[Freeipa-devel] [PATCH 0058] Fix login password expiration detection with OTP

Petr Vobornik pvoborni at redhat.com
Mon Jul 21 14:39:36 UTC 2014


On 14.7.2014 21:01, Nathaniel McCallum wrote:
> The preexisting code would execute two steps. First, it would perform a
> kinit. If the kinit failed, it would attempt to bind using the same
> credentials to determine if the password were expired. While this method
> is fairly ugly, it mostly worked in the past.
>
> However, with OTP this breaks. This is because the OTP code is consumed
> by the kinit step. But because the password is expired, the kinit step
> fails. When the bind is executed, the OTP token is already consumed, so
> bind fails. This causes all password expirations to be reported as
> invalid credentials.
>
> After discussion with MIT, the best way to handle this case with the
> standard tools is to set LC_ALL=C and check the output from the command.
> This eliminates the bind step altogether. The end result is that OTP
> works and all password failures are more performant.
>
> https://fedorahosted.org/freeipa/ticket/4412
>
>

ACK

Pushed to:
master: e4771302812388cc7f9773ce48d0bc3b34855248
ipa-4-1: e4771302812388cc7f9773ce48d0bc3b34855248
ipa-4-0: e4771302812388cc7f9773ce48d0bc3b34855248

Initially, when testing, I got a preauthentication error because I had an old 
version of krb5: 1.11.5-4 instead of 1.11.5-5.

Should we add version dependency >= 1.11.5-5 to spec file?
-- 
Petr Vobornik
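The single-kinit approach described in the quoted message, as an added illustration that is not the FreeIPA patch itself: kinit runs once under LC_ALL=C so its messages are not localised, and the outcome is read from its exit status and stderr instead of a follow-up bind that a consumed OTP value would make fail. The marker strings "Password has expired" and "Preauthentication failed" are assumed MIT kinit wording, and the sample stderr lines are constructed.

```python
import os
import subprocess
from enum import Enum


class KinitResult(Enum):
    OK = "ok"
    PASSWORD_EXPIRED = "password_expired"
    INVALID_CREDENTIALS = "invalid_credentials"
    OTHER_FAILURE = "other_failure"


# Assumed substrings of MIT kinit's English error output. Matching on them is
# only reliable because kinit is run with LC_ALL=C, which disables message
# localisation.
EXPIRED_MARKER = "password has expired"
PREAUTH_MARKER = "preauthentication failed"


def classify_kinit_output(returncode, stderr):
    """Map kinit's exit status and stderr text to a login outcome.

    One kinit run decides everything, so a one-time OTP value is consumed
    exactly once and an expired password is not misreported as bad
    credentials by a second authentication attempt.
    """
    if returncode == 0:
        return KinitResult.OK
    text = stderr.lower()
    if EXPIRED_MARKER in text:
        return KinitResult.PASSWORD_EXPIRED
    if PREAUTH_MARKER in text:
        return KinitResult.INVALID_CREDENTIALS
    return KinitResult.OTHER_FAILURE


def kinit_classified(principal, password, ccache):
    """Run kinit once under LC_ALL=C and classify the result.

    The password (or password+OTP) goes to kinit on stdin, not on the
    command line, so it never shows up in the process list.
    """
    env = dict(os.environ, LC_ALL="C", KRB5CCNAME=ccache)
    proc = subprocess.run(["kinit", principal], input=password.encode(),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          env=env, check=False)
    return classify_kinit_output(proc.returncode,
                                 proc.stderr.decode(errors="replace"))


# Constructed sample stderr lines in the shape kinit prints under LC_ALL=C.
SAMPLE_EXPIRED = "kinit: Password has expired while getting initial credentials\n"
SAMPLE_BAD_PW = "kinit: Preauthentication failed while getting initial credentials\n"
```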