On 03/29/2014 08:54 AM, Stijn De Weirdt wrote:
hi all,

IMO we should not treat the OTP we set for the host enrollment as a
kerberos password.
I would rather record a time of the creation and validity period when
the password is set in two new attributes. The validity period should be
optional and if not provided copied from a system wide policy that can
be set by default to say 10 min. When we do authentication with OTP we
should check whether we are already beyond the point when the OTP is
valid and fail enrollment.  When we validate and clear OTP we do not
need to change these two attributes, they contain valuable info that
might be queried later.

I like this idea. Full host password policy is probably overkill for an OTP that only makes sense once in the lifetime of the host (OTP here means not only is the password itself only valid once; the whole password authentication is only valid/usable once).

btw, is it easy (as in API exists) to add new (site specific) attributes for a host? If so, I can already toy around with it for now. (Storing the creation time in it and some cron job might suffice for now.)


Freeipa-users mailing list

Here is a starting point.

You need to create
a) Design
- You can distill this thread into a couple of paragraphs
b) Schema
- try to reuse existing attributes if possible instead of inventing new ones
  - define a new AUXILIARY object class that would contain these attributes
- Load schema into the project, make it a part of the source code, installation and update/upgrade
c) Plugin to manage
- Create a python mgmt framework plugin to set these attributes when the OTP is created.
  - See http://abbra.fedorapeople.org/guide.html on how to do it
- You probably want to make the field(s) visible in the UI but read only to show how much time is left for enrollment, but this can be a separate RFE done later.
d) Enrollment logic
- You need to fix the enrollment logic to validate these new attributes during the enrollment. IMO it should be backward compatible meaning that if host entry does not have these attributes the enrollment does not expire (something to mention on the design page).

It sounds like a lot, but it is not once you get more experienced with the system. If you can do at least parts of that, it would be great.
Good luck!

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

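As an added illustration of the enrollment-time check discussed in this thread (example code, not FreeIPA's own), the sketch below validates a host OTP against a creation time and an optional validity period, falls back to a system-wide default of 10 minutes, and treats entries without the new attributes as non-expiring. The attribute names ipaHostOtpCreated and ipaHostOtpValidity, and the plaintext comparison of userPassword, are assumptions made for this example.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Assumed attribute names for this example; they are not part of the FreeIPA schema.
ATTR_CREATED = "ipaHostOtpCreated"    # LDAP GeneralizedTime, e.g. 20140329085400Z
ATTR_VALIDITY = "ipaHostOtpValidity"  # seconds; optional, falls back to the policy default
DEFAULT_VALIDITY_SECONDS = 600        # system-wide policy default: 10 minutes


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string (YYYYMMDDHHMMSSZ) into a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def otp_expiry(entry, default_validity=DEFAULT_VALIDITY_SECONDS):
    """Return the OTP expiry time, or None when the entry has no creation time.

    A missing creation time means a host entry from before these attributes
    existed, so it keeps the old non-expiring behaviour (backward compatible).
    """
    created = entry.get(ATTR_CREATED)
    if created is None:
        return None
    validity = int(entry.get(ATTR_VALIDITY, default_validity))
    return parse_generalized_time(created) + timedelta(seconds=validity)


def check_enrollment_otp(entry, presented, now_gt):
    """Validate a one-time enrollment password against a host entry (a dict).

    now_gt is the current time as a GeneralizedTime string. Returns (ok, reason).
    userPassword is compared as plaintext here for simplicity; a real directory
    holds a hash and the comparison would go through the password plugin.
    """
    stored = entry.get("userPassword")
    if stored is None:
        return False, "no enrollment OTP set (already used or never issued)"
    expiry = otp_expiry(entry)
    if expiry is not None and parse_generalized_time(now_gt) > expiry:
        return False, "enrollment OTP expired at %s" % expiry.isoformat()
    if not hmac.compare_digest(stored.encode(), presented.encode()):
        return False, "wrong OTP"
    return True, "enrollment OTP accepted"


def consume_otp(entry):
    """Clear the OTP after a successful enrollment so it cannot be reused.

    The creation time and validity period are deliberately kept for later queries.
    """
    entry.pop("userPassword", None)
    return entry
```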
