On 14.7.2014 21:01, Nathaniel McCallum wrote:
The preexisting code would execute two steps. First, it would perform a
kinit. If the kinit failed, it would attempt to bind using the same
credentials to determine if the password were expired. While this method
is fairly ugly, it mostly worked in the past.

However, with OTP this breaks. This is because the OTP code is consumed
by the kinit step. But because the password is expired, the kinit step
fails. When the bind is executed, the OTP token is already consumed, so
bind fails. This causes all password expirations to be reported as
invalid credentials.

After discussion with MIT, the best way to handle this case with the
standard tools is to set LC_ALL=C and check the output from the command.
This eliminates the bind step altogether. The end result is that OTP
works and all password failures are more performant.

Pushed to:
master: e4771302812388cc7f9773ce48d0bc3b34855248
ipa-4-1: e4771302812388cc7f9773ce48d0bc3b34855248
ipa-4-0: e4771302812388cc7f9773ce48d0bc3b34855248

Initially, when testing, I got a preauthentication error because I had an old version of krb5: 1.11.5-4 instead of 1.11.5-5.

Should we add a version dependency >= 1.11.5-5 to the spec file?
Petr Vobornik
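As an added illustration of the single-step approach the thread describes (this is example code, not FreeIPA's own implementation): one kinit is run with LC_ALL=C so its messages are not localised, and the exit status plus output is classified without any follow-up LDAP bind, so an OTP value is consumed at most once. The matched message substrings are assumptions about what MIT kinit prints and should be checked against the installed krb5 version.

```python
import os
import subprocess
from enum import Enum


class KinitResult(Enum):
    OK = "ok"
    PASSWORD_EXPIRED = "password_expired"
    INVALID_CREDENTIALS = "invalid_credentials"
    UNKNOWN_FAILURE = "unknown_failure"


# Assumed substrings of MIT krb5 kinit messages in the C locale.
# Verify them against the krb5 version actually deployed (the thread
# notes that behaviour differs between 1.11.5-4 and 1.11.5-5).
_EXPIRED_MARKERS = ("Password has expired", "Password expired")
_INVALID_MARKERS = ("Preauthentication failed",
                    "Client not found in Kerberos database")


def classify_kinit_output(returncode, output):
    """Map a kinit exit status and its C-locale output to a result.

    Expiry is checked before invalid credentials so an expired password
    is never misreported as bad credentials (the bug the thread fixes)."""
    if returncode == 0:
        return KinitResult.OK
    if any(m in output for m in _EXPIRED_MARKERS):
        return KinitResult.PASSWORD_EXPIRED
    if any(m in output for m in _INVALID_MARKERS):
        return KinitResult.INVALID_CREDENTIALS
    return KinitResult.UNKNOWN_FAILURE


def kinit_with_password(principal, password, ccache="MEMORY:login-check"):
    """Run exactly one kinit for `principal`, feeding the password (or
    password+OTP) on stdin, and classify the outcome. No bind follows."""
    env = dict(os.environ, LC_ALL="C", KRB5CCNAME=ccache)
    proc = subprocess.run(
        ["kinit", principal],
        input=password + "\n",      # kinit reads the secret from stdin
        capture_output=True, text=True, env=env, check=False,
    )
    # kinit writes errors to stderr; the expiry prompt may land on stdout.
    return classify_kinit_output(proc.returncode, proc.stderr + proc.stdout)
```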

Freeipa-devel mailing list