On 05/13/2014 09:33 AM, Jan Cholasta wrote:
On 13.5.2014 15:20, Nathaniel McCallum wrote:
On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:

On 13.5.2014 01:39, Nathaniel McCallum wrote:
The attached patch implements the OTP Token import script. However, it
doesn't work. Specifically, at the bottom of the file, when I call
otptoken-add, I get: Unknown option: digits

If I prefix "ipatoken" to "digits", I get: Unknown option:

The attribute is called "ipatokenotpdigits", according to the otptoken

Gah! I've been looking at this code too long.

If I remove "**options", I get: invalid 'ipatokenuniqueid':
Gettext('must be Unicode text', domain='ipa', localedir=None)

I guess you are trying to use a str object for ipauniqueid. You must use
a unicode object.

Do I need to convert all the strings from the XML parsing to unicode?

You need to make sure that values of all Str params are all unicode.

If I specify the id manually as u'foo', I get: no context.ldap2 in
thread 'MainThread'

You need to connect to LDAP with ldap2.connect before running any commands.

Is there a canonical example of how to do this?

See CACertManage.ldap_connect in my patch 251.2.

What do I need to do in order to set up and call the otptoken-add command

Is ipa-otptoken-import intended to be run on IPA servers only? Because I
don't see anything in the code that would mandate that.

No. However, this is part of a long conversation previously on this
list. The parsing and otptoken_add need to happen on the client-side
because we will catch any failures and write out a client-side "tokens
not added" xml file. We also need to do this because this process may
take a long time (thousands of tokens) and the HTTP API doesn't have
infrastructure for long-running calls.

So the requirement here is that it runs on the client side with a direct
LDAP connection. The bind user should be the user running the script,
not directory manager.

OK, thanks for clarification.

Do not forget to document this part.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Freeipa-devel mailing list
