[Freeipa-devel] [WIP] OTP Token Import

Dmitri Pal dpal at redhat.com
Tue May 13 14:40:12 UTC 2014


On 05/13/2014 09:33 AM, Jan Cholasta wrote:
> On 13.5.2014 15:20, Nathaniel McCallum wrote:
>> On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 13.5.2014 01:39, Nathaniel McCallum wrote:
>>>> The attached patch implements the OTP Token import script. However, it
>>>> doesn't work. Specifically, at the bottom of the file, when I call
>>>> otptoken-add, I get: Unknown option: digits
>>>>
>>>> If I prefix "ipatoken" to "digits", I get: Unknown option:
>>>> ipatokendigits
>>>
>>> The attribute is called "ipatokenotpdigits", according to the otptoken
>>> plugin.
>>
>> Gah! I've been looking at this code too long.
>>
>>>> If I remove "**options", I get: invalid 'ipatokenuniqueid':
>>>> Gettext('must be Unicode text', domain='ipa', localedir=None)
>>>
>>> I guess you are trying to use a str object for ipauniqueid. You must use a unicode object.
>>
>> Do I need to convert all the strings from the XML parsing to unicode?
>
> You need to make sure that the values of all Str params are unicode.
>
>>
>>>> If I specify the id manually as u'foo', I get: no context.ldap2 in
>>>> thread 'MainThread'
>>>
>>> You need to connect to LDAP with ldap2.connect before running any commands.
>>
>> Is there a canonical example of how to do this?
>
> See CACertManage.ldap_connect in my patch 251.2.
>
>>
>>>> What do I need to do in order to set up and call the otptoken-add command properly?
>>>
>>> Is ipa-otptoken-import intended to be run on IPA servers only? Because I don't see anything in the code that would mandate that.
>>
>> No. However, this is part of a long conversation previously on this
>> list. The parsing and otptoken_add needs to happen on the client-side
>> because we will catch any failures and write out a client-side "tokens
>> not added" xml file. We also need to do this because this process may
>> take a long time (thousands of tokens) and the HTTP API doesn't have
>> infrastructure for long-running calls.
>>
>> So the requirement here is that it runs on the client side with a direct
>> LDAP connection. The bind user should be the user running the script,
>> not directory manager.
>
> OK, thanks for clarification.

Do not forget to document this part.

>
>>
>> Nathaniel
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
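The client-side design Nathaniel describes above (parse the token file on the client, add tokens one at a time over a direct LDAP connection bound as the invoking user, catch each failure and write the entries that were not added to a "tokens not added" XML file), as an added Python example. This is not the project's ipa-otptoken-import script: the <tokens>/<token> layout of the sample input, the add_token stand-in for otptoken_add, and the ldap2 wiring shown in the trailing comment are assumptions for illustration. The only attribute names taken from the thread are ipatokenuniqueid and ipatokenotpdigits.

```python
"""Client-side OTP token import loop (added example, not FreeIPA code).

Shows the design discussed in the thread: the client parses the token
file, adds tokens one at a time, records each failure instead of
aborting, and writes the entries that were not added to a separate XML
file so a later run can retry only those.

Assumptions not taken from the thread: the <tokens>/<token> layout of
SAMPLE_XML is invented, and add_token() stands in for
api.Command.otptoken_add(uniqueid, **options) called over a direct LDAP
connection bound as the user running the script.
"""
import xml.etree.ElementTree as ET

# Constructed sample input; real token files look different.
SAMPLE_XML = """\
<tokens>
  <token id="tok-1" digits="6"/>
  <token id="tok-2" digits="8"/>
  <token id="tok-3"/>
</tokens>
"""


def to_text(value):
    """Return value as text. Str params of IPA commands must be unicode;
    on Python 2 this is the str -> unicode step the thread calls for."""
    if isinstance(value, bytes):
        return value.decode("utf-8")
    return str(value)


def parse_tokens(xml_text):
    """Yield (uniqueid, options) for each <token> in the constructed layout."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("token"):
        uniqueid = to_text(elem.get("id"))
        options = {}
        digits = elem.get("digits")
        if digits is not None:
            # The otptoken plugin calls this ipatokenotpdigits,
            # not "digits" or "ipatokendigits".
            options["ipatokenotpdigits"] = int(digits)
        yield uniqueid, options


def import_tokens(xml_text, add_token):
    """Add every token with add_token(uniqueid, **options).

    A failure for one token is recorded and the loop continues; this is
    the reason the work runs client-side, where partial progress over a
    long run of thousands of tokens can be captured. Returns
    (added_ids, failed) where failed is a list of (uniqueid, reason).
    """
    added, failed = [], []
    for uniqueid, options in parse_tokens(xml_text):
        try:
            add_token(uniqueid, **options)
        except Exception as exc:  # any server or LDAP error: keep going
            failed.append((uniqueid, str(exc)))
        else:
            added.append(uniqueid)
    return added, failed


def failed_tokens_xml(xml_text, failed):
    """Return a <tokens> document holding only the entries that failed,
    copied verbatim from the input so the operator can re-run them."""
    failed_ids = {uid for uid, _ in failed}
    root = ET.fromstring(xml_text)
    out = ET.Element("tokens")
    for elem in root.iter("token"):
        if to_text(elem.get("id")) in failed_ids:
            out.append(elem)
    return ET.tostring(out, encoding="unicode")


def demo_add_token(uniqueid, **options):
    """Stub for otptoken_add: rejects one token to exercise the failure path."""
    if uniqueid == "tok-2":
        raise ValueError("stub: token rejected")
    return dict(ipatokenuniqueid=uniqueid, **options)


def run_demo():
    """Run the import against the stub; return (added, failed, leftover_xml)."""
    added, failed = import_tokens(SAMPLE_XML, demo_add_token)
    return added, failed, failed_tokens_xml(SAMPLE_XML, failed)


if __name__ == "__main__":
    # Real wiring (assumed, not shown in the thread):
    #   from ipalib import api
    #   api.bootstrap(context="cli"); api.finalize()
    #   api.Backend.ldap2.connect()   # direct LDAP bind as the invoking user
    #   added, failed = import_tokens(open(path).read(), api.Command.otptoken_add)
    added, failed, leftover = run_demo()
    print("added:", added)
    print("failed:", failed)
    with open("tokens-not-added.xml", "w") as fh:
        fh.write(leftover)
```

The per-token try/except is the point: one bad entry must not abort a run over thousands of tokens, and the leftover file is the only record the operator gets of what still needs doing, so it is built from the original entries rather than from whatever the command returned.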
