<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/12/2014 11:37 PM, Nathaniel
McCallum wrote:<br>
</div>
<blockquote cite="mid:1415831860.3363.4.camel@redhat.com"
type="cite">
<pre wrap="">On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 11/07/2014 04:44 PM, Petr Vobornik wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 7.11.2014 08:58, Martin Kosek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 10/29/2014 10:37 AM, Martin Kosek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
</pre>
<blockquote type="cite">
<pre wrap="">This patch gives the administrator variables to control the size of
the authentication and synchronization windows for OTP tokens.
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4511">https://fedorahosted.org/freeipa/ticket/4511</a>
NOTE: There is one known issue with this patch which I don't know how to
solve. This patch changes the schema in install/share/60ipaconfig.ldif.
On an upgrade, all of the new attributeTypes appear correctly. However,
the modifications to the pre-existing objectClass do not show up on the
server. What am I doing wrong?
After modifying ipaGuiConfig manually, everything in this patch works
just fine.
</pre>
</blockquote>
<pre wrap="">
This new version takes into account the new (proper) OIDs and attribute
names.
</pre>
</blockquote>
<pre wrap="">
Thanks Nathaniel!
</pre>
<blockquote type="cite">
<pre wrap="">The above known issue still remains.
</pre>
</blockquote>
<pre wrap="">
Petr3, any idea what could have gone wrong? ObjectClass MAY list extension
should work just fine, AFAIK.
</pre>
</blockquote>
<pre wrap="">
You added a blank line to the LDIF file. This is an entry separator, so
the objectClasses after the blank line don't belong to cn=schema, so
they aren't considered in the update.
Without the blank line it works fine.
</pre>
</blockquote>
<pre wrap="">
Thanks for the catch!
Here is a version without the blank line.
</pre>
</blockquote>
<pre wrap="">
I forgot to remove the old steps defines. This patch performs this
cleanup.
</pre>
</blockquote>
<pre wrap="">
I am now wondering, is the global config object really the best place to
add these OTP specific settings?
I would prefer not to overload the object and instead:
- create new ipaOTPConfig objectclass
- add it to cn=otp,$SUFFIX
- create otpconfig-mod and otpconfig-show commands to follow an example
of dnsconfig-* and trustconfig-* commands
IMO, this would allow more flexibility for the OTP settings and would
also scale better for the future updates.
</pre>
</blockquote>
<pre wrap="">
+1
I will comment the patch as if ^^ would not exist because it will still be
needed in the new plugin.
Because of ^^ I did not test, just read.
1. Got:
install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not
recommended in array initializers
Please run:
jsl -nofilelisting -nosummary -nologo -conf jsl.conf
in install/ui directory
The goal is to have no warnings and errors.
2. new attrs should be added to 'System: Read Global Configuration' managed
permission
</pre>
</blockquote>
<pre wrap="">
+1. Though if we go with OTP config, it should be called
System: Read OTP Configuration
Martin
</pre>
</blockquote>
<pre wrap="">
Attached is a new set of patches that replaces this single patch. This
now fixes multiple issues.
I now create two new entries:
* cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
* cn=HOTP,cn=Token Config,cn=etc,$SUFFIX
There are two corresponding CLI commands:
* totpconfig-(show|mod)
* hotpconfig-(show|mod)
There is no UI support for this yet (pointers welcome).
This is designed so that eventually tokens can grow a per-token
override, but I have not yet implemented this feature (it should be easy
in the future).
Additionally, I had to do some shared refactoring to address issues in
ipa-otp-lasttoken, which is why all of these are now merged into a
single patch set.
Nathaniel
</pre>
</blockquote>
<br>
<font face="Times New Roman, Times, serif">Hello Nathaniel,<br>
<br>
Sorry for this long delay.<br>
The patch 0001 is fine for me. Ack<br>
<br>
I have a question regarding 0002.<br>
The function 'otp_config_update' is called in postop in order to
'update' the configuration in case of successful op.<br>
In 'update' it can update 'config_record->value'.<br>
In case the SLAPI_ENTRY_POST_OP sdn is not the
config_rec->sdn but the SLAPI_TARGET_SDN sdn is the
config_rec->sdn, it resets 'config_record->value' to
'config_record->dflt'. Is that the expected effect?<br>
<br>
thanks<br>
thierry<br>
<br>
<br>
</font>
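<p>Added example (not part of the original thread or of the FreeIPA code): a small Python check for the LDIF problem discussed in the quoted replies, where a blank line ends the cn=schema entry and the objectClasses lines after it are left without a dn. The function names, the sample LDIF, and the OIDs and attribute names in it are constructed for illustration.</p>
<pre wrap="">
```python
# Added example: flag LDIF records that lost their dn: because of a stray
# blank line. The sample schema below is constructed; its OIDs and names
# are placeholders, not the ones from the patch.

def split_records(text):
    """Split LDIF text into records; a blank line ends the current record."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                      # comment line
        if not raw.strip():
            if current:
                records.append(current)   # blank line = entry separator
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]        # folded continuation line
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def orphaned_records(text):
    """Return records whose first line (after any version: header) is not dn:."""
    orphans = []
    for rec in split_records(text):
        lines = rec[1:] if rec[0].lower().startswith("version:") else rec
        if lines and not lines[0].lower().startswith("dn:"):
            orphans.append(lines)
    return orphans


# Constructed sample: the blank line detaches objectClasses from cn=schema.
BROKEN = (
    "dn: cn=schema\n"
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleWindow' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n"
    "\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleConfig' "
    "AUXILIARY MAY exampleWindow )\n"
)
FIXED = BROKEN.replace("\n\n", "\n")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "orphaned records:", orphaned_records(text))
```
</pre>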
</body>
</html>