[Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

Christina Fu cfu at redhat.com
Mon Jun 27 21:25:33 UTC 2016


Just a few minor ones.

* configuration parameters referencing token existence in tokendb should 
use names beginning with "tokendb", e.g.
     tokendb.allowMultiActiveTokensPerUser.externalReg=false
     tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false

* boolean allowMultiCerts  -- I think the name is misleading.  How about 
allowMultiTokens?

* existing calls to tps.tdb.tdbHasActiveToken() need to be decided:
  e.g.
    1. TPSEnrollProcessor.java: search for tdbHasActiveToken (first 
occurrence), you will find that it is called with a "TODO:" comment. I 
believe that whole try/catch with the tps.tdb.tdbHasActiveToken(userid); 
call can be removed since you already call that earlier in your patch.
    2. TPSEnrollProcessor.java, the 2nd occurrence is when the 
enrolling token is suspended.  You need to look into what it is doing at 
that point and whether that check can also be eliminated.

thanks,
Christina

On 06/24/2016 11:08 AM, John Magne wrote:
> Add ability to disallow TPS to enroll a single user on multiple tokens.
>      
>      This patch will install a check during the early portion of the enrollment
>      process to check a configurable policy whether or not a user should be allowed
>      to have more than one active token.
>      
>      This check will take place only for brand new tokens not seen before.
>      The check will prevent the enrollment to proceed and will exit before the system
>      has a chance to add this new token to the TPS tokendb.
>      
>      The behavior will be configurable for the external reg and not external reg scenarios
>      as follows:
>      
>      op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
>      op.enroll.externalReg.allowMultiActiveTokensUser=false
>
>