[Freeipa-users] otp issue: can't log in with password+otp

Nathaniel McCallum npmccallum at redhat.com
Fri Sep 25 13:15:41 UTC 2015


On Fri, 2015-09-25 at 09:22 +0200, Jan Pazdziora wrote:
> On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> > > 
> > > Well, we have a separate daemon listening on the
> > > /var/run/krb5kdc/DEFAULT.socket in the container which should start
> > > the ipa-otpd@.service when there's a connection made to it. But
> > > somehow it does not seem to be happening even if I fix the parsing of
> > > /etc/ipa/default.conf that ipa-otpd@.service is doing.
> > As I wrote earlier, ipa-otpd relies on the socket activation feature of
> > systemd -- systemd opens this socket and listens for incoming
> > connections. Any incoming connection causes it to start the ipa-otpd
> > daemon and connect its stdin/stdout to the socket's client.
> 
> And in the container there is no systemd so I emulate it there by just
> running a separate daemon listening on that socket which will fork
> that ipa-otpd daemon.

Is it in the same container? Because ipa-otpd uses ldapi.

> > > What is the simplest way to trigger the connection to
> > > /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> > Use socat. Something like
> > socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd
> 
> I meant, how do I cause the IPA stack (KDC?) to make the connection
> and communication with the ipa-otpd daemon?
> 
> Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
> path (so if Duncan managed to sync the token, it worked for him at
> least once) in any way or does it bypass it?
> 
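
The emulation discussed in this thread (a listener that starts one handler per incoming connection, with the connection wired to the handler's stdin/stdout), as an added example that is not part of the original message or of FreeIPA's code. It assumes `cat` as a stand-in for `/usr/libexec/ipa-otpd` and a socket in a temporary directory rather than under `/var/run/krb5kdc/`.

```python
import os
import socket
import subprocess
import tempfile
import threading

def listen(sock_path):
    """Bind and listen on a UNIX stream socket, removing a stale file first."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)  # same purpose as socat's unlink-early
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(16)
    return srv

def serve(srv, argv, max_conns=None):
    """Start argv once per accepted connection, with the client connection
    as the handler's stdin and stdout (like socat's fork + EXEC)."""
    children, handled = [], 0
    try:
        while max_conns is None or handled < max_conns:
            conn, _ = srv.accept()
            children.append(subprocess.Popen(argv, stdin=conn, stdout=conn))
            conn.close()  # parent drops its copy; the child owns the connection
            handled += 1
            children = [c for c in children if c.poll() is None]  # reap exited
    finally:
        for child in children:
            child.wait()
        srv.close()
    return handled

def roundtrip(sock_path, payload):  # client: send, half-close, read to EOF
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    return reply

def demo():
    # Constructed setup: temporary socket path, `cat` as a stand-in handler.
    path = os.path.join(tempfile.mkdtemp(), "DEFAULT.socket")
    thread = threading.Thread(target=serve, args=(listen(path), ["cat"], 2))
    thread.start()
    replies = [roundtrip(path, b"one"), roundtrip(path, b"two")]
    thread.join()
    return replies
```

If a client connects but the handler never starts, the listener side is at fault; if the handler starts and exits immediately, check what it reads at startup (in this thread, `/etc/ipa/default.conf` and the ldapi socket).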



