[Freeipa-devel] [WIP] OTP Token Import

Jan Cholasta jcholast at redhat.com
Tue May 13 13:33:10 UTC 2014


On 13.5.2014 15:20, Nathaniel McCallum wrote:
> On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 13.5.2014 01:39, Nathaniel McCallum wrote:
>>> The attached patch implements the OTP Token import script. However, it
>>> doesn't work. Specifically, at the bottom of the file, when I call
>>> otptoken-add, I get: Unknown option: digits
>>>
>>> If I prefix "ipatoken" to "digits", I get: Unknown option:
>>> ipatokendigits
>>
>> The attribute is called "ipatokenotpdigits", according to the otptoken
>> plugin.
>
> Gah! I've been looking at this code too long.
>
>>> If I remove "**options", I get: invalid 'ipatokenuniqueid':
>>> Gettext('must be Unicode text', domain='ipa', localedir=None)
>>
>> I guess you are trying to use a str object for ipauniqueid. You must use
>> a unicode object.
>
> Do I need to convert all the strings from the XML parsing to unicode?

You need to make sure that values of all Str params are all unicode.

>
>>> If I specify the id manually as u'foo', I get: no context.ldap2 in
>>> thread 'MainThread'
>>
>> You need to connect to LDAP with ldap2.connect before running any commands.
>
> Is there a canonical example of how to do this?

See CACertManage.ldap_connect in my patch 251.2.

>
>>> What do I need to do in order to setup and call the otptoken-add command
>>> properly?
>>
>> Is ipa-otptoken-import intended to be run on IPA servers only? Because I
>> don't see anything in the code that would mandate that.
>
> No. However, this is part of a long conversation previously on this
> list. The parsing and otptoken_add need to happen on the client-side
> because we will catch any failures and write out a client-side "tokens
> not added" xml file. We also need to do this because this process may
> take a long time (thousands of tokens) and the HTTP API doesn't have
> infrastructure for long-running calls.
>
> So the requirement here is that it runs on the client side with a direct
> LDAP connection. The bind user should be the user running the script,
> not directory manager.

OK, thanks for clarification.

>
> Nathaniel
>

-- 
Jan Cholasta
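The thread above touches three separate problems: the option is named ipatokenotpdigits (not digits), every Str param must be given Unicode text rather than a Python 2 str, and ldap2 has to be connected before any command is called. The following is an added example, not Nathaniel's patch and not FreeIPA's own code, showing a client-side import loop built around those three points. The XML layout (a <tokens> root with <token> children carrying <serial>, <description> and <digits>) is constructed for illustration and is not the real token file format; the choice of which params are Str and which are Int, and the exact ipalib bootstrap/connect calls in main(), are assumptions to be checked against the plugin and against CACertManage.ldap_connect in patch 251.2.

```python
import sys
import xml.etree.ElementTree as ET

# Python 2 has a separate unicode type; on Python 3, str is already Unicode text.
text_type = str if sys.version_info[0] >= 3 else unicode  # noqa: F821

# Map from the constructed XML element names to the option names otptoken-add
# expects. Assumption: ipatokenuniqueid and description are Str params.
XML_TO_STR_PARAM = {
    'serial': 'ipatokenuniqueid',
    'description': 'description',
}


def to_text(value, encoding='utf-8'):
    """Return value as Unicode text; on Python 2 this decodes str/bytes."""
    if isinstance(value, text_type):
        return value
    if isinstance(value, bytes):
        return value.decode(encoding)
    return text_type(value)


def token_kwargs(elem):
    """Build the keyword arguments for one otptoken-add call from a <token> element."""
    kwargs = {}
    for xml_name, param_name in XML_TO_STR_PARAM.items():
        child = elem.find(xml_name)
        if child is not None and child.text is not None:
            # Str params must be Unicode, otherwise the framework rejects the value.
            kwargs[param_name] = to_text(child.text.strip())
    digits = elem.find('digits')
    if digits is not None and digits.text:
        # Assumption: ipatokenotpdigits is an Int param, so pass an int here.
        kwargs['ipatokenotpdigits'] = int(digits.text.strip())
    return kwargs


def parse_tokens(xml_text):
    """Parse the constructed XML document into a list of keyword-argument dicts."""
    root = ET.fromstring(xml_text)
    return [token_kwargs(t) for t in root.findall('token')]


def import_tokens(tokens, add_command):
    """Call add_command(uniqueid, **options) for every token.

    Failures are collected rather than aborting the run, so the caller can
    write out a "tokens not added" report as the thread describes.
    Returns (added_ids, [(failed_id, error_message), ...]).
    """
    added, failed = [], []
    for kwargs in tokens:
        options = dict(kwargs)
        uniqueid = options.pop('ipatokenuniqueid')
        try:
            add_command(uniqueid, **options)
            added.append(uniqueid)
        except Exception as exc:  # keep going; record the failure for the report
            failed.append((uniqueid, str(exc)))
    return added, failed


# Constructed sample input in the illustrative XML layout (not a real token file).
SAMPLE_XML = u"""<tokens>
  <token><serial>tok-0001</serial><description>desk phone</description><digits>6</digits></token>
  <token><serial>tok-0002</serial><digits>8</digits></token>
</tokens>"""


if __name__ == '__main__':
    # Assumption: ipalib is importable on the client and ldap2.connect() takes
    # no mandatory arguments here; confirm against CACertManage.ldap_connect.
    from ipalib import api
    api.bootstrap(context='cli')
    api.finalize()
    api.Backend.ldap2.connect()  # must happen before any command is invoked
    tokens = parse_tokens(open(sys.argv[1]).read())
    added, failed = import_tokens(tokens, api.Command.otptoken_add)
    print('added %d, failed %d' % (len(added), len(failed)))
    for uniqueid, message in failed:
        print('%s: %s' % (uniqueid, message))
```

The import loop takes the add command as a parameter so the parsing and failure-collection logic can be exercised without a server; in the real script api.Command.otptoken_add is passed in after ldap2 is connected.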
