On 10/05/2011 05:36 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>>>> I ended up not using raiseonerr=False as all I needed is a way to
>>>> break out of the loop on success so that will come sequentially if
>>>> there is no exception.
>>>>
>>>> Patch attached.
>>>
>>> This works but there is a noticeable pause on my system when ntpdate
>>> is being run. I think it would be handy to output a message saying
>>> that the date is being updated.
>> I'll add the message.
>>
>>> Is it necessary to sync the date when a one-time password is being
>>> used? It doesn't hurt but it does pause a second or three.
>> If I understand correctly, our use of OTP term for hosts is different
>> from what current IETF draft on OTP preauth with kerberos assumes.
>>
>> At least, according to IETF draft on OTP preauth with kerberos,
>> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
>> client has to submit next key if clocks have drifted which implies you
>> cannot re-use the same OTP next time. To me this looks like in OTP
>> case clocks synchronization is very important. In our OTP case it does
>> not matter except for an artificial delay...
>
> This is not Kerberos OTP, it does an LDAP simple bind.

It is more like a "nonce", it is not an OTP that can be generated based
on some hardware or software token. The Kerberos OTP draft is about
those OTPs; we are not. We are literally One Time Password.

>
>> I've added the message.
>
> Ok, I'll take a look.
>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
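
Added example, not part of the thread or of FreeIPA's code: it contrasts a time-based token code (RFC 6238 TOTP, used here as an assumed stand-in for the token OTPs the Kerberos draft covers) with a single-use enrollment password checked like a simple bind, to show why clock drift matters for one and not the other. `EnrollmentPasswords`, the host name, the password and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends on the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, server_time, window=0, step=30):
    """Accept codes from +/- `window` time steps around the server clock."""
    return any(
        hmac.compare_digest(totp(secret, server_time + i * step, step), code)
        for i in range(-window, window + 1)
    )

class EnrollmentPasswords:
    """Hypothetical in-memory model of single-use host passwords (nonce style)."""
    def __init__(self):
        self._pending = {}

    def issue(self, host, password):
        self._pending[host] = password.encode()

    def bind(self, host, password):
        """Succeeds once, whatever the client's clock says, then is consumed."""
        expected = self._pending.get(host)
        if expected is None or not hmac.compare_digest(expected, password.encode()):
            return False
        del self._pending[host]  # one time only: a replay finds nothing to match
        return True

def demo():
    secret = b"12345678901234567890"   # RFC 6238 test secret
    server_now = 1317850560            # constructed timestamp
    code = totp(secret, server_now - 120)  # client clock is two minutes slow
    store = EnrollmentPasswords()
    store.issue("client.example.com", "constructed-one-time-pw")
    return {
        "totp_strict": verify_totp(secret, code, server_now),
        "totp_window4": verify_totp(secret, code, server_now, window=4),
        "first_bind": store.bind("client.example.com", "constructed-one-time-pw"),
        "second_bind": store.bind("client.example.com", "constructed-one-time-pw"),
    }
```

The drifted TOTP code is rejected unless the server widens its acceptance window, while the enrollment password binds once regardless of the client clock and is refused on replay.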