[Freeipa-devel] [PATCH 0074] Make token window sizes configurable

Martin Kosek mkosek at redhat.com
Fri Nov 7 07:58:56 UTC 2014


On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
> On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
>> On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
>>> On 10/29/2014 10:37 AM, Martin Kosek wrote:
>>>> On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
>>>>> On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
>>>>>> This patch gives the administrator variables to control the size of
>>>>>> the authentication and synchronization windows for OTP tokens.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4511
>>>>>>
>>>>>> NOTE: There is one known issue with this patch which I don't know how to
>>>>>> solve. This patch changes the schema in install/share/60ipaconfig.ldif.
>>>>>> On an upgrade, all of the new attributeTypes appear correctly. However,
>>>>>> the modifications to the pre-existing objectClass do not show up on the
>>>>>> server. What am I doing wrong?
>>>>>>
>>>>>> After modifying ipaGuiConfig manually, everything in this patch works
>>>>>> just fine.
>>>>>
>>>>> This new version takes into account the new (proper) OIDs and attribute
>>>>> names.
>>>>
>>>> Thanks Nathaniel!
>>>>
>>>>> The above known issue still remains.
>>>>
>>>> Petr3, any idea what could have gone wrong? ObjectClass MAY list extension
>>>> should work just fine, AFAIK.
>>>
>>> You added a blank line to the LDIF file. This is an entry separator, so
>>> the objectClasses after the blank line don't belong to cn=schema, so
>>> they aren't considered in the update.
>>> Without the blank line it works fine.
>>
>> Thanks for the catch!
>>
>> Here is a version without the blank line.
>
> I forgot to remove the old steps defines. This patch performs this
> cleanup.

I am now wondering, is the global config object really the best place to add
these OTP specific settings?

I would prefer not to overload the object and instead:
- create new ipaOTPConfig objectclass
- add it to cn=otp,$SUFFIX
- create otpconfig-mod and otpconfig-show commands to follow an example of 
dnsconfig-* and trustconfig-* commands

IMO, this would allow more flexibility for the OTP settings and would also 
scale better for the future updates.

Martin
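
The blank-line problem Petr Viktorin describes in the quoted thread above can be checked for mechanically before an upgrade. The following is an added example, not part of the original message or of the FreeIPA code base; the sample LDIF, its OIDs and its attribute names are constructed placeholders, and `split_records` and `orphaned_records` are hypothetical helper names.

```python
# Added example: find LDIF records that a stray blank line has cut off
# from their entry. SAMPLE_LDIF is constructed; its OIDs and names are
# placeholders, not the definitions from the patch.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.1.1 NAME 'exampleAuthWindow' )
attributeTypes: ( 1.1.2 NAME 'exampleSyncWindow' )

objectClasses: ( 1.1.3 NAME 'exampleConfig' MAY ( exampleAuthWindow $
  exampleSyncWindow ) )
"""


def split_records(text):
    """Split LDIF into (first_line_number, logical_lines) records.

    An empty line ends the current record. Comment lines are dropped and
    folded lines (leading space) are joined to the line they continue.
    """
    records, current, start, in_comment = [], [], None, False
    for number, raw in enumerate(text.splitlines(), 1):
        if raw == "":                      # entry separator
            if current:
                records.append((start, current))
            current, start, in_comment = [], None, False
        elif raw.startswith("#"):
            in_comment = True
        elif raw.startswith(" "):          # continuation of previous line
            if not in_comment and current:
                current[-1] += raw[1:]
        else:
            in_comment = False
            if start is None:
                start = number
            current.append(raw)
    if current:
        records.append((start, current))
    return records


def orphaned_records(text):
    """Return (line_number, attribute) for records that lack a dn: line."""
    orphans = []
    for start, lines in split_records(text):
        if lines[0].lower().startswith("version:"):
            lines = lines[1:]              # optional LDIF version header
        if lines and not lines[0].lower().startswith("dn:"):
            orphans.append((start, lines[0].split(":", 1)[0]))
    return orphans
```

Running `orphaned_records` over the sample reports the `objectClasses` record at line 5, which is the part that no longer belongs to `cn=schema`; with the blank line removed it reports nothing.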



