On Thu, 18 Sep 2014 13:59:34 -0400
Nathaniel McCallum <npmccal...@redhat.com> wrote:

> On Thu, 2014-09-18 at 14:00 +0200, Petr Vobornik wrote:
> > On 15.9.2014 21:08, Nathaniel McCallum wrote:
> > > On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> > >> This prevents any local attempt at rapid token code replay. If
> > >> two token codes hit the system at roughly the same moment, only
> > >> the first write will succeed. All subsequent authentications
> > >> will fail.
> > >>
> > >> This obviates the need for an OTP authentication lock.
> > >>
> > >> https://fedorahosted.org/freeipa/ticket/4493
> > >
> > > I still need a review of this. This is targeted for 4.1.
> > >
> > > Nathaniel
> > >
> > 
> > 
> > Works fine with HTOP but fails for new TOTP tokens.
> > 
> > New TOTP token doesn't have a watermark attribute set so there is 
> > nothing to delete and therefore standard login procedure fails on 
> > writeattr call (libotp.c:223).
> 
> I have fixed this by making ipatokenTOTPwatermark a required attribute
> (MAY -> MUST). I did this in a separate patch (0066) because I thought
> it was cleaner.

This can easily break stuff, and is not allowed, sorry you need to find
a way that will not cause objects, even temporarily to be incomplete.

(think of a replica getting the new schema while an older one pushes
the object via replication)

Simo.

> https://www.redhat.com/archives/freeipa-devel/2014-September/msg00386.html
> 
> There is no change to this patch, but it now depends on my patch 0066
> (linked above).
> 
> Nathaniel
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel



-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to