[Freeipa-users] otp issue: can't log in with password+otp

Jan Pazdziora jpazdziora at redhat.com
Fri Sep 25 07:22:19 UTC 2015


On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> >
> >Well, we have separate daemon listening on the
> >/var/run/krb5kdc/DEFAULT.socket in the container which should start
> >the ipa-otpd@.service when there's a connection made to it. But
> >somehow it does not seem to be happening even if I fix the parsing of
> >/etc/ipa/default.conf that ipa-otpd@.service is doing.
> As I wrote earlier, ipa-otpd relies on the socket activation feature of
> systemd -- systemd opens this socket and listens for incoming
> connections. Any incoming connection causes the ipa-otpd daemon to start
> and connects its stdin/stdout to the socket's client.

And in the container there is no systemd so I emulate it there by just
running a separate daemon listening on that socket which will fork
that ipa-otpd daemon.

> >What is the simplest way to trigger the connection to
> >/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> Use socat. Something like
> socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd

I meant, how do I cause the IPA stack (KDC?) to make the connection
and communication with the ipa-otpd daemon?

Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
path (so if Duncan managed to sync the token, it worked for him at
least once) in any way or does it bypass it?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
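The container-side emulation Jan describes (a daemon on /var/run/krb5kdc/DEFAULT.socket that spawns ipa-otpd per connection, i.e. systemd's Accept=yes behaviour) and a debug client for poking that socket without a KDC, as an added example that is not code from this thread or from FreeIPA. The names activate, exchange and run_demo are my own; the self-test runs `cat` in place of /usr/libexec/ipa-otpd because the real daemon expects the KDC's RADIUS packets on that socket.

```python
import os
import socket
import subprocess
import tempfile
import threading
import time

def activate(sock_path, argv, max_conns=None):
    """Emulate systemd Accept=yes: per accepted connection on sock_path, spawn argv
    with stdin/stdout attached to it. Returns connections served (forever if None)."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)                  # same idea as socat's unlink-early
    served = 0
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(16)
        while max_conns is None or served < max_conns:
            conn, _ = srv.accept()
            with conn:                        # parent drops its copy so EOF reaches the client
                handler = subprocess.Popen(argv, stdin=conn, stdout=conn)
            threading.Thread(target=handler.wait, daemon=True).start()  # reap on exit
            served += 1
    return served

def _connect(sock_path):
    for _ in range(50):                       # the server thread may still be binding
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            cli.connect(sock_path)
            return cli
        except (FileNotFoundError, ConnectionRefusedError):
            cli.close()
            time.sleep(0.05)
    raise ConnectionRefusedError(sock_path)

def exchange(sock_path, payload):
    """Debug client: connect, send payload, half-close, return the handler's reply."""
    with _connect(sock_path) as cli:
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: cli.recv(4096), b""))

def run_demo(argv, payload):
    # Constructed self-test: serve one connection in a thread and return the reply.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "DEFAULT.socket")
        server = threading.Thread(target=activate, args=(path, argv, 1))
        server.start()
        reply = exchange(path, payload)
        server.join()
        return reply
```

Note that activate() is only the socket-activation shim; whether ipa-otpd then answers depends on its own parsing of /etc/ipa/default.conf and its LDAP/RADIUS back ends, which this example does not exercise.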
