[Freeipa-users] change min and max lifetime of random password
Dmitri Pal
dpal at redhat.com
Sun Mar 30 15:24:49 UTC 2014
On 03/29/2014 08:54 AM, Stijn De Weirdt wrote:
> hi all,
>
>> IMO we should not treat the OTP we set for the host enrollment as a
>> kerberos password.
>> I would rather record a time of the creation and validity period when
>> the password is set in two new attributes. The validity period should be
>> optional and if not provided copied from a system wide policy that can
>> be set by default to say 10 min. When we do authentication with OTP we
>> should check whether we are already beyond the point when the OTP is
>> valid and fail enrollment. When we validate and clear OTP we do not
>> need to change these two attributes, they contain valuable info that
>> might be queried later.
>>
> i like this idea. full host password policy is probably overkill for
> an OTP that only makes sense once in the lifetime of the host (OTP
> here means not only is the password itself only valid once; the whole
> password authentication is only valid/usable once).
>
> btw, is it easy (as in API exists) to add new (site specific)
> attributes for a host? if so, i can already toy around with it for
> now. (storing the creation time in it and some cron job might suffice
> for now)
>
> stijn
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Here is a starting point.
http://www.freeipa.org/page/Contribute/Code
You need to create
a) Design
- You can distill this thread into a couple of paragraphs
b) Schema
- try to reuse existing attributes if possible instead of inventing
new ones
- define a new AUXILIARY object class that would contain these attributes
- Load schema into the project, make it a part of the source code,
installation and update/upgrade
c) Plugin to manage
- Create a python mgmt framework plugin to set these attributes when
the OTP is created.
- See http://abbra.fedorapeople.org/guide.html on how to do it
- You probably want to make the field(s) visible in the UI but read
only to show how much time is left for enrollment, but this can be a
separate RFE done later.
d) Enrollment logic
- You need to fix the enrollment logic to validate these new
attributes during the enrollment. IMO it should be backward compatible
meaning that if host entry does not have these attributes the enrollment
does not expire (something to mention on the design page).
It sounds like a lot but it is not once you get more experienced with the
system. If you can do at least parts of that, it would be great.
Good luck!
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
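The enrollment check sketched in this thread (record an OTP creation time and an optional validity period, fall back to a system-wide default of 10 minutes, fail enrollment once the window has passed, and treat hosts without the new attributes as never expiring), as an added example that is not FreeIPA code and not from anyone on the thread. The attribute names, the dict standing in for an LDAP host entry, and the use of LDAP GeneralizedTime strings are all assumptions made here; the real schema and plugin would be designed as the message above describes.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical attribute names: the thread proposes two new attributes but
# does not name them. These are placeholders, not FreeIPA schema.
OTP_CREATED_ATTR = "x-otpcreationtime"     # hypothetical, LDAP GeneralizedTime
OTP_VALIDITY_ATTR = "x-otpvalidityperiod"  # hypothetical, whole seconds

# System-wide default validity period suggested in the thread (10 minutes).
DEFAULT_OTP_VALIDITY_SECONDS = 10 * 60

# LDAP GeneralizedTime in UTC, e.g. "20140330152449Z"
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def _parse_time(value):
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def otp_window(entry, default_validity=DEFAULT_OTP_VALIDITY_SECONDS):
    """Return (created, expires) for the host's OTP, or None when the entry
    carries no creation time (legacy host: the OTP never expires)."""
    created_raw = entry.get(OTP_CREATED_ATTR)
    if not created_raw:
        return None
    created = _parse_time(created_raw)
    validity_raw = entry.get(OTP_VALIDITY_ATTR)
    # Per-host validity wins; otherwise the system-wide policy applies.
    validity = int(validity_raw) if validity_raw else default_validity
    return created, created + timedelta(seconds=validity)


def otp_still_valid(entry, now, default_validity=DEFAULT_OTP_VALIDITY_SECONDS):
    """Decide whether enrollment with the host's OTP may proceed at `now`
    (a GeneralizedTime string).

    Backward compatible as the thread requires: entries without the new
    attributes never expire. Otherwise enrollment fails once `now` reaches
    creation time + validity period. Nothing here clears the attributes on
    success; the thread wants them kept for later queries."""
    window = otp_window(entry, default_validity)
    if window is None:
        return True
    created, expires = window
    return created <= _parse_time(now) < expires


def set_otp_attributes(entry, now, validity_seconds=None):
    """What the management plugin would do when an OTP is created: stamp the
    creation time and, if given, a per-host validity period. Returns a new
    dict standing in for the modified LDAP entry."""
    updated = dict(entry)
    updated[OTP_CREATED_ATTR] = _parse_time(now).strftime(GENERALIZED_TIME)
    if validity_seconds is not None:
        updated[OTP_VALIDITY_ATTR] = str(int(validity_seconds))
    else:
        updated.pop(OTP_VALIDITY_ATTR, None)
    return updated


def seconds_left(entry, now, default_validity=DEFAULT_OTP_VALIDITY_SECONDS):
    """Remaining enrollment time in whole seconds, for the read-only UI field
    mentioned in the thread; None when the OTP does not expire."""
    window = otp_window(entry, default_validity)
    if window is None:
        return None
    remaining = (window[1] - _parse_time(now)).total_seconds()
    return max(0, int(remaining))


if __name__ == "__main__":
    # Constructed sample host entries.
    host = set_otp_attributes({"fqdn": "client.example.test"}, "20140330150000Z")
    print(otp_still_valid(host, "20140330150500Z"))   # inside the 10 min window
    print(otp_still_valid(host, "20140330151100Z"))   # expired
    print(otp_still_valid({"fqdn": "legacy.example.test"}, "20140330150000Z"))
```

The boundary is deliberately half-open: an OTP created at T with validity V is accepted for `T <= now < T+V`, so a check at exactly T+V fails. A real plugin would read the default from the server's policy object rather than a module constant.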