Re: [Freeipa-devel] [PATCHES] OTP Patches
On 03/24/2014 02:33 PM, Nathaniel McCallum wrote: > On Wed, 2014-03-19 at 17:37 +0200, Alexander Bokovoy wrote: >> On Fri, 21 Feb 2014, Nathaniel McCallum wrote: >>> On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote: On Thu, 20 Feb 2014, Nathaniel McCallum wrote: > There is an error in libotp's find() function which assumes that > get_basedn() always returns non-NULL value. This is not true for at > least cn=Directory Manager. > > Patch attached. More fixes required, now that Thierry produced the fix for 389-ds ticket 47699 which allows to re-arrange schema-compat and ipa-pwd-extop plugins. I'm getting crash in find() in libotp.c for internal search in some other conditions but at least user dn now is the correct one. Stay tuned. >>> OK, finally I've got it working -- my last patch had error which could >>> be attributed to the late night time. >>> >>> New patch is attached to fix libotp to work properly with empty base dn >>> (such as cn=Directory Manager). >>> >>> Also I'm attaching the patch that sets precedence of schema-compat >>> plugin to 49 (less than default 50). With this patch and 389-ds with >>> patch from ticket 47699 compat tree binds work with OTP. >>> >>> When updated 389-ds-base will be released, we'll need to add Requires: >>> to our RPM spec to depend on it. Without the updated 389-ds-base compat >>> tree binds will not work with OTP but the rest will be working fine. >>> >>> Finally, ACK to all OTP patches. >> >> ACK to both of these patches. > > I've merged the first patch here -- > https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html > > I just realized the second patch shouldn't be ACK'd until we have a new > 389DS release with the fix. When that happens, reissue this patch with > an update versioned require. No, it can be safely merged as 389DS will use default precedence (50) unless the fix is there. So the worst we get is the same as now -- OTP binds will not work over compat tree. 
And when 389DS will be upgraded, they will start working after 389DS restart. >>> >>> But this patch doesn't actually do anything until we get the new version >>> of 389DS. If we are ever going to add a versioned dependency on the new >>> 389DS for this feature, it should go in this patch. Otherwise, it is an >>> ACK from me. >> New 389-DS is in Fedora 20 updates stable and Rawhide already. >> 389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in >> Fedora 20 updates testing, providing multiple policy enhancements that >> make possible Apache process to work with kernel-based credentials >> caches. >> >> Attached patch makes use of the new packages. > > ACK Pushed both patches below: [PATCH 17/17] schema-compat: set precedence to 49 to allow OTP binds over compat tree [PATCH] freeipa.spec.in: update dependencies to 389-ds and selinux-policy to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 2014-03-19 at 17:37 +0200, Alexander Bokovoy wrote: > On Fri, 21 Feb 2014, Nathaniel McCallum wrote: > >On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote: > >> On Thu, 20 Feb 2014, Nathaniel McCallum wrote: > >> >> > >>There is an error in libotp's find() function which assumes that > >> >> > >>get_basedn() always returns non-NULL value. This is not true for at > >> >> > >>least cn=Directory Manager. > >> >> > >> > >> >> > >>Patch attached. > >> >> > >More fixes required, now that Thierry produced the fix for 389-ds > >> >> > >ticket > >> >> > >47699 which allows to re-arrange schema-compat and ipa-pwd-extop > >> >> > >plugins. I'm getting crash in find() in libotp.c for internal search > >> >> > >in > >> >> > >some other conditions but at least user dn now is the correct one. > >> >> > > > >> >> > >Stay tuned. > >> >> > OK, finally I've got it working -- my last patch had error which could > >> >> > be attributed to the late night time. > >> >> > > >> >> > New patch is attached to fix libotp to work properly with empty base > >> >> > dn > >> >> > (such as cn=Directory Manager). > >> >> > > >> >> > Also I'm attaching the patch that sets precedence of schema-compat > >> >> > plugin to 49 (less than default 50). With this patch and 389-ds with > >> >> > patch from ticket 47699 compat tree binds work with OTP. > >> >> > > >> >> > When updated 389-ds-base will be released, we'll need to add Requires: > >> >> > to our RPM spec to depend on it. Without the updated 389-ds-base > >> >> > compat > >> >> > tree binds will not work with OTP but the rest will be working fine. > >> >> > > >> >> > Finally, ACK to all OTP patches. > >> >> > >> >> ACK to both of these patches. > >> > > >> >I've merged the first patch here -- > >> >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html > >> > > >> >I just realized the second patch shouldn't be ACK'd until we have a new > >> >389DS release with the fix. 
When that happens, reissue this patch with > >> >an update versioned require. > >> No, it can be safely merged as 389DS will use default precedence (50) > >> unless > >> the fix is there. So the worst we get is the same as now -- OTP binds > >> will not work over compat tree. And when 389DS will be upgraded, they > >> will start working after 389DS restart. > > > >But this patch doesn't actually do anything until we get the new version > >of 389DS. If we are ever going to add a versioned dependency on the new > >389DS for this feature, it should go in this patch. Otherwise, it is an > >ACK from me. > New 389-DS is in Fedora 20 updates stable and Rawhide already. > 389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in > Fedora 20 updates testing, providing multiple policy enhancements that > make possible Apache process to work with kernel-based credentials > caches. > > Attached patch makes use of the new packages. ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Fri, 21 Feb 2014, Nathaniel McCallum wrote: On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote: On Thu, 20 Feb 2014, Nathaniel McCallum wrote: >> > >>There is an error in libotp's find() function which assumes that >> > >>get_basedn() always returns non-NULL value. This is not true for at >> > >>least cn=Directory Manager. >> > >> >> > >>Patch attached. >> > >More fixes required, now that Thierry produced the fix for 389-ds ticket >> > >47699 which allows to re-arrange schema-compat and ipa-pwd-extop >> > >plugins. I'm getting crash in find() in libotp.c for internal search in >> > >some other conditions but at least user dn now is the correct one. >> > > >> > >Stay tuned. >> > OK, finally I've got it working -- my last patch had error which could >> > be attributed to the late night time. >> > >> > New patch is attached to fix libotp to work properly with empty base dn >> > (such as cn=Directory Manager). >> > >> > Also I'm attaching the patch that sets precedence of schema-compat >> > plugin to 49 (less than default 50). With this patch and 389-ds with >> > patch from ticket 47699 compat tree binds work with OTP. >> > >> > When updated 389-ds-base will be released, we'll need to add Requires: >> > to our RPM spec to depend on it. Without the updated 389-ds-base compat >> > tree binds will not work with OTP but the rest will be working fine. >> > >> > Finally, ACK to all OTP patches. >> >> ACK to both of these patches. > >I've merged the first patch here -- >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html > >I just realized the second patch shouldn't be ACK'd until we have a new >389DS release with the fix. When that happens, reissue this patch with >an update versioned require. No, it can be safely merged as 389DS will use default precedence (50) unless the fix is there. So the worst we get is the same as now -- OTP binds will not work over compat tree. 
And when 389DS will be upgraded, they will start working after 389DS restart. But this patch doesn't actually do anything until we get the new version of 389DS. If we are ever going to add a versioned dependency on the new 389DS for this feature, it should go in this patch. Otherwise, it is an ACK from me. New 389-DS is in Fedora 20 updates stable and Rawhide already. 389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in Fedora 20 updates testing, providing multiple policy enhancements that make possible Apache process to work with kernel-based credentials caches. Attached patch makes use of the new packages. -- / Alexander Bokovoy >From 22d00b5413952f6a6ef2840341dd143999c9ad6e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 19 Mar 2014 17:31:49 +0200 Subject: [PATCH] freeipa.spec.in: update dependencies to 389-ds and selinux-policy 389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the ordering of the main plugin. We need it to make OTP working over compat tree. selinux-polic 3.12.1-135 fixes issues which prevented httpd to work with kernel keyring-based credentials caches. This change is Fedora 20+. --- freeipa.spec.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index c17e939..8658ea8 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -21,7 +21,7 @@ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.2.11 +BuildRequires: 389-ds-base-devel >= 1.3.2.16 BuildRequires: svrcore-devel BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: systemd-units 
@@ -98,7 +98,7 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base >= 1.3.2.11 +Requires: 389-ds-base >= 1.3.2.16 Requires: openldap-clients > 2.4.35-4 %if 0%{?fedora} == 18 Requires: nss >= 3.14.3-2 @@ -139,7 +139,7 @@ Requires: python-memcached Requires: systemd-units >= 38 Requires(pre): systemd-units Requires(post): systemd-units -Requires: selinux-policy >= 3.12.1-65 +Requires: selinux-policy >= 3.12.1-135 Requires(post): selinux-policy-base Requires: slapi-nis >= 0.47.7 Requires: pki-ca >= 10.0.4 -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
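Review bot: the first hunk raises BuildRequires: 389-ds-base-devel from >= 1.3.2.11 to >= 1.3.2.16, but the commit message only justifies a runtime need (sub-plugin reordering in 389-ds-base 1.3.2.16); unless the -devel headers changed between those releases, the Requires: bump in the second hunk is sufficient and the build-time bump only blocks builds on hosts that still have the older -devel package. Either drop it or say in the commit message why the build needs the newer headers.

Review bot: the third hunk makes Requires: selinux-policy >= 3.12.1-135 unconditional even though the commit message says the change is Fedora 20+ and the spec visibly keeps per-release conditionals (the %if 0%{?fedora} == 18 block two lines after the 389-ds-base bump); if older targets are still supported, guard the new minimum the same way, otherwise state in the commit message that they are dropped. The commit message also spells the package "selinux-polic".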
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote: > On Thu, 20 Feb 2014, Nathaniel McCallum wrote: > >> > >>There is an error in libotp's find() function which assumes that > >> > >>get_basedn() always returns non-NULL value. This is not true for at > >> > >>least cn=Directory Manager. > >> > >> > >> > >>Patch attached. > >> > >More fixes required, now that Thierry produced the fix for 389-ds ticket > >> > >47699 which allows to re-arrange schema-compat and ipa-pwd-extop > >> > >plugins. I'm getting crash in find() in libotp.c for internal search in > >> > >some other conditions but at least user dn now is the correct one. > >> > > > >> > >Stay tuned. > >> > OK, finally I've got it working -- my last patch had error which could > >> > be attributed to the late night time. > >> > > >> > New patch is attached to fix libotp to work properly with empty base dn > >> > (such as cn=Directory Manager). > >> > > >> > Also I'm attaching the patch that sets precedence of schema-compat > >> > plugin to 49 (less than default 50). With this patch and 389-ds with > >> > patch from ticket 47699 compat tree binds work with OTP. > >> > > >> > When updated 389-ds-base will be released, we'll need to add Requires: > >> > to our RPM spec to depend on it. Without the updated 389-ds-base compat > >> > tree binds will not work with OTP but the rest will be working fine. > >> > > >> > Finally, ACK to all OTP patches. > >> > >> ACK to both of these patches. > > > >I've merged the first patch here -- > >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html > > > >I just realized the second patch shouldn't be ACK'd until we have a new > >389DS release with the fix. When that happens, reissue this patch with > >an update versioned require. > No, it can be safely merged as 389DS will use default precedence (50) unless > the fix is there. So the worst we get is the same as now -- OTP binds > will not work over compat tree. 
> And when 389DS will be upgraded, they
> will start working after 389DS restart.

But this patch doesn't actually do anything until we get the new version
of 389DS. If we are ever going to add a versioned dependency on the new
389DS for this feature, it should go in this patch. Otherwise, it is an
ACK from me.

Nathaniel
Re: [Freeipa-devel] [PATCHES] OTP Patches
On 02/20/2014 07:45 PM, Nathaniel McCallum wrote:
> On Wed, 2014-02-12 at 11:49 -0500, Nathaniel McCallum wrote:
>> Through the review process, patches are getting shifted around, added,
>> deleted, etc. So I'm now just going to be posting all the patches as an
>> ordered set. The set attached is ordered according to my preferred merge
>> order. It also places easy to review patches up front. I hope this helps
>> reviewers. This format will definitely help me manage the patches.
>>
>> The first three patches should be very easy reviews and can be merged
>> independently.
>>
>> All current patch critiques have, to my knowledge, been addressed in
>> this latest series of patches.
>
> Attached are 8 patches, the first 5 of which should be ready for merge:
>
> 0001-0004: Already ACK'd by abokovoy; rebased for master VERSION changes
> 0005: Patch by abokovoy; ACK'd by me

Pushed these 5 to master: 9a8f44c09e0e78550b126235240214e7b11af081

> 0006-0008: New patches
>
> Patch 0006 is a one-liner easy review.
>
> In patch 0008, I change the existing otptoken api. How should I change
> VERSION in this case since we haven't released the otptoken api yet?
>
> Nathaniel

This thread is getting very confusing. In the future, could you not reuse
the numbers 0001-0008 for different patches?
Generally we try to follow the patch naming guide:
http://www.freeipa.org/page/Contribute/Patch_Format

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Thu, 20 Feb 2014, Nathaniel McCallum wrote: From ead3ef011667dadacfc817725179f38c05177a00 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Thu, 20 Feb 2014 13:20:01 -0500 Subject: [PATCH 6/8] Fix a typo where self was omitted https://fedorahosted.org/freeipa/ticket/4099 --- ipalib/plugins/otptoken.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 77c17150d83f0562823698e1ad585ec523f16ad7..6b142989fd306472ede3e0a528fb103cd46fca77 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -80,7 +80,7 @@ class OTPTokenKey(Bytes): except TypeError, e: raise ConversionError(name=self.name, index=index, error=str(e)) -return Bytes._convert_scalar(value, index) +return Bytes._convert_scalar(self, value, index) def _convert_owner(userobj, entry_attrs, options): if 'ipatokenowner' in entry_attrs and not options.get('raw', False): NACK, it should use super() instead: return super(OTPTokenKey, self)._convert_scalar(value, index) see ipalib/parameters.py:1369 as an example. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
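Review bot: the replacement line `return Bytes._convert_scalar(self, value, index)` fixes the missing `self` but hard-codes the parent class, so any class inserted into the MRO between OTPTokenKey and Bytes would be skipped; use `return super(OTPTokenKey, self)._convert_scalar(value, index)` as the NACK above asks, which is the pattern already used in ipalib/parameters.py.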
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
> >>>There is an error in libotp's find() function which assumes that
> >>>get_basedn() always returns non-NULL value. This is not true for at
> >>>least cn=Directory Manager.
> >>>
> >>>Patch attached.
> >>More fixes required, now that Thierry produced the fix for 389-ds ticket
> >>47699 which allows to re-arrange schema-compat and ipa-pwd-extop
> >>plugins. I'm getting crash in find() in libotp.c for internal search in
> >>some other conditions but at least user dn now is the correct one.
> >>
> >>Stay tuned.
> >OK, finally I've got it working -- my last patch had error which could
> >be attributed to the late night time.
> >
> >New patch is attached to fix libotp to work properly with empty base dn
> >(such as cn=Directory Manager).
> >
> >Also I'm attaching the patch that sets precedence of schema-compat
> >plugin to 49 (less than default 50). With this patch and 389-ds with
> >patch from ticket 47699 compat tree binds work with OTP.
> >
> >When updated 389-ds-base will be released, we'll need to add Requires:
> >to our RPM spec to depend on it. Without the updated 389-ds-base compat
> >tree binds will not work with OTP but the rest will be working fine.
> >
> >Finally, ACK to all OTP patches.
> ACK to both of these patches.
>
> I've merged the first patch here --
> https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
>
> I just realized the second patch shouldn't be ACK'd until we have a new
> 389DS release with the fix. When that happens, reissue this patch with
> an update versioned require.
No, it can be safely merged as 389DS will use default precedence (50) unless
the fix is there. So the worst we get is the same as now -- OTP binds
will not work over compat tree. And when 389DS will be upgraded, they
will start working after 389DS restart.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Fri, 2014-02-14 at 14:13 +0200, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> >Through the review process, patches are getting shifted around, added,
> >deleted, etc. So I'm now just going to be posting all the patches as an
> >ordered set. The set attached is ordered according to my preferred merge
> >order. It also places easy to review patches up front. I hope this helps
> >reviewers. This format will definitely help me manage the patches.
> >
> >The first three patches should be very easy reviews and can be merged
> >independently.
> >
> >All current patch critiques have, to my knowledge, been addressed in
> >this latest series of patches.
> ACK for 0006-Add-libotp-internal-library-for-slapi-plugins.patch
>
> Should we pay attention to changing default from SHA-1 algo to SHA-2
> family (SHA-256, SHA-384, SHA-512)?

Unfortunately, Google Authenticator only supports SHA-1. FreeOTP, however,
supports them all. If we change the default, we'll have to document that
the defaults don't work with GA.

Nathaniel
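As an added example, not code from FreeIPA, FreeOTP or Google Authenticator, the following Python computes HOTP/TOTP with the HMAC digest as a parameter and checks itself against the RFC 6238 Appendix B vectors. It makes the point in the message above concrete: the same secret yields different codes under SHA-1 and SHA-256, the server's configured algorithm (not the client's) decides what is accepted, and the otpauth provisioning URI is where the algorithm choice is communicated to the client. The seeds are the RFC test seeds; the issuer and account names in the URI are made up.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP with a selectable HMAC digest,
to show why a server-side default of SHA-256 breaks a SHA-1-only client."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# RFC 6238 Appendix B test seeds (ASCII; length matches each digest's block).
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = b"12345678901234567890123456789012"
SEED_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP; `algo` is any hashlib constructor name (sha1/sha256/sha512)."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter T = floor(time / step)."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, submitted: str, unix_time: int, algo: str = "sha1",
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check allowing +/- `skew` steps of clock drift.
    The server's `algo` is what the token was provisioned with; a client that
    hashed with SHA-1 never matches a token the server treats as SHA-256."""
    for delta in range(-skew, skew + 1):
        expected = totp(key, unix_time + delta * step, step, digits, algo)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def otpauth_uri(issuer: str, account: str, key: bytes, algo: str = "sha1",
                digits: int = 6, step: int = 30) -> str:
    """Key Uri Format (otpauth://) used for QR provisioning. A client that only
    implements SHA-1 ignores the `algorithm` parameter and computes wrong codes."""
    params = {"secret": base64.b32encode(key).decode().rstrip("="),
              "issuer": issuer, "algorithm": algo.upper(),
              "digits": digits, "period": step}
    return "otpauth://totp/%s:%s?%s" % (quote(issuer), quote(account), urlencode(params))


def sha1_only_client_vs_sha256_token(unix_time: int = 59) -> dict:
    """Same secret, same time: what a SHA-1-only client displays versus what a
    server that provisioned the token as SHA-256 will accept."""
    key = SEED_SHA256                                          # constructed token secret
    client_code = totp(key, unix_time, algo="sha1")            # SHA-1-only client's code
    return {
        "client_code": client_code,
        "accepted_by_sha256_server": verify_totp(key, client_code, unix_time, algo="sha256"),
        "accepted_by_sha1_server": verify_totp(key, client_code, unix_time, algo="sha1"),
    }
```

Changing the default digest therefore changes the `algorithm=` parameter in every newly provisioned URI; clients that cannot honour it fail silently with "wrong code" rather than with a provisioning error, which is why the default deserves documentation.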
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Thu, 2014-02-20 at 09:19 -0500, Nathaniel McCallum wrote: > On Thu, 2014-02-20 at 14:33 +0200, Alexander Bokovoy wrote: > > On Thu, 20 Feb 2014, Alexander Bokovoy wrote: > > >There is definitely a bug (or more) in ipa-pwd-extop in handling > > >authentication cases. > > Some progress on this investigation. > > > > Plugin precedence setting is broken in 389-ds. It is only set once, > > before running init function provided by the plugin and does not take > > into account all callbacks that the init function may register. As > > result, all these functions get classified with default precedence (50) > > and no configuration could change this, we get ipa-pwd-extop's pre-bind > > callback called before schemacompat's one, thus working on the compat > > entry DN instead of the new one. Since that entry has no userPassword > > attribute, OTP code refuses to accept any password. > > > > When user is allowed to use password auth along with OTP, the fact that > > there is no userPassword get ipa-pwd-extop plugin through the failure. > > schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of > > 389-ds code checks actual password. > > > > So we have two issues here: OTP code needs to gracefully ignore entries > > without userPassword set, and we need to be able to re-arrange > > schemacompat and ipa-pwd-extop precedence for pre-bind operation. > > > > I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on > > the latter. > > > > The messages from the log are not yet solved... 
> > >>>Finally, I have a clue after tracing with debug level 1: > > >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 > > >>>type 461 > > >>>[19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL > > >>>parameter > > >>>[19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is > > >>>NULL > > >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 > > >>>type 461 > > >>> > > >>>So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more. > > >>There is an error in libotp's find() function which assumes that > > >>get_basedn() always returns non-NULL value. This is not true for at > > >>least cn=Directory Manager. > > >> > > >>Patch attached. > > >More fixes required, now that Thierry produced the fix for 389-ds ticket > > >47699 which allows to re-arrange schema-compat and ipa-pwd-extop > > >plugins. I'm getting crash in find() in libotp.c for internal search in > > >some other conditions but at least user dn now is the correct one. > > > > > >Stay tuned. > > OK, finally I've got it working -- my last patch had error which could > > be attributed to the late night time. > > > > New patch is attached to fix libotp to work properly with empty base dn > > (such as cn=Directory Manager). > > > > Also I'm attaching the patch that sets precedence of schema-compat > > plugin to 49 (less than default 50). With this patch and 389-ds with > > patch from ticket 47699 compat tree binds work with OTP. > > > > When updated 389-ds-base will be released, we'll need to add Requires: > > to our RPM spec to depend on it. Without the updated 389-ds-base compat > > tree binds will not work with OTP but the rest will be working fine. > > > > Finally, ACK to all OTP patches. > > ACK to both of these patches. I've merged the first patch here -- https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html I just realized the second patch shouldn't be ACK'd until we have a new 389DS release with the fix. 
When that happens, reissue this patch with
an update versioned require.

Nathaniel
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Thu, 2014-02-20 at 14:33 +0200, Alexander Bokovoy wrote: > On Thu, 20 Feb 2014, Alexander Bokovoy wrote: > >There is definitely a bug (or more) in ipa-pwd-extop in handling > >authentication cases. > Some progress on this investigation. > > Plugin precedence setting is broken in 389-ds. It is only set once, > before running init function provided by the plugin and does not take > into account all callbacks that the init function may register. As > result, all these functions get classified with default precedence (50) > and no configuration could change this, we get ipa-pwd-extop's pre-bind > callback called before schemacompat's one, thus working on the compat > entry DN instead of the new one. Since that entry has no userPassword > attribute, OTP code refuses to accept any password. > > When user is allowed to use password auth along with OTP, the fact that > there is no userPassword get ipa-pwd-extop plugin through the failure. > schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of > 389-ds code checks actual password. > > So we have two issues here: OTP code needs to gracefully ignore entries > without userPassword set, and we need to be able to re-arrange > schemacompat and ipa-pwd-extop precedence for pre-bind operation. > > I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on > the latter. > > The messages from the log are not yet solved... > >>>Finally, I have a clue after tracing with debug level 1: > >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type > >>>461 > >>>[19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter > >>>[19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL > >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 > >>>type 461 > >>> > >>>So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more. 
> >>There is an error in libotp's find() function which assumes that
> >>get_basedn() always returns non-NULL value. This is not true for at
> >>least cn=Directory Manager.
> >>
> >>Patch attached.
> >More fixes required, now that Thierry produced the fix for 389-ds ticket
> >47699 which allows to re-arrange schema-compat and ipa-pwd-extop
> >plugins. I'm getting crash in find() in libotp.c for internal search in
> >some other conditions but at least user dn now is the correct one.
> >
> >Stay tuned.
> OK, finally I've got it working -- my last patch had error which could
> be attributed to the late night time.
>
> New patch is attached to fix libotp to work properly with empty base dn
> (such as cn=Directory Manager).
>
> Also I'm attaching the patch that sets precedence of schema-compat
> plugin to 49 (less than default 50). With this patch and 389-ds with
> patch from ticket 47699 compat tree binds work with OTP.
>
> When updated 389-ds-base will be released, we'll need to add Requires:
> to our RPM spec to depend on it. Without the updated 389-ds-base compat
> tree binds will not work with OTP but the rest will be working fine.
>
> Finally, ACK to all OTP patches.

ACK to both of these patches.
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Thu, 20 Feb 2014, Alexander Bokovoy wrote: There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases. Some progress on this investigation. Plugin precedence setting is broken in 389-ds. It is only set once, before running init function provided by the plugin and does not take into account all callbacks that the init function may register. As result, all these functions get classified with default precedence (50) and no configuration could change this, we get ipa-pwd-extop's pre-bind callback called before schemacompat's one, thus working on the compat entry DN instead of the new one. Since that entry has no userPassword attribute, OTP code refuses to accept any password. When user is allowed to use password auth along with OTP, the fact that there is no userPassword get ipa-pwd-extop plugin through the failure. schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of 389-ds code checks actual password. So we have two issues here: OTP code needs to gracefully ignore entries without userPassword set, and we need to be able to re-arrange schemacompat and ipa-pwd-extop precedence for pre-bind operation. I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on the latter. The messages from the log are not yet solved... Finally, I have a clue after tracing with debug level 1: [19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461 [19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter [19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL [19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461 So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more. There is an error in libotp's find() function which assumes that get_basedn() always returns non-NULL value. This is not true for at least cn=Directory Manager. Patch attached. 
More fixes required, now that Thierry produced the fix for 389-ds ticket 47699 which allows to re-arrange schema-compat and ipa-pwd-extop plugins. I'm getting crash in find() in libotp.c for internal search in some other conditions but at least user dn now is the correct one. Stay tuned. OK, finally I've got it working -- my last patch had error which could be attributed to the late night time. New patch is attached to fix libotp to work properly with empty base dn (such as cn=Directory Manager). Also I'm attaching the patch that sets precedence of schema-compat plugin to 49 (less than default 50). With this patch and 389-ds with patch from ticket 47699 compat tree binds work with OTP. When updated 389-ds-base will be released, we'll need to add Requires: to our RPM spec to depend on it. Without the updated 389-ds-base compat tree binds will not work with OTP but the rest will be working fine. Finally, ACK to all OTP patches. -- / Alexander Bokovoy >From de0c56f98b4558a591cc0d416815141c0cbdfbf3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 19 Feb 2014 23:24:29 +0200 Subject: [PATCH 16/17] libotp: do not call internal search for NULL dn --- daemons/ipa-slapi-plugins/libotp/libotp.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/libotp/libotp.c b/daemons/ipa-slapi-plugins/libotp/libotp.c index 31cc591..e6c8eaa 100644 --- a/daemons/ipa-slapi-plugins/libotp/libotp.c +++ b/daemons/ipa-slapi-plugins/libotp/libotp.c @@ -332,6 +332,7 @@ static struct otptoken **find(Slapi_ComponentId *id, const char *user_dn, Slapi_PBlock *pb = NULL; Slapi_DN *sdn = NULL; char *filter = NULL; +const char *basedn = NULL; size_t count = 0; int result = -1; 
@@ -362,8 +363,12 @@ static struct otptoken **find(Slapi_ComponentId *id, const char *user_dn, if (sdn == NULL) goto error; +basedn = get_basedn(sdn); +if (basedn == NULL) +goto error; + /* Find all user tokens. */ -slapi_search_internal_set_pb(pb, get_basedn(sdn), +slapi_search_internal_set_pb(pb, basedn, LDAP_SCOPE_SUBTREE, filter, NULL, 0, NULL, NULL, id, 0); } -- 1.8.5.3 >From fa4e982f7c424bad9105b283cee34a1758fa6e9d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 20 Feb 2014 12:18:16 +0200 Subject: [PATCH 17/17] schema-compat: set precedence to 49 to allow OTP binds over compat tree schema-compat plugin rewrites bind DN to point to the original entry on LDAP bind operation. To work with OTP tokens this requires that schema-compat's pre-bind callback is called before pre-bind callback of the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have a nsslapd-pluginprecedence value lower than (default) 50 which is used by the ipa-pwd-extop plugin. Note that this will only work if ticket 47699 is fixed in 389-ds. --- install/share/schema_compat.uldif | 4 install/updates/10-schema_compat.update | 7
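Review bot: in the second hunk, `if (basedn == NULL) goto error;` sends the "bind DN has no suffix" case (cn=Directory Manager, per this message) down the same path as an allocation or search failure, with `result` still at its initial -1, so the caller cannot tell "no tokens to check" from "lookup failed"; if the intent is that such binds simply have no tokens, return an empty list for a NULL base DN instead, and add a one-line comment on why get_basedn() can return NULL so the check is not later mistaken for dead code.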
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 19 Feb 2014, Alexander Bokovoy wrote:
> On Wed, 19 Feb 2014, Alexander Bokovoy wrote:
> > On Mon, 17 Feb 2014, Alexander Bokovoy wrote:
> > > On Thu, 13 Feb 2014, Alexander Bokovoy wrote:
> > > > On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> > > > > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> > > > >
> > > > > The first three patches should be very easy reviews and can be merged independently.
> > > > >
> > > > > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> > > > I have tested all the patches altogether, including Web UI patches, and everything works.
> > > >
> > > > I have set up a COPR repo for others to try:
> > > > http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
> > > >
> > > > However, there is one issue which I was not yet able to pinpoint in the SLAPI plugins. During FreeIPA install and later on actual use I see these in the dirsrv error log:
> > > >
> > > > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > > > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > > > [13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
> > > > [13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > > [13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
> > > > [13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > > [13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL
> > > >
> > > > Additionally, when slapi-nis is enabled, LDAP bind with an identity from the compat tree fails for OTP use and succeeds for password authentication.
> > > >
> > > > In the compat tree we are doing this trick:
> > > >
> > > >     /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN
> > > >      * and let other plugins to handle it.
> > > >      * slapi-nis should have plugin ordering set below standard 50 to succeed */
> > > >     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
> > > >     if (sdn != NULL) {
> > > >         slapi_sdn_free(&sdn);
> > > >     }
> > > >     sdn = slapi_sdn_new_dn_byref(ndn);
> > > >     slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
> > > >     ret = 0;
> > > > }
> > > >
> > > > I tried to play with plugin precedence and it didn't really help.
> > > >
> > > > There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases.
> > > Some progress on this investigation.
> > >
> > > Plugin precedence setting is broken in 389-ds. It is only set once, before running the init function provided by the plugin, and does not take into account all callbacks that the init function may register. As a result, all these functions get classified with the default precedence (50) and no configuration could change this; we get ipa-pwd-extop's pre-bind callback called before schemacompat's one, thus working on the compat entry DN instead of the new one. Since that entry has no userPassword attribute, OTP code refuses to accept any password.
> > >
> > > When the user is allowed to use password auth along with OTP, the fact that there is no userPassword gets the ipa-pwd-extop plugin through the failure. The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of the 389-ds code checks the actual password.
> > >
> > > So we have two issues here: OTP code needs to gracefully ignore entries without userPassword set, and we need to be able to re-arrange schemacompat and ipa-pwd-extop precedence for the pre-bind operation.
> > >
> > > I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on the latter.
> > >
> > > The messages from the log are not yet solved...
> > Finally, I have a clue after tracing with debug level 1:
> >
> > [19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461
> > [19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL
> > [19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461
> >
> > So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more.
> There is an error in libotp's find() function which assumes that get_basedn() always returns a non-NULL value. This is not true for at least cn=Directory Manager.
>
> Patch attached.
More fixes required, now that Thierry produced the fix for 389-ds ticket 47699 which allows re-arranging the schema-compat and ipa-pwd-extop plugins. I'm getting a crash in find() in libotp.c for an internal search in some other conditions, but at least the user DN now is the correct one. Stay tuned.

--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mai
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 19 Feb 2014, Alexander Bokovoy wrote:
> On Mon, 17 Feb 2014, Alexander Bokovoy wrote:
> > On Thu, 13 Feb 2014, Alexander Bokovoy wrote:
> > > On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> > > > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> > > >
> > > > The first three patches should be very easy reviews and can be merged independently.
> > > >
> > > > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> > > I have tested all the patches altogether, including Web UI patches, and everything works.
> > >
> > > I have set up a COPR repo for others to try:
> > > http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
> > >
> > > However, there is one issue which I was not yet able to pinpoint in the SLAPI plugins. During FreeIPA install and later on actual use I see these in the dirsrv error log:
> > >
> > > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > > [13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
> > > [13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
> > > [13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL
> > >
> > > Additionally, when slapi-nis is enabled, LDAP bind with an identity from the compat tree fails for OTP use and succeeds for password authentication.
> > >
> > > In the compat tree we are doing this trick:
> > >
> > >     /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN
> > >      * and let other plugins to handle it.
> > >      * slapi-nis should have plugin ordering set below standard 50 to succeed */
> > >     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
> > >     if (sdn != NULL) {
> > >         slapi_sdn_free(&sdn);
> > >     }
> > >     sdn = slapi_sdn_new_dn_byref(ndn);
> > >     slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
> > >     ret = 0;
> > > }
> > >
> > > I tried to play with plugin precedence and it didn't really help.
> > >
> > > There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases.
> > Some progress on this investigation.
> >
> > Plugin precedence setting is broken in 389-ds. It is only set once, before running the init function provided by the plugin, and does not take into account all callbacks that the init function may register. As a result, all these functions get classified with the default precedence (50) and no configuration could change this; we get ipa-pwd-extop's pre-bind callback called before schemacompat's one, thus working on the compat entry DN instead of the new one. Since that entry has no userPassword attribute, OTP code refuses to accept any password.
> >
> > When the user is allowed to use password auth along with OTP, the fact that there is no userPassword gets the ipa-pwd-extop plugin through the failure. The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of the 389-ds code checks the actual password.
> >
> > So we have two issues here: OTP code needs to gracefully ignore entries without userPassword set, and we need to be able to re-arrange schemacompat and ipa-pwd-extop precedence for the pre-bind operation.
> >
> > I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on the latter.
> >
> > The messages from the log are not yet solved...
> Finally, I have a clue after tracing with debug level 1:
>
> [19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461
> [19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter
> [19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL
> [19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461
>
> So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more.
There is an error in libotp's find() function which assumes that get_basedn() always returns a non-NULL value. This is not true for at least cn=Directory Manager.

Patch attached.

--
/ Alexander Bokovoy

From c91c69fb05f5411ce2a583fc4678ce10cb31e894 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 19 Feb 2014 23:24:29 +0200
Subject: [PATCH 16/16] libotp: do not call internal search for NULL dn

---
 daemons/ipa-slapi-plugins/libotp/libotp.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/libotp.c b/daemons/ipa-slapi-plugins/libotp/libotp.c
index 31cc591..e7119f0 100644
--- a/daemons/ipa-sla
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Mon, 17 Feb 2014, Alexander Bokovoy wrote:
> On Thu, 13 Feb 2014, Alexander Bokovoy wrote:
> > On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> > > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> > >
> > > The first three patches should be very easy reviews and can be merged independently.
> > >
> > > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> > I have tested all the patches altogether, including Web UI patches, and everything works.
> >
> > I have set up a COPR repo for others to try:
> > http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
> >
> > However, there is one issue which I was not yet able to pinpoint in the SLAPI plugins. During FreeIPA install and later on actual use I see these in the dirsrv error log:
> >
> > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > [13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
> > [13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
> > [13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL
> >
> > Additionally, when slapi-nis is enabled, LDAP bind with an identity from the compat tree fails for OTP use and succeeds for password authentication.
> >
> > In the compat tree we are doing this trick:
> >
> >     /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN
> >      * and let other plugins to handle it.
> >      * slapi-nis should have plugin ordering set below standard 50 to succeed */
> >     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
> >     if (sdn != NULL) {
> >         slapi_sdn_free(&sdn);
> >     }
> >     sdn = slapi_sdn_new_dn_byref(ndn);
> >     slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
> >     ret = 0;
> > }
> >
> > I tried to play with plugin precedence and it didn't really help.
> >
> > There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases.
> Some progress on this investigation.
>
> Plugin precedence setting is broken in 389-ds. It is only set once, before running the init function provided by the plugin, and does not take into account all callbacks that the init function may register. As a result, all these functions get classified with the default precedence (50) and no configuration could change this; we get ipa-pwd-extop's pre-bind callback called before schemacompat's one, thus working on the compat entry DN instead of the new one. Since that entry has no userPassword attribute, OTP code refuses to accept any password.
>
> When the user is allowed to use password auth along with OTP, the fact that there is no userPassword gets the ipa-pwd-extop plugin through the failure. The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of the 389-ds code checks the actual password.
>
> So we have two issues here: OTP code needs to gracefully ignore entries without userPassword set, and we need to be able to re-arrange schemacompat and ipa-pwd-extop precedence for the pre-bind operation.
>
> I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on the latter.
>
> The messages from the log are not yet solved...
Finally, I have a clue after tracing with debug level 1:

[19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461
[19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter
[19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL
[19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461

So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more.

--
/ Alexander Bokovoy
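The attribution done by hand in the message above (the NULL-parameter errors sit between the "Calling plugin" trace line for ipa-otp-lasttoken and the next trace line, so they were raised inside that callback) can be automated over a dirsrv error log. This is an added example, not code from the FreeIPA project or from anyone in the thread; it assumes the debug-level-1 trace format is exactly the one quoted, and the sample log lines are constructed from the ones in the thread.

```python
"""Attribute 389-ds error-log messages to the plugin callback that was running.

Added example, not FreeIPA project code. At error-log debug level 1, 389-ds
prints a "Calling plugin '<name>' #<n> type <t>" line as it enters each plugin
callback (format assumed from the lines quoted in the thread), so any error
logged between that line and the next "Calling plugin" line was raised inside
that callback.
"""
import re
from collections import defaultdict

# Generic 389-ds error-log line: "[timestamp] - message"
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")

# Debug-level-1 trace line emitted when a plugin callback is entered.
CALL_RE = re.compile(
    r"^Calling plugin '(?P<name>[^']+)' #(?P<idx>\d+) type (?P<type>\d+)$"
)

# Substrings of the messages the thread is chasing: a plugin issued an
# internal search without a valid base DN or component identity, or a
# callback returned a failure code.
ERROR_MARKERS = (
    "slapi_search_internal_set_pb: NULL parameter",
    "allow_operation: component identity is NULL",
    "plugin returned error code",
)


def parse_line(line):
    """Split one log line into (timestamp, message); None if it does not match."""
    m = LOG_RE.match(line.strip())
    return (m.group("ts"), m.group("msg")) if m else None


def attribute_errors(lines):
    """Map plugin name -> list of (timestamp, message) errors logged while that
    plugin's callback was the most recently entered one.

    Errors seen before any trace line are filed under "unknown": that is what
    the log looks like at the default debug level, where only the errors
    themselves are printed (the 13 Feb block in the thread).
    """
    current = "unknown"
    errors = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        call = CALL_RE.match(msg)
        if call:
            current = call.group("name")
            continue
        if any(marker in msg for marker in ERROR_MARKERS):
            errors[current].append((ts, msg))
    return dict(errors)


def suspects(lines):
    """Plugins with at least one attributed error, most errors first."""
    ranked = sorted(attribute_errors(lines).items(), key=lambda kv: -len(kv[1]))
    return [name for name, _ in ranked if name != "unknown"]


# Constructed sample: default-level lines from 13 Feb and the debug-level-1
# trace from 19 Feb, as quoted in the thread.
SAMPLE_LOG = """\
[13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
[13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
[19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461
[19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter
[19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL
[19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461
"""

if __name__ == "__main__":
    for plugin, errs in attribute_errors(SAMPLE_LOG.splitlines()).items():
        print(f"{plugin}: {len(errs)} error(s)")
        for ts, msg in errs:
            print(f"  [{ts}] {msg}")
    print("suspects:", suspects(SAMPLE_LOG.splitlines()))
```

Errors logged before the first trace line stay under "unknown", which is exactly why the 13 Feb log could not be attributed until the trace level was raised.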
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Tue, 18 Feb 2014, Petr Viktorin wrote:
> On 02/17/2014 06:17 PM, Alexander Bokovoy wrote:
> > On Mon, 17 Feb 2014, Nathaniel McCallum wrote:
> > > On Wed, 2014-02-12 at 11:49 -0500, Nathaniel McCallum wrote:
> > > > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> > > >
> > > > The first three patches should be very easy reviews and can be merged independently.
> > > >
> > > > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> > > Attached are the four remaining patches that have not yet been merged. I have re-ordered them so that reviews can continue in parallel while I track down the two remaining bugs in ipa-pwd-extop. This means the first two patches should be ready for review/merger.
> > 0004 -- ACK.
> Wait, 0004? The last one?
>
> Nathaniel modified 0004 in a later mail (removed oktodo()), so I'll not push this one.
Yes, no need to push the patchset yet; we are still looking for the remaining issue with the errors I see in the logs. I'm going to do a clean install today/tomorrow (as time permits) to find out what was wrong with the dirsrv setup, if anything.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On 02/17/2014 06:17 PM, Alexander Bokovoy wrote:
> On Mon, 17 Feb 2014, Nathaniel McCallum wrote:
> > On Wed, 2014-02-12 at 11:49 -0500, Nathaniel McCallum wrote:
> > > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> > >
> > > The first three patches should be very easy reviews and can be merged independently.
> > >
> > > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> > Attached are the four remaining patches that have not yet been merged. I have re-ordered them so that reviews can continue in parallel while I track down the two remaining bugs in ipa-pwd-extop. This means the first two patches should be ready for review/merger.
> 0004 -- ACK.
Wait, 0004? The last one?

Nathaniel modified 0004 in a later mail (removed oktodo()), so I'll not push this one.

> SLAPI_PLUGIN_OPRETURN is used by 389-ds to notify post-callbacks of the result of the actual operation. In the BIND case it is set, before running post-callbacks, to the result of the actual bind operation so that post-callbacks know what has happened and can fetch it.

--
Petr³
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Mon, 17 Feb 2014, Nathaniel McCallum wrote:
> On Mon, 2014-02-17 at 12:32 +0200, Alexander Bokovoy wrote:
> > On Thu, 13 Feb 2014, Alexander Bokovoy wrote:
> > > On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> > > > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> > > >
> > > > The first three patches should be very easy reviews and can be merged independently.
> > > >
> > > > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> > > I have tested all the patches altogether, including Web UI patches, and everything works.
> > >
> > > I have set up a COPR repo for others to try:
> > > http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
> > >
> > > However, there is one issue which I was not yet able to pinpoint in the SLAPI plugins. During FreeIPA install and later on actual use I see these in the dirsrv error log:
> > >
> > > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > > [13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
> > > [13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
> > > [13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
> > > [13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL
> > >
> > > Additionally, when slapi-nis is enabled, LDAP bind with an identity from the compat tree fails for OTP use and succeeds for password authentication.
> > >
> > > In the compat tree we are doing this trick:
> > >
> > >     /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN
> > >      * and let other plugins to handle it.
> > >      * slapi-nis should have plugin ordering set below standard 50 to succeed */
> > >     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
> > >     if (sdn != NULL) {
> > >         slapi_sdn_free(&sdn);
> > >     }
> > >     sdn = slapi_sdn_new_dn_byref(ndn);
> > >     slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
> > >     ret = 0;
> > > }
> > >
> > > I tried to play with plugin precedence and it didn't really help.
> > >
> > > There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases.
> > Some progress on this investigation.
> >
> > Plugin precedence setting is broken in 389-ds. It is only set once, before running the init function provided by the plugin, and does not take into account all callbacks that the init function may register. As a result, all these functions get classified with the default precedence (50) and no configuration could change this; we get ipa-pwd-extop's pre-bind callback called before schemacompat's one, thus working on the compat entry DN instead of the new one. Since that entry has no userPassword attribute, OTP code refuses to accept any password.
> >
> > When the user is allowed to use password auth along with OTP, the fact that there is no userPassword gets the ipa-pwd-extop plugin through the failure. The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of the 389-ds code checks the actual password.
> >
> > So we have two issues here: OTP code needs to gracefully ignore entries without userPassword set, and we need to be able to re-arrange schemacompat and ipa-pwd-extop precedence for the pre-bind operation.
> If schemacompat goes first, it rewrites the TARGET_SDN to the correct entry. This entry should have userPassword set, no?
Yes, it should. However, if somebody binds with an entry that has no userPassword, it is not the business of ipa-pwd-extop pre-bind callbacks to decide what to answer; we have 389-ds core logic for that already.

> > I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on the latter.
> >
> > The messages from the log are not yet solved...
> I've spent the better part of today trying to reproduce this and I haven't been able to yet. Can you reproduce the problem in a clean install?
Yes, that's my plan, hopefully tomorrow.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Mon, 2014-02-17 at 12:32 +0200, Alexander Bokovoy wrote:
> On Thu, 13 Feb 2014, Alexander Bokovoy wrote:
> > On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> > > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> > >
> > > The first three patches should be very easy reviews and can be merged independently.
> > >
> > > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> > I have tested all the patches altogether, including Web UI patches, and everything works.
> >
> > I have set up a COPR repo for others to try:
> > http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
> >
> > However, there is one issue which I was not yet able to pinpoint in the SLAPI plugins. During FreeIPA install and later on actual use I see these in the dirsrv error log:
> >
> > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> > [13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
> > [13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
> > [13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
> > [13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL
> >
> > Additionally, when slapi-nis is enabled, LDAP bind with an identity from the compat tree fails for OTP use and succeeds for password authentication.
> >
> > In the compat tree we are doing this trick:
> >
> >     /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN
> >      * and let other plugins to handle it.
> >      * slapi-nis should have plugin ordering set below standard 50 to succeed */
> >     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
> >     if (sdn != NULL) {
> >         slapi_sdn_free(&sdn);
> >     }
> >     sdn = slapi_sdn_new_dn_byref(ndn);
> >     slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
> >     ret = 0;
> > }
> >
> > I tried to play with plugin precedence and it didn't really help.
> >
> > There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases.
> Some progress on this investigation.
>
> Plugin precedence setting is broken in 389-ds. It is only set once, before running the init function provided by the plugin, and does not take into account all callbacks that the init function may register. As a result, all these functions get classified with the default precedence (50) and no configuration could change this; we get ipa-pwd-extop's pre-bind callback called before schemacompat's one, thus working on the compat entry DN instead of the new one. Since that entry has no userPassword attribute, OTP code refuses to accept any password.
>
> When the user is allowed to use password auth along with OTP, the fact that there is no userPassword gets the ipa-pwd-extop plugin through the failure. The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of the 389-ds code checks the actual password.
>
> So we have two issues here: OTP code needs to gracefully ignore entries without userPassword set, and we need to be able to re-arrange schemacompat and ipa-pwd-extop precedence for the pre-bind operation.
If schemacompat goes first, it rewrites the TARGET_SDN to the correct entry. This entry should have userPassword set, no?

> I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on the latter.
>
> The messages from the log are not yet solved...
I've spent the better part of today trying to reproduce this and I haven't been able to yet. Can you reproduce the problem in a clean install?

Nathaniel
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Mon, 17 Feb 2014, Nathaniel McCallum wrote: From 357cc6a40c58f3f88f8e86c5224f2c042ab974d8 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Mon, 16 Dec 2013 16:19:08 -0500 Subject: [PATCH 2/4] Add OTP last token plugin This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. --- daemons/configure.ac | 1 + daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-otp-lasttoken/Makefile.am | 28 .../ipa-otp-lasttoken/ipa-otp-lasttoken.sym| 1 + .../ipa-otp-lasttoken/ipa_otp_lasttoken.c | 183 + .../ipa-otp-lasttoken/otp-lasttoken-conf.ldif | 15 ++ freeipa.spec.in| 2 + ipaserver/install/dsinstance.py| 4 + 8 files changed, 235 insertions(+) create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-lasttoken/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa-otp-lasttoken.sym create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-lasttoken/otp-lasttoken-conf.ldif diff --git a/daemons/configure.ac b/daemons/configure.ac index e5bf7f552c0d85acc7ae14e3da05ab8c948daa93..b4507a6d972f854331925e72869898576bdfd76f 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -314,6 +314,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-dns/Makefile ipa-slapi-plugins/ipa-enrollment/Makefile ipa-slapi-plugins/ipa-lockout/Makefile +ipa-slapi-plugins/ipa-otp-lasttoken/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile ipa-slapi-plugins/ipa-extdom-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 40725d2259d09010d2f82381543fc77d84435040..06e6ee8b86f138cce05f2184ac98c39ffaf9757f 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am 
@@ -7,6 +7,7 @@ SUBDIRS = \ ipa-enrollment \ ipa-lockout \ ipa-modrdn \ + ipa-otp-lasttoken \ ipa-pwd-extop \ ipa-extdom-extop\ ipa-uuid\ diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/Makefile.am b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/Makefile.am new file mode 100644 index ..1e3869bfda9f8fd14cd4d93d0d466780932ac40f --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/Makefile.am @@ -0,0 +1,28 @@ +MAINTAINERCLEANFILES = *~ Makefile.in +PLUGIN_COMMON_DIR = ../common +AM_CPPFLAGS = \ + -I. \ + -I$(srcdir) \ + -I$(srcdir)/../libotp \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\""$(prefix)"\"\ + -DBINDIR=\""$(bindir)"\"\ + -DLIBDIR=\""$(libdir)"\"\ + -DLIBEXECDIR=\""$(libexecdir)"\"\ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS)\ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = libipa_otp_lasttoken.la +libipa_otp_lasttoken_la_SOURCES = ipa_otp_lasttoken.c +libipa_otp_lasttoken_la_LDFLAGS = -avoid-version -export-symbols ipa-otp-lasttoken.sym +libipa_otp_lasttoken_la_LIBADD = \ + $(LDAP_LIBS)\ + $(builddir)/../libotp/libotp.la + +appdir = $(IPA_DATA_DIR) +app_DATA = otp-lasttoken-conf.ldif +EXTRA_DIST = $(app_DATA) diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa-otp-lasttoken.sym b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa-otp-lasttoken.sym new file mode 100644 index ..e32dc32f5693547bf604480490f42511368fdb81 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa-otp-lasttoken.sym @@ -0,0 +1 @@ +ipa_otp_lasttoken_init diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c new file mode 100644 index ..4abeb671e29b40cdf9b005ff5bc6b12c6d91bb30 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c @@ -0,0 +1,183 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software;
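Review bot: the new ipa-otp-lasttoken/Makefile.am links `$(builddir)/../libotp/libotp.la` via `libipa_otp_lasttoken_la_LIBADD`, but the SUBDIRS hunk in daemons/ipa-slapi-plugins/Makefile.am inserts `ipa-otp-lasttoken \` between `ipa-modrdn \` and `ipa-pwd-extop \` without showing where `libotp` sits in that list. Automake recurses into SUBDIRS in the listed order, so `libotp` must come before `ipa-otp-lasttoken` (or the plugin's Makefile.am should carry an explicit dependency on libotp.la), otherwise a clean parallel build can fail to find libotp.la; please confirm the ordering or add the dependency.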
Re: [Freeipa-devel] [PATCHES] OTP Patches
On patch 0001:

On Mon, 17 Feb 2014, Nathaniel McCallum wrote:
index 9cb9d71a81bc1f1089017a2236b4b7b94946ed35..8ab09e92b64b6a2f31c9c25d61a7dacc9fa608e8 100644 --- a/VERSION +++ b/VERSION @@ -90,4 +90,4 @@ IPA_DATA_VERSION=2010061412 IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=73 -# Last change: pviktori - Managed permissions +# Last change: npmccallum - HOTP support

Please also update IPA_API_VERSION_MINOR to the next one (74)

--
/ Alexander Bokovoy
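Review bot: the VERSION hunk only rewrites the "Last change" comment while `IPA_API_VERSION_MINOR=73` is kept unchanged in the context; a new comment announcing HOTP support without a corresponding API minor bump leaves clients unable to detect the API change, so bump the minor version in the same hunk (`IPA_API_VERSION_MINOR=74`) so that the comment and the version number agree.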
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Mon, 17 Feb 2014, Nathaniel McCallum wrote:
> On Wed, 2014-02-12 at 11:49 -0500, Nathaniel McCallum wrote:
> > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> >
> > The first three patches should be very easy reviews and can be merged independently.
> >
> > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> Attached are the four remaining patches that have not yet been merged. I have re-ordered them so that reviews can continue in parallel while I track down the two remaining bugs in ipa-pwd-extop. This means the first two patches should be ready for review/merger.
0004 -- ACK.

SLAPI_PLUGIN_OPRETURN is used by 389-ds to notify post-callbacks of the result of the actual operation. In the BIND case it is set, before running post-callbacks, to the result of the actual bind operation so that post-callbacks know what has happened and can fetch it.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Thu, 13 Feb 2014, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> > Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers. This format will definitely help me manage the patches.
> >
> > The first three patches should be very easy reviews and can be merged independently.
> >
> > All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> I have tested all the patches altogether, including Web UI patches, and everything works.
>
> I have set up a COPR repo for others to try:
> http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
>
> However, there is one issue which I was not yet able to pinpoint in the SLAPI plugins. During FreeIPA install and later on actual use I see these in the dirsrv error log:
>
> [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> [13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
> [13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
> [13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
> [13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
> [13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
> [13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
> [13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL
>
> Additionally, when slapi-nis is enabled, LDAP bind with an identity from the compat tree fails for OTP use and succeeds for password authentication.
>
> In the compat tree we are doing this trick:
>
>     /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN
>      * and let other plugins to handle it.
>      * slapi-nis should have plugin ordering set below standard 50 to succeed */
>     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
>     if (sdn != NULL) {
>         slapi_sdn_free(&sdn);
>     }
>     sdn = slapi_sdn_new_dn_byref(ndn);
>     slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
>     ret = 0;
> }
>
> I tried to play with plugin precedence and it didn't really help.
>
> There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases.
Some progress on this investigation.

Plugin precedence setting is broken in 389-ds. It is only set once, before running the init function provided by the plugin, and does not take into account all callbacks that the init function may register. As a result, all these functions get classified with the default precedence (50) and no configuration could change this; we get ipa-pwd-extop's pre-bind callback called before schemacompat's one, thus working on the compat entry DN instead of the new one. Since that entry has no userPassword attribute, OTP code refuses to accept any password.

When the user is allowed to use password auth along with OTP, the fact that there is no userPassword gets the ipa-pwd-extop plugin through the failure. The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of the 389-ds code checks the actual password.

So we have two issues here: OTP code needs to gracefully ignore entries without userPassword set, and we need to be able to re-arrange schemacompat and ipa-pwd-extop precedence for the pre-bind operation.

I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on the latter.

The messages from the log are not yet solved...

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On 02/14/2014 12:37 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
>> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
> This format will definitely help me manage the patches.
>
>> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> ACK for 0004-ipa-kdb-validate-that-an-OTP-user-has-tokens.patch

Pushed to master: fd55da9a27f76611b01c38c2741c13652d6a3e60

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] OTP Patches
On 02/14/2014 01:13 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
>> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
> This format will definitely help me manage the patches.
>
>> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> ACK for 0006-Add-libotp-internal-library-for-slapi-plugins.patch
>
> Should we pay attention to changing the default from the SHA-1 algo to the SHA-2 family (SHA-256, SHA-384, SHA-512)?

Pushed to master: 93d99c92b31adda35804868116b967c5e8d391b8

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] OTP Patches
On 02/14/2014 12:39 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
>> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
> This format will definitely help me manage the patches.
>
>> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> ACK for 0005-Enable-building-in-C99-mode.patch
>
> We may want to further improve setting -Werror after the compiler was set up in configure, but I'm not really sure it is needed at this point.

Pushed to master: 5c299758b9d26c4d233f49b92e18c558558dea5c

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
This format will definitely help me manage the patches.

> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
ACK for 0006-Add-libotp-internal-library-for-slapi-plugins.patch

Should we pay attention to changing the default from the SHA-1 algo to the SHA-2 family (SHA-256, SHA-384, SHA-512)?

-- 
/ Alexander Bokovoy
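The SHA-1 versus SHA-2 question raised in this review, illustrated with an added Python example (not FreeIPA's libotp code): HOTP and TOTP with the HMAC hash as an explicit parameter, checked against the RFC 4226 and RFC 6238 test vectors. The secrets and expected values are the RFCs' own; the `SHA1`/`SHA256`/`SHA512` labels follow the otpauth URI convention and are an assumption of this example.

```python
import hashlib
import hmac
import struct

# Added example, not FreeIPA/libotp code: HOTP (RFC 4226) and TOTP (RFC 6238)
# with the HMAC hash as a parameter. Changing the default hash changes every
# generated value, so the algorithm must be stored with the token, not assumed.

# Algorithm labels as used in otpauth:// URIs (assumption), mapped to hashlib.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """One HOTP value: HMAC over the 8-byte big-endian counter, dynamic
    truncation, then reduce modulo 10^digits and left-pad with zeros."""
    digest = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """TOTP is HOTP with the counter replaced by the time step floor(T / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, token: str, unix_time: int, algorithm: str = "SHA1",
                digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Accept the token for the current step or up to `window` steps of clock
    drift either way; every candidate is compared in constant time."""
    step = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, step + drift, digits, algorithm), token)
        for drift in range(-window, window + 1)
    )


# RFC 6238 test secrets: "1234567890" repeated to the hash output length
# (20 bytes for SHA-1, 32 for SHA-256, 64 for SHA-512).
RFC6238_SECRETS = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234",
}

if __name__ == "__main__":
    for alg, secret in RFC6238_SECRETS.items():
        print(alg, totp(secret, 59, digits=8, algorithm=alg))
    # Same secret, different hash: a SHA-1 token does not verify under SHA-256.
    sha1_token = totp(RFC6238_SECRETS["SHA1"], 59, digits=8)
    print(verify_totp(RFC6238_SECRETS["SHA1"], sha1_token, 59, algorithm="SHA256", digits=8))
```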
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
This format will definitely help me manage the patches.

> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
ACK for 0005-Enable-building-in-C99-mode.patch

We may want to further improve setting -Werror after the compiler was set up in configure, but I'm not really sure it is needed at this point.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
This format will definitely help me manage the patches.

> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
ACK for 0004-ipa-kdb-validate-that-an-OTP-user-has-tokens.patch

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On 02/13/2014 06:56 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
>> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
> This format will definitely help me manage the patches.
>
>> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
> 0001-Fix-OTP-token-names-labels.patch - ACK
> 0002-Fix-generation-of-invalid-OTP-URIs.patch - ACK
> 0003-Update-ACIs-to-permit-users-to-add.patch - ACK

Pushed to master: a91c0972b992dbd15e78f2ba6982768ac958e4bd

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
This format will definitely help me manage the patches.

> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
0001-Fix-OTP-token-names-labels.patch - ACK
0002-Fix-generation-of-invalid-OTP-URIs.patch - ACK
0003-Update-ACIs-to-permit-users-to-add.patch - ACK

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] OTP Patches
On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
> Through the review process, patches are getting shifted around, added, deleted, etc. So I'm now just going to be posting all the patches as an ordered set. The set attached is ordered according to my preferred merge order. It also places easy-to-review patches up front. I hope this helps reviewers.
This format will definitely help me manage the patches.

> The first three patches should be very easy reviews and can be merged independently. All current patch critiques have, to my knowledge, been addressed in this latest series of patches.
I have tested all the patches altogether, including Web UI patches, and everything works. I have set up a COPR repo for others to try: http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/

However, there is one issue which I was not yet able to pinpoint in the SLAPI plugins. During FreeIPA install and later on actual use I see these in the dirsrv error log:

[13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
[13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
[13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
[13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
[13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL

Additionally, when slapi-nis is enabled, LDAP bind with identity from compat tree fails for OTP use and succeeds for password authentication. In compat tree we are doing this trick:

    /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN
     * and let other plugins to handle it.
     * slapi-nis should have plugin ordering set below standard 50 to succeed */
    slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
    if (sdn != NULL) {
        slapi_sdn_free(&sdn);
    }
    sdn = slapi_sdn_new_dn_byref(ndn);
    slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
    ret = 0;
    }

I tried to play with plugin precedence and it didn't really help. There is definitely a bug (or more) in ipa-pwd-extop in handling authentication cases.

-- 
/ Alexander Bokovoy