[Freeipa-users] change min and max lifetime of random password

Dmitri Pal dpal at redhat.com
Sun Mar 30 15:24:49 UTC 2014


On 03/29/2014 08:54 AM, Stijn De Weirdt wrote:
> hi all,
>
>> IMO we should not treat the OTP we set for the host enrollment as a
>> kerberos password.
>> I would rather record a time of the creation and validity period when
>> the password is set in two new attributes. The validity period should be
>> optional and if not provided copied from a system wide policy that can
>> be set by default to say 10 min. When we do authentication with OTP we
>> should check whether we are already beyond the point when the OTP is
>> valid and fail enrollment.  When we validate and clear OTP we do not
>> need to change these two attributes, they contain valuable info that
>> might be queried later.
>>
> i like this idea. full host password policy is probably overkill for 
> an OTP that only makes sense once in the lifetime of the host (OTP 
> here means not only is the password itself only valid once; the whole 
> password authentication is only valid/usable once).
>
> btw, is it easy (as in API exists) to add new (site specific) 
> attributes for a host? if so, i can already toy around with it for 
> now. (storing the creation time in it and some cron job might suffice 
> for now)
>
> stijn
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


Here is a starting point.
http://www.freeipa.org/page/Contribute/Code

You need to create
a) Design
- You can distill this thread into a couple of paragraphs
b) Schema
   - try to reuse existing attributes if possible instead of inventing 
new ones
   - define a new AUXILIARY object class that would contain these attributes
   - Load schema into the project, make it a part of the source code, 
installation and update/upgrade
c) Plugin to manage
   - Create a python mgmt framework plugin to set these attributes when 
the OTP is created.
   - See http://abbra.fedorapeople.org/guide.html on how to do it
   - You probably want to make the field(s) visible in the UI but read 
only to show how much time is left for enrollment, but this can be a 
separate RFE done later.
d) Enrollment logic
   - You need to fix the enrollment logic to validate these new 
attributes during the enrollment. IMO it should be backward compatible 
meaning that if host entry does not have these attributes the enrollment 
does not expire (something to mention on the design page).

It sounds like a lot but it is not once you get more experienced with the 
system. If you can do at least parts of that, it would be great.
Good luck!

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
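Added example (not from the thread and not FreeIPA project code): the checks steps c) and d) above describe, written as plain Python over a dict shaped like the attribute lists FreeIPA's LDAP layer returns. The attribute names ipaHostOTPCreated and ipaHostOTPValidity and the 10-minute default are assumptions standing in for the "two new attributes" and the "system wide policy" Dmitri mentions; the creation time is stored in the LDAP generalizedTime form (YYYYmmddHHMMSSZ). An entry without the attributes never expires, which is the backward-compatibility rule from step d).

```python
from datetime import datetime, timedelta, timezone

# Hypothetical attribute names: the thread only says "two new attributes".
# They are NOT part of the real FreeIPA schema.
OTP_CREATED_ATTR = "ipaHostOTPCreated"    # LDAP generalizedTime, e.g. 20140329125400Z
OTP_VALIDITY_ATTR = "ipaHostOTPValidity"  # validity period in seconds, optional
DEFAULT_OTP_VALIDITY = timedelta(minutes=10)  # assumed system-wide policy default


def parse_generalized_time(value):
    """Parse the whole-second UTC generalizedTime form (YYYYmmddHHMMSSZ).

    Fractional seconds and non-UTC offsets are not handled; FreeIPA writes the
    plain 'Z' form, and anything else is rejected rather than silently accepted.
    """
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    """Inverse of parse_generalized_time; always emits UTC with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def record_otp_issued(entry, now, validity=None):
    """Step c): what the management plugin sets when an enrollment OTP is created.

    `entry` models an LDAP entry as {attribute: [values]}.  If no per-host
    validity is given the attribute is left absent so the system-wide default
    applies at check time, as proposed in the thread.
    """
    entry[OTP_CREATED_ATTR] = [format_generalized_time(now)]
    if validity is None:
        entry.pop(OTP_VALIDITY_ATTR, None)
    else:
        entry[OTP_VALIDITY_ATTR] = [str(int(validity.total_seconds()))]
    return entry


def otp_deadline(entry, default_validity=DEFAULT_OTP_VALIDITY):
    """Return the instant after which the OTP must be refused.

    Returns None for entries that predate the feature (no creation time
    recorded): such OTPs never expire, keeping old hosts enrollable.
    """
    created = entry.get(OTP_CREATED_ATTR)
    if not created:
        return None
    validity = entry.get(OTP_VALIDITY_ATTR)
    period = timedelta(seconds=int(validity[0])) if validity else default_validity
    return parse_generalized_time(created[0]) + period


def otp_enrollment_allowed(entry, now, default_validity=DEFAULT_OTP_VALIDITY):
    """Step d): the check enrollment performs before accepting the OTP."""
    deadline = otp_deadline(entry, default_validity)
    return deadline is None or now <= deadline


def otp_seconds_remaining(entry, now, default_validity=DEFAULT_OTP_VALIDITY):
    """Value for the read-only UI field: seconds left, 0 once expired, None if no expiry."""
    deadline = otp_deadline(entry, default_validity)
    if deadline is None:
        return None
    return max(0, int((deadline - now).total_seconds()))


if __name__ == "__main__":
    # Constructed sample: OTP issued 2014-03-29 12:54:00 UTC with the default validity.
    issued = datetime(2014, 3, 29, 12, 54, 0, tzinfo=timezone.utc)
    host = record_otp_issued({"fqdn": ["client.example.test"]}, issued)
    print(host[OTP_CREATED_ATTR][0], otp_deadline(host))
    print("allowed at +9m:", otp_enrollment_allowed(host, issued + timedelta(minutes=9)))
    print("allowed at +11m:", otp_enrollment_allowed(host, issued + timedelta(minutes=11)))
```

Note that the check is done against the server's clock, not the client's, so it should live in the enrollment path on the server side; the expiry attributes are deliberately left in place after a successful enrollment, as the thread suggests, so they can still be queried later.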

