Re: [Freeipa-devel] [WIP] OTP Token Import

2014-05-13 Thread Dmitri Pal

On 05/13/2014 09:33 AM, Jan Cholasta wrote:
> On 13.5.2014 15:20, Nathaniel McCallum wrote:
>> On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 13.5.2014 01:39, Nathaniel McCallum wrote:
>>>> The attached patch implements the OTP Token import script. However, it
>>>> doesn't work. Specifically, at the bottom of the file, when I call
>>>> otptoken-add, I get: Unknown option: digits
>>>>
>>>> If I prefix "ipatoken" to "digits", I get: Unknown option:
>>>> ipatokendigits
>>>
>>> The attribute is called "ipatokenotpdigits", according to the otptoken
>>> plugin.
>>
>> Gah! I've been looking at this code too long.
>>
>>>> If I remove "**options", I get: invalid 'ipatokenuniqueid':
>>>> Gettext('must be Unicode text', domain='ipa', localedir=None)
>>>
>>> I guess you are trying to use a str object for ipauniqueid. You must use
>>> a unicode object.
>>
>> Do I need to convert all the strings from the XML parsing to unicode?
>
> You need to make sure that values of all Str params are all unicode.
>
>>>> If I specify the id manually as u'foo', I get: no context.ldap2 in
>>>> thread 'MainThread'
>>>
>>> You need to connect to LDAP with ldap2.connect before running any
>>> commands.
>>
>> Is there a canonical example of how to do this?
>
> See CACertManage.ldap_connect in my patch 251.2.
>
>>>> What do I need to do in order to set up and call the otptoken-add command
>>>> properly?
>>>
>>> Is ipa-otptoken-import intended to be run on IPA servers only? Because I
>>> don't see anything in the code that would mandate that.
>>
>> No. However, this is part of a long conversation previously on this
>> list. The parsing and otptoken_add need to happen on the client side
>> because we will catch any failures and write out a client-side "tokens
>> not added" XML file. We also need to do this because this process may
>> take a long time (thousands of tokens) and the HTTP API doesn't have
>> infrastructure for long-running calls.
>>
>> So the requirement here is that it runs on the client side with a direct
>> LDAP connection. The bind user should be the user running the script,
>> not Directory Manager.
>
> OK, thanks for the clarification.

Do not forget to document this part.

>> Nathaniel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
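The exchange above pins down three things the import loop has to get right: the option is named ipatokenotpdigits, every value handed to a Str parameter must be unicode rather than bytes, and failures have to be caught per token on the client so a "tokens not added" XML file can be written instead of aborting the run. The following is an added example, not code from the patch or from FreeIPA, that does those three things against a stand-in for otptoken_add; the token XML layout, the add_token callable and the field-to-option table are assumptions, and the ldap2 connection step is left out because it needs a live server.

```python
import xml.etree.ElementTree as ET

# Import-file field -> otptoken-add option name (both names from the thread).
FIELD_TO_OPTION = {"id": "ipatokenuniqueid", "digits": "ipatokenotpdigits"}
INT_OPTIONS = {"ipatokenotpdigits"}  # Int param; the rest are Str params

def token_options(token):
    """Turn one <token> element into otptoken-add keyword options."""
    opts = {}
    for child in token:
        if child.tag not in FIELD_TO_OPTION:
            raise ValueError("Unknown option: %s" % child.tag)
        name = FIELD_TO_OPTION[child.tag]
        text = (child.text or "").strip()
        if isinstance(text, bytes):  # Str params must be unicode, never bytes
            text = text.decode("utf-8")
        opts[name] = int(text) if name in INT_OPTIONS else text
    return opts

def import_tokens(xml_text, add_token):
    """Call add_token(**opts) per token; return (added_ids, leftover_xml).
    add_token stands in for api.Command.otptoken_add and raises on failure;
    failed tokens are collected into the "tokens not added" document."""
    root = ET.fromstring(xml_text)
    added, failed = [], ET.Element("tokens")
    for token in root.findall("token"):
        try:
            opts = token_options(token)
            add_token(**opts)
            added.append(opts["ipatokenuniqueid"])
        except Exception as e:  # record the failure and keep going
            token.set("error", str(e))
            failed.append(token)
    leftover = ET.tostring(failed, encoding="unicode") if len(failed) else None
    return added, leftover

# Constructed sample: a good token, one with an unknown field, one rejected.
SAMPLE_XML = """<tokens>
  <token><id>tok1</id><digits>6</digits></token>
  <token><id>tok2</id><digits>8</digits><foo>x</foo></token>
  <token><id>tok3</id><digits>6</digits></token>
</tokens>"""

def fake_add(**opts):
    if opts["ipatokenuniqueid"] == "tok3":
        raise RuntimeError("already exists")

def demo():
    return import_tokens(SAMPLE_XML, fake_add)
```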


Re: [Freeipa-devel] [WIP] OTP Token Import

2014-05-13 Thread Jan Cholasta

On 13.5.2014 15:20, Nathaniel McCallum wrote:
> On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 13.5.2014 01:39, Nathaniel McCallum wrote:
>>> The attached patch implements the OTP Token import script. However, it
>>> doesn't work. Specifically, at the bottom of the file, when I call
>>> otptoken-add, I get: Unknown option: digits
>>>
>>> If I prefix "ipatoken" to "digits", I get: Unknown option:
>>> ipatokendigits
>>
>> The attribute is called "ipatokenotpdigits", according to the otptoken
>> plugin.
>
> Gah! I've been looking at this code too long.
>
>>> If I remove "**options", I get: invalid 'ipatokenuniqueid':
>>> Gettext('must be Unicode text', domain='ipa', localedir=None)
>>
>> I guess you are trying to use a str object for ipauniqueid. You must use
>> a unicode object.
>
> Do I need to convert all the strings from the XML parsing to unicode?

You need to make sure that values of all Str params are all unicode.

>>> If I specify the id manually as u'foo', I get: no context.ldap2 in
>>> thread 'MainThread'
>>
>> You need to connect to LDAP with ldap2.connect before running any commands.
>
> Is there a canonical example of how to do this?

See CACertManage.ldap_connect in my patch 251.2.

>>> What do I need to do in order to set up and call the otptoken-add command
>>> properly?
>>
>> Is ipa-otptoken-import intended to be run on IPA servers only? Because I
>> don't see anything in the code that would mandate that.
>
> No. However, this is part of a long conversation previously on this
> list. The parsing and otptoken_add need to happen on the client side
> because we will catch any failures and write out a client-side "tokens
> not added" XML file. We also need to do this because this process may
> take a long time (thousands of tokens) and the HTTP API doesn't have
> infrastructure for long-running calls.
>
> So the requirement here is that it runs on the client side with a direct
> LDAP connection. The bind user should be the user running the script,
> not Directory Manager.

OK, thanks for the clarification.

> Nathaniel



--
Jan Cholasta



Re: [Freeipa-devel] [WIP] OTP Token Import

2014-05-13 Thread Nathaniel McCallum
On Tue, 2014-05-13 at 15:13 +0200, Jan Cholasta wrote:
> Hi,
> 
> On 13.5.2014 01:39, Nathaniel McCallum wrote:
> > The attached patch implements the OTP Token import script. However, it
> > doesn't work. Specifically, at the bottom of the file, when I call
> > otptoken-add, I get: Unknown option: digits
> >
> > If I prefix "ipatoken" to "digits", I get: Unknown option:
> > ipatokendigits
> 
> The attribute is called "ipatokenotpdigits", according to the otptoken 
> plugin.

Gah! I've been looking at this code too long.

> > If I remove "**options", I get: invalid 'ipatokenuniqueid':
> > Gettext('must be Unicode text', domain='ipa', localedir=None)
> 
> I guess you are trying to use a str object for ipauniqueid. You must use 
> a unicode object.

Do I need to convert all the strings from the XML parsing to unicode?

> > If I specify the id manually as u'foo', I get: no context.ldap2 in
> > thread 'MainThread'
> 
> You need to connect to LDAP with ldap2.connect before running any commands.

Is there a canonical example of how to do this?

> > What do I need to do in order to set up and call the otptoken-add command
> > properly?
> 
> Is ipa-otptoken-import intended to be run on IPA servers only? Because I 
> don't see anything in the code that would mandate that.

No. However, this is part of a long conversation previously on this
list. The parsing and otptoken_add need to happen on the client side
because we will catch any failures and write out a client-side "tokens
not added" XML file. We also need to do this because this process may
take a long time (thousands of tokens) and the HTTP API doesn't have
infrastructure for long-running calls.

So the requirement here is that it runs on the client side with a direct
LDAP connection. The bind user should be the user running the script,
not Directory Manager.

Nathaniel



Re: [Freeipa-devel] [WIP] OTP Token Import

2014-05-13 Thread Jan Cholasta

Hi,

On 13.5.2014 01:39, Nathaniel McCallum wrote:

> The attached patch implements the OTP Token import script. However, it
> doesn't work. Specifically, at the bottom of the file, when I call
> otptoken-add, I get: Unknown option: digits
>
> If I prefix "ipatoken" to "digits", I get: Unknown option:
> ipatokendigits

The attribute is called "ipatokenotpdigits", according to the otptoken
plugin.

> If I remove "**options", I get: invalid 'ipatokenuniqueid':
> Gettext('must be Unicode text', domain='ipa', localedir=None)

I guess you are trying to use a str object for ipauniqueid. You must use
a unicode object.

> If I specify the id manually as u'foo', I get: no context.ldap2 in
> thread 'MainThread'

You need to connect to LDAP with ldap2.connect before running any commands.

> What do I need to do in order to set up and call the otptoken-add command
> properly?

Is ipa-otptoken-import intended to be run on IPA servers only? Because I
don't see anything in the code that would mandate that.


Honza

--
Jan Cholasta



[Freeipa-devel] [WIP] OTP Token Import

2014-05-12 Thread Nathaniel McCallum
The attached patch implements the OTP Token import script. However, it
doesn't work. Specifically, at the bottom of the file, when I call
otptoken-add, I get: Unknown option: digits

If I prefix "ipatoken" to "digits", I get: Unknown option:
ipatokendigits

If I remove "**options", I get: invalid 'ipatokenuniqueid':
Gettext('must be Unicode text', domain='ipa', localedir=None)

If I specify the id manually as u'foo', I get: no context.ldap2 in
thread 'MainThread'

What do I need to do in order to set up and call the otptoken-add command
properly?

Nathaniel
From e5e6cf33d4215f89da60a51d86398d74fe16dffd Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Thu, 8 May 2014 11:06:16 -0400
Subject: [PATCH] Import script

---
 freeipa.spec.in  |   2 +
 install/tools/Makefile.am|   1 +
 install/tools/ipa-otptoken-import|  29 +++
 ipaserver/install/ipa_otptoken_import.py | 365 +++
 4 files changed, 397 insertions(+)
 create mode 100755 install/tools/ipa-otptoken-import
 create mode 100644 ipaserver/install/ipa_otptoken_import.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4e3fd7351757be773fae0b02c55549910c5b37ad..850cca85b6deb5ce4a5656fb2328c7a4d6bcc8cb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -307,6 +307,7 @@ Requires: python-netaddr
 Requires: libipa_hbac-python
 Requires: python-qrcode
 Requires: python-pyasn1
+Requires: python-dateutil
 
 Obsoletes: ipa-python >= 1.0
 
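Review bot: the new `Requires: python-dateutil` is added to the section whose context lines (python-qrcode, python-pyasn1, `Obsoletes: ipa-python`) mark it as the python client subpackage, while the only importer of dateutil in this patch is ipaserver/install/ipa_otptoken_import.py. Confirm that this is the intended place; if the module ships in the server package, declare the dependency there too, or note that the server subpackage already pulls this one in.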
@@ -660,6 +661,7 @@ fi
 %{_sbindir}/ipa-csreplica-manage
 %{_sbindir}/ipa-server-certinstall
 %{_sbindir}/ipa-ldap-updater
+%{_sbindir}/ipa-otptoken-import
 %{_sbindir}/ipa-compat-manage
 %{_sbindir}/ipa-nis-manage
 %{_sbindir}/ipa-managed-entries
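Review bot: `%{_sbindir}/ipa-otptoken-import` is listed in the %files section alongside the server-side management tools (ipa-csreplica-manage, ipa-ldap-updater), yet the thread states the tool must run on the client side with a direct LDAP connection, bound as the invoking user rather than Directory Manager. If it only ships in the server package it cannot be run from a client, so decide which package should carry it (the wrapper script imports from ipaserver.install, which constrains the choice) and state the requirement in the tool's documentation as Dmitri asked.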
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 2cf66c6dfc1c272bb423253902e7339e7d159567..485be91b7bca2b0f3822a70d0f027793208918c1 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -20,6 +20,7 @@ sbin_SCRIPTS =			\
 	ipa-nis-manage		\
 	ipa-managed-entries \
 	ipa-ldap-updater	\
+	ipa-otptoken-import	\
 	ipa-upgradeconfig	\
 	ipa-backup		\
 	ipa-restore		\
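Review bot: the sbin_SCRIPTS entry is fine, but the diffstat shows no man page or other documentation for the new tool, and the thread's open request is to document the client-side, direct-LDAP, bind-as-invoking-user requirement. Add a man page for ipa-otptoken-import that states this before the patch merges.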
diff --git a/install/tools/ipa-otptoken-import b/install/tools/ipa-otptoken-import
new file mode 100755
index ..f4fc00d40ceb6eea91bec0804b2a8d2e833f4fd4
--- /dev/null
+++ b/install/tools/ipa-otptoken-import
@@ -0,0 +1,29 @@
+#! /usr/bin/python2 -E
+# Authors: Nathaniel McCallum 
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+from ipaserver.install.ipa_otptoken_import import OTPTokenImport
+import nss.nss as nss
+
+nss.nss_init_nodb()
+
+try:
+OTPTokenImport.run_cli()
+finally:
+nss.nss_shutdown()
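Review bot: the bodies of the `try` and `finally` blocks (`OTPTokenImport.run_cli()` and `nss.nss_shutdown()`) appear at column 0 in this hunk; if that is how the file is committed rather than an artifact of the mail rendering, the script will not parse, so check the indentation. Minor: the copyright header says 2013 while the companion module added in the same patch says 2014.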
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
new file mode 100644
index ..c21bc26da327206c515c9698a8ba49750ab83179
--- /dev/null
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -0,0 +1,365 @@
+# Authors: Nathaniel McCallum 
+#
+# Copyright (C) 2014  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+import base64
+import datetime
+import hashlib
+import hmac
+import uuid
+
+from lxml import etree
+import dateutil.parser
+import dateutil.tz
+import nss.nss as nss
+
+from ipapython import admintool
+from ipapython.dn import DN
+from ipapython.ipautil import user_input, write_tmp_file
+from ipalib import api, errors
+from ipalib.constants import CACERT
+from ipaserver.install import certs, dsinstance, httpinstance, installutils
+from ipaserver.plugins.ldap2 import ldap2
+
+class ValidationError(Exception):
+pass
+
+class NoOpCo
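Review bot: with ldap2 imported here and otptoken_add called further down (the hunk is cut off after `class NoOpCo`, so only the header and imports are visible), make sure the command is invoked only after an ldap2 connection has been made and bound as the user running the script, not Directory Manager, and that every value taken from the lxml tree for a Str option (ipatokenuniqueid and the others) is a unicode object, with the digit count passed as ipatokenotpdigits; those are the causes of the "no context.ldap2", "must be Unicode text" and "Unknown option" failures reported in the thread. The `pass` under `class ValidationError` also shows at column 0, so verify indentation as for the wrapper script.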