On 05/13/2014 09:33 AM, Jan Cholasta wrote:
On 13.5.2014 15:20, Nathaniel McCallum wrote:
On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:
Hi,

On 13.5.2014 01:39, Nathaniel McCallum wrote:
The attached patch implements the OTP Token import script. However, it
doesn't work. Specifically, at the bottom of the file, when I call
otptoken-add, I get: Unknown option: digits

If I prefix "ipatoken" to "digits", I get: Unknown option:
ipatokendigits

The attribute is called "ipatokenotpdigits", according to the otptoken
plugin.

Gah! I've been looking at this code too long.

If I remove "**options", I get: invalid 'ipatokenuniqueid':
Gettext('must be Unicode text', domain='ipa', localedir=None)

I guess you are trying to use a str object for ipauniqueid. You must use
a unicode object.

Do I need to convert all the strings from the XML parsing to unicode?

You need to make sure that values of all Str params are all unicode.


If I specify the id manually as u'foo', I get: no context.ldap2 in
thread 'MainThread'

You need to connect to LDAP with ldap2.connect before running any commands.

Is there a canonical example of how to do this?

See CACertManage.ldap_connect in my patch 251.2.


What do I need to do in order to set up and call the otptoken-add command
properly?

Is ipa-otptoken-import intended to be run on IPA servers only? Because I
don't see anything in the code that would mandate that.

No. However, this is part of a long conversation previously on this
list. The parsing and otptoken_add need to happen on the client side
because we will catch any failures and write out a client-side "tokens
not added" xml file. We also need to do this because this process may
take a long time (thousands of tokens) and the HTTP API doesn't have
infrastructure for long-running calls.

So the requirement here is that it runs on the client side with a direct
LDAP connection. The bind user should be the user running the script,
not directory manager.

OK, thanks for clarification.

Do not forget to document this part.



Nathaniel




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
