[Freeipa-devel] [PATCH 0058] Fix login password expiration detection with OTP

Nathaniel McCallum npmccallum at redhat.com
Mon Jul 21 14:50:25 UTC 2014


On Mon, 2014-07-21 at 16:39 +0200, Petr Vobornik wrote:
> On 14.7.2014 21:01, Nathaniel McCallum wrote:
> > The preexisting code would execute two steps. First, it would perform a
> > kinit. If the kinit failed, it would attempt to bind using the same
> > credentials to determine if the password were expired. While this method
> > is fairly ugly, it mostly worked in the past.
> >
> > However, with OTP this breaks. This is because the OTP code is consumed
> > by the kinit step. But because the password is expired, the kinit step
> > fails. When the bind is executed, the OTP token is already consumed, so
> > bind fails. This causes all password expirations to be reported as
> > invalid credentials.
> >
> > After discussion with MIT, the best way to handle this case with the
> > standard tools is to set LC_ALL=C and check the output from the command.
> > This eliminates the bind step altogether. The end result is that OTP
> > works and all password failures are more performant.
> >
> > https://fedorahosted.org/freeipa/ticket/4412
> >
> >
> 
> ACK
> 
> Pushed to:
> master: e4771302812388cc7f9773ce48d0bc3b34855248
> ipa-4-1: e4771302812388cc7f9773ce48d0bc3b34855248
> ipa-4-0: e4771302812388cc7f9773ce48d0bc3b34855248
> 
> Initially, when testing, I got a preauthentication error because I had an old
> version of krb5: 1.11.5-4 instead of 1.11.5-5.
> 
> Should we add version dependency >= 1.11.5-5 to spec file?

I would guess: yes.
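The approach described in the quoted patch summary (run kinit under LC_ALL=C and classify its output instead of falling back to an LDAP bind, so the OTP value is consumed only once) as an added illustration; this is not the FreeIPA patch itself. The two MIT krb5 message fragments, the `kinit_with_password` helper, and the outcome labels are assumptions made here for the example; anything kinit prints that matches neither fragment is reported as an unclassified failure rather than guessed at.

```python
import os
import subprocess

# Assumed MIT krb5 kinit error fragments. These are English-locale strings,
# which is exactly why the wrapper forces LC_ALL=C: a localized kinit would
# print translated text and the matching below would silently stop working.
EXPIRED_MARKER = "Password has expired"
BAD_CREDS_MARKER = "Preauthentication failed"


def classify_kinit_stderr(stderr):
    """Map kinit's stderr text onto a small set of outcomes.

    Returns "expired" when the password is expired, "invalid_credentials"
    when preauthentication failed (wrong password or already-used OTP), and
    "other_failure" for anything not recognised, so callers never mistake an
    unknown error for a credential problem.
    """
    if EXPIRED_MARKER in stderr:
        return "expired"
    if BAD_CREDS_MARKER in stderr:
        return "invalid_credentials"
    return "other_failure"


def kinit_with_password(principal, password, ccache=None, kinit_path="kinit"):
    """Run kinit once for `principal` with `password` on stdin and classify
    the result. A single kinit attempt is made; there is no second bind step,
    so a one-time OTP value is not consumed twice.

    Hypothetical helper: the argument names and return values are this
    example's own, not FreeIPA's API.
    """
    env = dict(os.environ, LC_ALL="C")  # force untranslated messages
    cmd = [kinit_path, principal]
    if ccache:
        cmd += ["-c", ccache]  # write the TGT to an explicit credential cache
    proc = subprocess.run(
        cmd,
        input=password + "\n",
        env=env,
        capture_output=True,
        text=True,
    )
    if proc.returncode == 0:
        return "ok"
    return classify_kinit_stderr(proc.stderr)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real system.
    samples = [
        "kinit: Password has expired while getting initial credentials\n",
        "kinit: Preauthentication failed while getting initial credentials\n",
        "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while getting initial credentials\n",
    ]
    for s in samples:
        print(classify_kinit_stderr(s), "<-", s.strip())
```

The classification is deliberately conservative: a KDC that is unreachable, or a kinit built against a krb5 whose messages differ, lands in `other_failure`, which is the safe default because the only decision that matters to a login form is whether to prompt for a password change or to reject the credentials.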
