[Freeipa-devel] [PATCH 0074] Make token window sizes configurable

Nathaniel McCallum npmccallum at redhat.com
Wed Nov 12 22:37:40 UTC 2014


On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:
> On 11/07/2014 04:44 PM, Petr Vobornik wrote:
> > On 7.11.2014 08:58, Martin Kosek wrote:
> >> On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
> >>> On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
> >>>> On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
> >>>>> On 10/29/2014 10:37 AM, Martin Kosek wrote:
> >>>>>> On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
> >>>>>>> On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
> >>>>>>>> This patch gives the administrator variables to control the size of
> >>>>>>>> the authentication and synchronization windows for OTP tokens.
> >>>>>>>>
> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4511
> >>>>>>>>
> >>>>>>>> NOTE: There is one known issue with this patch which I don't know
> >>>>>>>> how to solve. This patch changes the schema in
> >>>>>>>> install/share/60ipaconfig.ldif. On an upgrade, all of the new
> >>>>>>>> attributeTypes appear correctly. However, the modifications to the
> >>>>>>>> pre-existing objectClass do not show up on the server. What am I
> >>>>>>>> doing wrong?
> >>>>>>>>
> >>>>>>>> After modifying ipaGuiConfig manually, everything in this patch
> >>>>>>>> works just fine.
> >>>>>>>
> >>>>>>> This new version takes into account the new (proper) OIDs and
> >>>>>>> attribute names.
> >>>>>>
> >>>>>> Thanks Nathaniel!
> >>>>>>
> >>>>>>> The above known issue still remains.
> >>>>>>
> >>>>>> Petr3, any idea what could have gone wrong? ObjectClass MAY list
> >>>>>> extension should work just fine, AFAIK.
> >>>>>
> >>>>> You added a blank line to the LDIF file. This is an entry separator, so
> >>>>> the objectClasses after the blank line don't belong to cn=schema, so
> >>>>> they aren't considered in the update.
> >>>>> Without the blank line it works fine.
> >>>>
> >>>> Thanks for the catch!
> >>>>
> >>>> Here is a version without the blank line.
> >>>
> >>> I forgot to remove the old steps defines. This patch performs this
> >>> cleanup.
> >>
> >> I am now wondering, is the global config object really the best place to
> >> add these OTP specific settings?
> >>
> >> I would prefer not to overload the object and instead:
> >> - create new ipaOTPConfig objectclass
> >> - add it to cn=otp,$SUFFIX
> >> - create otpconfig-mod and otpconfig-show commands to follow an example
> >> of dnsconfig-* and trustconfig-* commands
> >>
> >> IMO, this would allow more flexibility for the OTP settings and would
> >> also scale better for the future updates.
> > 
> > +1
> > 
> > I will comment the patch as if ^^ would not exist because it will still be
> > needed in the new plugin.
> > 
> > Because of ^^ I did not test, just read.
> > 
> > 1. Got:
> > install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not
> > recommended in array initializers
> > 
> > Please run:
> >   jsl -nofilelisting -nosummary -nologo -conf jsl.conf
> > in install/ui directory
> > 
> > The goal is to have no warnings and errors.
> > 
> > 2. new attrs should be added to 'System: Read Global Configuration' managed
> > permission
> 
> +1. Though if we go with OTP config, it should be called
> 
> System: Read OTP Configuration
> 
> Martin

Attached is a new set of patches that replaces this single patch. This
now fixes multiple issues.

I now create two new entries:
 * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
 * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX

There are two corresponding CLI commands:
 * totpconfig-(show|mod)
 * hotpconfig-(show|mod)

There is no UI support for this yet (pointers welcome).

This is designed so that eventually tokens can grow a per-token
override, but I have not yet implemented this feature (it should be easy
in the future).

Additionally, I had to do some shared refactoring to address issues in
ipa-otp-lasttoken, which is why all of these are now merged into a
single patch set.

Nathaniel
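As an added illustration of the two windows this patch set makes configurable (this is example code written for this page, not code from the FreeIPA patches; it assumes the common model where the authentication window bounds how far ahead of the stored counter, or how many time steps around the current one, a code may be accepted, and the larger synchronization window is only consulted when two consecutive codes are presented; the key is the RFC 4226 test-vector key):

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test-vector key, not a real token seed.
RFC4226_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to the requested number of decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(key: bytes, counter: int, code: str, auth_window: int):
    """Accept the code if it matches any counter in [counter, counter + auth_window].
    Returns the new server counter (one past the match), or None on failure.
    A larger window tolerates more skipped presses but widens what is accepted."""
    for step in range(auth_window + 1):
        if hmac.compare_digest(hotp(key, counter + step), code):
            return counter + step + 1
    return None


def sync_hotp(key: bytes, counter: int, first: str, second: str, sync_window: int):
    """Resynchronize a token that drifted past the auth window: require two
    consecutive codes somewhere inside the (larger) sync window."""
    for step in range(sync_window + 1):
        c = counter + step
        if (hmac.compare_digest(hotp(key, c), first)
                and hmac.compare_digest(hotp(key, c + 1), second)):
            return c + 2
    return None


def verify_totp(key: bytes, now: int, code: str, auth_window: int, step: int = 30) -> bool:
    """TOTP (RFC 6238) is HOTP over the time-step counter; the auth window is
    the number of steps accepted on either side of the current one."""
    current = now // step
    return any(hmac.compare_digest(hotp(key, current + d), code)
               for d in range(-auth_window, auth_window + 1))
```

Running the checks against the RFC 4226 vectors shows why the sync window can be larger than the auth window without loosening single-code acceptance: one code only moves the counter inside the auth window, while the resync path demands two consecutive codes.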
Attachments (non-text attachments scrubbed by the list archive; all of type text/x-patch):
 * 0004-Make-token-auth-and-sync-windows-configurable.patch (39877 bytes)
   <http://listman.redhat.com/archives/freeipa-devel/attachments/20141112/7fceb113/attachment.bin>
 * 0003-Enable-last-token-deletion-when-password-auth-type-i.patch (10624 bytes)
   <http://listman.redhat.com/archives/freeipa-devel/attachments/20141112/7fceb113/attachment-0001.bin>
 * 0002-Move-authentication-configuration-cache-into-libotp.patch (38558 bytes)
   <http://listman.redhat.com/archives/freeipa-devel/attachments/20141112/7fceb113/attachment-0002.bin>
 * 0001-Preliminary-refactoring-of-libotp-files.patch (24468 bytes)
   <http://listman.redhat.com/archives/freeipa-devel/attachments/20141112/7fceb113/attachment-0003.bin>