<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 11/12/2014 11:37 PM, Nathaniel McCallum wrote: </div> <blockquote cite="mid:1415831860.3363.4.camel@redhat.com" type="cite"> <pre wrap="">On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote: </pre> <blockquote type="cite"> <pre wrap="">On 11/07/2014 04:44 PM, Petr Vobornik wrote: </pre> <blockquote type="cite"> <pre wrap="">On 7.11.2014 08:58, Martin Kosek wrote: </pre> <blockquote type="cite"> <pre wrap="">On 11/04/2014 05:17 PM, Nathaniel McCallum wrote: </pre> <blockquote type="cite"> <pre wrap="">On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote: </pre> <blockquote type="cite"> <pre wrap="">On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote: </pre> <blockquote type="cite"> <pre wrap="">On 10/29/2014 10:37 AM, Martin Kosek wrote: </pre> <blockquote type="cite"> <pre wrap="">On 10/28/2014 09:59 PM, Nathaniel McCallum wrote: </pre> <blockquote type="cite"> <pre wrap="">On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote: </pre> <blockquote type="cite"> <pre wrap="">This patch gives the administrator variables to control the size of the authentication and synchronization windows for OTP tokens. <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4511">https://fedorahosted.org/freeipa/ticket/4511</a> NOTE: There is one known issue with this patch which I don't know how to solve. This patch changes the schema in install/share/60ipaconfig.ldif. On an upgrade, all of the new attributeTypes appear correctly. However, the modifications to the pre-existing objectClass do not show up on the server. What am I doing wrong? After modifying ipaGuiConfig manually, everything in this patch works just fine. </pre> </blockquote> <pre wrap=""> This new version takes into account the new (proper) OIDs and attribute names. </pre> </blockquote> <pre wrap=""> Thanks Nathaniel! </pre> <blockquote type="cite"> <pre wrap="">The above known issue still remains. </pre> </blockquote> <pre wrap=""> Petr3, any idea what could have gone wrong? ObjectClass MAY list extension should work just fine, AFAIK. </pre> </blockquote> <pre wrap=""> You added a blank line to the LDIF file. This is an entry separator, so the objectClasses after the blank line don't belong to cn=schema, so they aren't considered in the update. Without the blank line it works fine. </pre> </blockquote> <pre wrap=""> Thanks for the catch! Here is a version without the blank line. </pre> </blockquote> <pre wrap=""> I forgot to remove the old steps defines. This patch performs this cleanup. </pre> </blockquote> <pre wrap=""> I am now wondering, is the global config object really the nest place to add these OTP specific settings? I would prefer not to overload the object and instead: - create new ipaOTPConfig objectclass - add it to cn=otp,$SUFFIX - create otpconfig-mod and otpconfig-show commands to follow an example of dnsconfig-* and trustconfig-* commands IMO, this would allow more flexibility for the OTP settings and would also scale better for the future updates. </pre> </blockquote> <pre wrap=""> +1 I will comment the patch as if ^^ would not exist because it will still be needed in the new plugin. Because of ^^ I did not test, just read. 1. Got: install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not recommended in array initializers Please run: jsl -nofilelisting -nosummary -nologo -conf jsl.conf in install/ui directory The goal is no have no warnings and errors. 2. new attrs should be added to 'System: Read Global Configuration' managed permission </pre> </blockquote> <pre wrap=""> +1. Though if we go with OTP config, it should be called System: Read OTP Configuration Martin </pre> </blockquote> <pre wrap=""> Attached is a new set of patches that replaces this single patch. This now fixes multiple issues. I now create two new entries: * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX There are two corresponding CLI commands: * totpconfig-(show|mod) * hotpconfig-(show|mod) There is no UI support for this yet (pointers welcome). This is designed so that eventually tokens can grow a per-token override, but I have not yet implemented this feature (it should be easy in the future). Additionally, I had to do some shared refactoring to address issues in ipa-otp-lasttoken, which is why all of these are now merged into a single patch set. Nathaniel </pre> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre> </blockquote> Hello Nathaniel, Sorry for this long delay. The patch 0001 is fine for me. Ack I have a question regarding 0002. The function 'otp_config_update' is called in postop in order to 'update' the configuration in case of successful op. In 'update' it can updates 'config_record->value. In case the SLAPI_ENTRY_POST_OP sdn is not the the config_rec->sdn but the SLAPI_TARGET_SDN sdn is the config_rec->sdn , it resets 'config_record'->value to 'config_record->dflt'. Is that the expected effect ? thanks thierry </body> </html>