[Freeipa-devel] [PATCH 0080] Expose the disabled User Auth Type

Nathaniel McCallum npmccallum at redhat.com
Thu Dec 18 18:52:27 UTC 2014


On Thu, 2014-12-04 at 19:56 +0100, Petr Vobornik wrote:
> On 12/04/2014 07:25 PM, Nathaniel McCallum wrote:
> > On Wed, 2014-12-03 at 17:18 +0100, Petr Vobornik wrote:
> >> On 13.11.2014 18:04, Nathaniel McCallum wrote:
> >>> Additionally, fix a small bug in ipa-kdb so that the disabled User
> >>> Auth Type is properly handled.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/4720
> >>>
> >>
> >> The patch itself looks good to me, VERSION needs to be updated though.
> >>
> >> But I don't think it works. Don't know why. In my setup, user's config
> >> was not ignored.
> >>
> >> When I tested login in Web UI with:
> >>
> >> - global config: disabled, otp
> >> - user fbar's config:  password
> >> - fbar had an hotp token assigned
> >>
> >> I could still log in with password and not with otp. If I added 'otp' to
> >> fbar's config, I could also log in with otp.
> >
> > How are you logging in? krb5 or LDAP bind?
> >
> 
> Forms-based in Web UI. It uses kinit internally.

Alright, I was able to reproduce this problem via a bisect. I think you
hit a bug that was introduced in
953c6846b7cb8d75253538ab92a1360fceee0c3c and fixed by
9baa93da1cbf56c2a6f7e82e099bc3ff3f19e2e4. Those patches existed in my
local branch as one patchset, but were merged in two sections.
Unfortunately, though I had discovered and fixed the bug, the fix went
in the wrong patch in the series. So you just happened to hit the narrow
window where the bug existed in master (but not my local tree). On
current master, everything works.

I also tested on 4.1.2. A similar bug exists there on the old
ipa-pwd-extop code. So if we want to land this patch on 4.1.x, we will
need a fix for that code to avoid creating a security hole.

Attached is a rebased patch. It has no changes except the VERSION
update.

Nathaniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0080.1-Expose-the-disabled-User-Auth-Type.patch
Type: text/x-patch
Size: 6762 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141218/dc4041ed/attachment.bin>

