On Thu, 2014-02-20 at 14:33 +0200, Alexander Bokovoy wrote:
> On Thu, 20 Feb 2014, Alexander Bokovoy wrote:
> >>>>>There is definitely a bug (or more) in ipa-pwd-extop in handling
> >>>>>authentication cases.
> >>>>Some progress on this investigation.
> >>>>
> >>>>Plugin precedence setting is broken in 389-ds. It is only set once,
> >>>>before running init function provided by the plugin and does not take
> >>>>into account all callbacks that the init function may register. As
> >>>>a result, all these functions get classified with the default precedence (50)
> >>>>and no configuration could change this, so we get ipa-pwd-extop's pre-bind
> >>>>callback called before schemacompat's one, thus working on the compat
> >>>>entry DN instead of the new one. Since that entry has no userPassword
> >>>>attribute, OTP code refuses to accept any password.
> >>>>
> >>>>When the user is allowed to use password auth along with OTP, the fact that
> >>>>there is no userPassword gets the ipa-pwd-extop plugin through the failure.
> >>>>schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of
> >>>>389-ds code checks actual password.
> >>>>
> >>>>So we have two issues here: OTP code needs to gracefully ignore entries
> >>>>without userPassword set, and we need to be able to re-arrange
> >>>>schemacompat and ipa-pwd-extop precedence for pre-bind operation.
> >>>>
> >>>>I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on
> >>>>the latter.
> >>>>
> >>>>The messages from the log are not yet solved...
> >>>Finally, I have a clue after tracing with debug level 1:
> >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461
> >>>[19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter
> >>>[19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL
> >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461
> >>>
> >>>So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more.
> >>There is an error in libotp's find() function which assumes that
> >>get_basedn() always returns a non-NULL value. This is not true for at
> >>least cn=Directory Manager.
> >>
> >>Patch attached.
> >More fixes are required, now that Thierry produced the fix for 389-ds ticket
> >47699 which allows re-arranging the schema-compat and ipa-pwd-extop
> >plugins. I'm getting a crash in find() in libotp.c for an internal search in
> >some other conditions, but at least the user dn is now the correct one.
> >
> >Stay tuned.
> OK, finally I've got it working -- my last patch had an error which could
> be attributed to the late night time.
> A new patch is attached to fix libotp to work properly with an empty base dn
> (such as cn=Directory Manager).
> Also I'm attaching the patch that sets the precedence of the schema-compat
> plugin to 49 (less than the default 50). With this patch and 389-ds with the
> patch from ticket 47699, compat tree binds work with OTP.
> When the updated 389-ds-base is released, we'll need to add a Requires:
> to our RPM spec to depend on it. Without the updated 389-ds-base, compat
> tree binds will not work with OTP, but the rest will be working fine.
> Finally, ACK to all OTP patches.

ACK to both of these patches.
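A constructed C model of the pre-bind ordering problem discussed in this thread (added here; not code from FreeIPA, libotp or 389-ds, and the DNs, callback bodies and the rewrite rule are assumptions). It shows why the compat-tree bind is rejected when both plugins sit at the default precedence 50, and accepted once schema-compat runs first at 49.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_PRECEDENCE 50   /* what 389-ds assigns when a plugin sets none */

/* Constructed directory: the compat view of alice has no userPassword,
 * the real account entry does. */
struct entry { const char *dn; const char *userpassword; };
static const struct entry directory[] = {
    { "uid=alice,cn=users,cn=compat,dc=example,dc=com",   NULL },
    { "uid=alice,cn=users,cn=accounts,dc=example,dc=com", "hunter2" },
};

static const struct entry *lookup(const char *dn) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].dn, dn) == 0) return &directory[i];
    return NULL;
}
/* Stand-in for SLAPI_BIND_TARGET_SDN plus the pre-bind verdict. */
struct bind_op { char target_dn[96]; int rejected; };

/* schema-compat pre-bind: rewrite the compat DN to the real entry DN (assumed rule). */
static void schemacompat_prebind(struct bind_op *op) {
    char *p = strstr(op->target_dn, "cn=compat,");
    if (p == NULL) return;
    char tail[96];
    snprintf(tail, sizeof tail, "%s", p + strlen("cn=compat,"));
    snprintf(p, sizeof op->target_dn - (size_t)(p - op->target_dn), "cn=accounts,%s", tail);
}

/* ipa-pwd-extop pre-bind, pre-fix behaviour: an entry without
 * userPassword makes the OTP code reject the bind. */
static void pwdextop_prebind(struct bind_op *op) {
    const struct entry *e = lookup(op->target_dn);
    if (e == NULL || e->userpassword == NULL) op->rejected = 1;
}
struct plugin { int precedence; void (*prebind)(struct bind_op *); };

/* Run a compat-tree bind through both callbacks in ascending precedence
 * (ties keep registration order). Returns 1 if the bind was rejected. */
int compat_bind_rejected(int schemacompat_precedence) {
    struct plugin p[] = { { DEFAULT_PRECEDENCE, pwdextop_prebind },
                          { schemacompat_precedence, schemacompat_prebind } };
    struct bind_op op = { "uid=alice,cn=users,cn=compat,dc=example,dc=com", 0 };
    if (p[1].precedence < p[0].precedence) {   /* stable two-element sort */
        struct plugin t = p[0]; p[0] = p[1]; p[1] = t;
    }
    for (size_t i = 0; i < 2; i++) p[i].prebind(&op);
    return op.rejected;
}
```

compat_bind_rejected(50) returns 1 (ipa-pwd-extop sees the compat entry first and refuses); compat_bind_rejected(49) returns 0 (the DN is rewritten before the password check).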

Freeipa-devel mailing list
