On 09/19/2014 07:53 PM, Nathaniel McCallum wrote:
This prevents synchronization when an authentication collision occurs.

https://fedorahosted.org/freeipa/ticket/4493

NOTE: this patch is related to the above ticket, but does not solve it.
For the solution, please see patch 0064. This behavior fix is from patch
0062 (rescinded) and is worth keeping.


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Hello Nathaniel,

   My understanding is that during a pre_bind, the plugin validates
   token codes (for example "HOTP") checking that step ranges [-25..+25].
   As soon as the token is valid, the new HOTPcounter is written in the
   entry.
   But in case of negative steps, I believe the otp-decrement plugin
   will reject this update.

   If TOTPwatermark is updated and there is a second token code, then
   clockOffset is also updated.
   This update is done during a pre_bind, so if there are parallel
   binds on the server, there is a possibility that TOTPwatermark is
   updated from a bind and 'clockOffset' updated from another bind.
   An option is to do a single internal modify to update both.

   thanks
   thierry



