA client command framework?

Attached is a first attempt at implementing a sync client. It works, but
isn't ready for merger. Please help me suggest ways to overcome the
various problems:

1. This requires a krb5 TGT in order to perform the command. I am
assuming that everything in execute() is happening on the server-side
and the server wants authentication. Obviously, we can't require a TGT
to sync the token.

2. If a TGT *is* present, it would be really nice to bypass the
username/password options entirely and do a SASL bind (from the client?
Is 389DS guaranteed to be available to the client?

3. There has to be a better way to get the LDAP URI than what I'm doing.

4. I have concerns about passing the password over the wire. We are
doing this two places:
  A. client => freeipa
  B. freeipa => 389DS

Thoughts?

5. What should I do about the return value of the command?

Nathaniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-First-stab-at-sync-client.patch
Type: text/x-patch
Size: 5294 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140220/02eae21b/attachment.bin>

More information about the Freeipa-devel mailing list