[Freeipa-devel] [PATCH] krb 1.12's OTP-Over-RADIUS

Nathaniel McCallum npmccallum at redhat.com
Fri Apr 12 15:53:40 UTC 2013


On Fri, 2013-04-12 at 11:34 -0400, Nathaniel McCallum wrote:
> On Thu, 2013-04-11 at 14:48 -0400, Rob Crittenden wrote:
> > Nathaniel McCallum wrote:
> > > On Wed, 2013-04-10 at 15:35 -0400, Rob Crittenden wrote:
> > >> I'm not sure how I'd test it if I got it built.
> > >
> > > I'm working on this. I hope to have a clear answer next week. Bear with
> > > me...
> > >
> > >> Overall looks really good.
> > >
> > > I've split up the patch into multiple commits. I've also added .update
> > > files and a patch for ipa-kdb to feed krb5 the right user string.
> > >
> > > https://github.com/npmccallum/freeipa/commits/otp
> > >
> > > Please take a look. I *think* I've got everything worked out so far with
> > > the exception of bug numbers / urls. Should every patch have a separate
> > > bug and a link to the design page?
> > 
> > The ticket should go into every commit. I'd probably put the design link 
> > there too, just for completeness. Future bug fixes, et al. aren't going 
> > to require the design page, but since these commits are all related to 
> > the initial feature it will be nice to have.
> > 
> > You can have multiple patches on the same ticket/bug.
> 
> https://github.com/npmccallum/freeipa/commits/otp
> 
> All four commits now have bug numbers and design page links. I'm adding
> the design page link to the tickets as we speak.
> 
> Remaining issues (AFAICS):
> 1. The daemon (ipa-otpd) runs as root and binds anonymously
> 2. ipatokenRadiusSecret is readable by an anonymous bind
> 3. ipatokenT?OTP.* are readable by an anonymous bind

In the case of both #2 and #3, only admins should have RW. ipa-otpd
needs read access to ipatokenRadiusSecret. The DS bind plugin below (#2)
needs read access to ipatokenT?OTP.*.

> Outstanding pieces:
> 1. CLI tool -- https://fedorahosted.org/freeipa/ticket/3368
> 2. DS bind plugin -- https://fedorahosted.org/freeipa/ticket/3367
> 3. UI -- https://fedorahosted.org/freeipa/ticket/3369
> 4. Self Service UI -- https://fedorahosted.org/freeipa/ticket/3370
> 
> #1 and #2 are within the scope of F19 and should hopefully land shortly
> (in separate commits). #3 and #4 are probably $nextrelease.
> 
> Nathaniel
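As an added illustration of the access-control change asked for above (this is not code from the thread or from the FreeIPA project), here is the shape of 389 Directory Server ACIs that would address #2 and #3: the first value is the kind of broad anonymous-read rule that leaves the attributes exposed, and the ones that follow restrict the secret to admins (read/write) and to a dedicated ipa-otpd identity (read only). The suffix, group DN, service DN and ACI names are assumptions; the thread names the token attributes only by the pattern ipatokenT?OTP.*, so only ipatokenRadiusSecret is spelled out and the rest would be appended to the same exclusion list.

```ldif
# Constructed example, not FreeIPA's shipped ACIs.
dn: dc=example,dc=test
changetype: modify
# Problematic state: a suffix-wide anonymous read ACI that excludes only
# userPassword leaves ipatokenRadiusSecret (and the ipatokenT?OTP.* attributes)
# readable by an anonymous bind. The value below must match the existing one exactly.
delete: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
# Corrected: add the secret to the exclusion list. 389 DS denies by default, so
# anything removed from this allow rule is unreadable until re-granted below.
# Append each attribute matched by ipatokenT?OTP.* with " || " (names assumed).
add: aci
aci: (targetattr != "userPassword || ipatokenRadiusSecret")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
# Only members of the admins group get read/write on the secret (group DN assumed).
add: aci
aci: (targetattr = "ipatokenRadiusSecret")(version 3.0; acl "Admins manage RADIUS secrets"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)
-
# ipa-otpd binds as a dedicated system account (DN assumed) and gets read only;
# it must no longer bind anonymously for this grant to apply.
add: aci
aci: (targetattr = "ipatokenRadiusSecret")(version 3.0; acl "ipa-otpd reads RADIUS secrets"; allow (read, search, compare) userdn = "ldap:///uid=ipa-otpd,cn=sysaccounts,cn=etc,dc=example,dc=test";)
-
```

Apply with ldapmodify as Directory Manager, then check the result from both sides: an anonymous ldapsearch for ipatokenRadiusSecret should return the entries without that attribute, while a search bound as the ipa-otpd account should return it. The same pattern (exclude from the anonymous rule, grant explicitly to admins and to the bind plugin's identity) covers the ipatokenT?OTP.* attributes in #3; #1, the daemon running as root, is a process-privilege issue that ACIs do not address.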