On Thu, 09 Jan 2014, Nathaniel McCallum wrote:
New RPMs are up: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
Just as a note -- we can use the copr service to provide a better experience
for testing. I made a copr repo with the previous patchset last year:
http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
Any Fedora contributor can make their own copr repositories.

WHAT'S NEW IN THE RPMS?
* 389ds OTP Last Token Plugin
* 389ds OTP Sync Plugin
* HOTP token support
* OTP UI is now working

All of the non-UI code is currently on the list. Petr is working on UI
cleanup. You can see all the patches here:
https://github.com/npmccallum/freeipa/tree/otp
https://github.com/npmccallum/freeipa/tree/otpui

KNOWN ISSUES
Setting User Auth Type globally doesn't work:
https://fedorahosted.org/freeipa/ticket/4105

SELinux is broken on F20 (should be fixed in rawhide):
https://bugzilla.redhat.com/show_bug.cgi?id=970163
There seem to be two parts, one is covered by this bug and another one
is related to SSSD/logind communication:

allow sssd_t systemd_logind_var_run_t:dir search;
allow sssd_t systemd_logind_var_run_t:file { read getattr open };

Users can't add their own tokens. A patch to fix this is in the RPMs,
but currently has a bug. A workaround exists. Details are here:
https://www.redhat.com/archives/freeipa-devel/2014-January/msg00068.html

Alexander Bokovoy (I think) found some issues when interacting with
pkinit. I don't know the state of this.
It is unclear what exactly happens, but from Jakub Hrozek's testing we
saw that on the client side (preauth2.c), in the tryagain() code, the
'pkinit' module gets control despite the 'otp' module returning success
and modified pa_data. 'pkinit' cannot process pa_data afterwards and
therefore returns an error, which is interpreted by libkrb5 as a failure
of preauth processing.

Alexander Bokovoy found a bug with SSSD that has (a few minutes ago)
been patched. Details are here:
https://lists.fedorahosted.org/pipermail/sssd-devel/2014-January/017934.html

STILL NEEDED
* UI patches polished and sent to the list.
* OTP Sync Client (both CLI and UI).
I'll get through the otp patch reviews next week.



Nathaniel

On Fri, 2013-12-13 at 15:57 -0500, Nathaniel McCallum wrote:
This is an email to track the status of the OTP project as we push
toward completion. I'm also attempting to get all the pieces in play so
that they are testable.

RPMs
Available here: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
These currently contain the CLI and UI patches, but exclude the DS
plugin patch. I will merge this last patch in when submitted to the
list.

OTP CLI
All of the patches are merged except npmccallum-0024, which is
undergoing active review.
https://www.redhat.com/archives/freeipa-devel/2013-December/msg00102.html

OTP UI
Thanks to Petr Vobornik for his set of patches implementing the UI. They
can be found rebased on top of my otp changes here:
https://github.com/npmccallum/freeipa/commits/otpui

Authentication methods and RADIUS proxy support seem to be fully
functional and I have not encountered any bugs. I'm not currently able
to get the OTP UI to show up at all (I may well be doing something
wrong).

I believe Petr plans to clean these up and resubmit them to the list.

One additional patch will be required for the token sync extop.

DS PLUGIN
I am nearing completion on the DS plugin providing support for deletion
protection and the token sync extop. This should hit the list next week.

OTHER
Am I missing anything?

Nathaniel

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



--
/ Alexander Bokovoy
