[Freeipa-devel] Final OTP Review

Nathaniel McCallum npmccallum at redhat.com
Thu May 2 19:24:34 UTC 2013


On Thu, 2013-05-02 at 12:18 -0400, Nathaniel McCallum wrote:
> Attached are the patches from the ongoing OTP review with rcrit. We
> believe these to be ready to merge. Please review. The first two patches
> just add the required schema. The third patch adds support for OTP to
> kdb. The fourth adds ipa-otpd, the otp companion daemon. The fifth adds
> the 389DS bind plugin. The sixth patch is cosmetic (.gitignore).
> 
> Code for managing tokens (CLI or GUI) remains to be written, though I do
> have a rudimentary script for adding tokens for testing.
> 
> KNOWN ISSUES
> 1. ipa-otpd runs as root. This trade-off exists to permit autobinding
> for this PoC. Ideally, ipa-otpd would run as its own unprivileged user.
> I'd like to address this for the N+1 release.
> 2. krb5 currently requires the top three patches here in order to
> properly trigger the otp code path:
> https://github.com/greghudson/krb5/commits/keycheck. These should
> hopefully be merged upstream soon and will be backported to krb5 1.11 in
> Fedora 19 shortly.
> 3. krb5 tickets can't be issued. This is due to an upstream ticket
> issuance bug that was discovered on Monday. This occurs *after* the OTP
> has already been validated. We are working on a fix for this.

rcrit noticed that I wasn't using pkgconfig in patch #5, which I fixed.
He also merged patch #6. Attached are the five remaining patches.

Nathaniel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Add-ipa-otp-389DS-bind-plugin.patch
Type: text/x-patch
Size: 74582 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/595f8c81/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch
Type: text/x-patch
Size: 59994 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/595f8c81/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-ipa-kdb-Add-OTP-support.patch
Type: text/x-patch
Size: 6525 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/595f8c81/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-IPA-OTP-schema-and-ACLs.patch
Type: text/x-patch
Size: 22741 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/595f8c81/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-ipaUserAuthType-and-ipaUserAuthTypeClass.patch
Type: text/x-patch
Size: 4215 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130502/595f8c81/attachment-0004.bin>

