In attempting to write an OTP synchronization client, I've noticed it doesn't fit into the framework very well. The job of the client is to perform the synchronization extended operation. The format of the request is this:
OTPSyncRequestValue ::= SEQUENCE { userDN OCTET STRING, tokenDN [0] OCTET STRING OPTIONAL, firstFactor [1] OCTET STRING OPTIONAL, firstCode INTEGER, secondCode INTEGER } In all cases, the user MUST provide two token codes and MAY provide the DN of a token to sync. >From here two cases exist: bound and unbound. In the unbound case, both the userDN and firstFactor fields are required and authentication is performed internally. In the bound case, the client has already bound (usually via a kerberos ticket). In this case, the client must provide userDN only. There are two options here. First, the client can generate the userDN automatically from the kerberos ticket metadata. Second, the extop plugin can make the userDN field optional and simply rely on the internal bind DN. This is my preferred route, and will require a new revision of the otp sync patch (no problem). In this second case, if the user is bound, the DS plugin would ignore the values of userDN/firstFactor. Assuming the second case to be true, how do I write a command in the framework that will attempt a krb5 bind and then prompt for username/password if the bind fails? Also, how do I, on the client side, without any bind to LDAP translate the username to the userDN? The same is true for the token ID to DN translation? Would it be better to write this code independently of the FreeIPA client command framework? Nathaniel _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel