On Thu, 2014-02-20 at 14:33 +0200, Alexander Bokovoy wrote:
> On Thu, 20 Feb 2014, Alexander Bokovoy wrote:
> >>>>>There is definitely a bug (or more) in ipa-pwd-extop in handling
> >>>>>authentication cases.
> >>>>Some progress on this investigation.
> >>>>
> >>>>Plugin precedence setting is broken in 389-ds. It is only set once,
> >>>>before running the init function provided by the plugin, and does not take
> >>>>into account all callbacks that the init function may register. As a
> >>>>result, all these functions get classified with the default precedence (50)
> >>>>and no configuration can change this; we get ipa-pwd-extop's pre-bind
> >>>>callback called before schemacompat's one, thus working on the compat
> >>>>entry DN instead of the new one. Since that entry has no userPassword
> >>>>attribute, the OTP code refuses to accept any password.
> >>>>
> >>>>When the user is allowed to use password auth along with OTP, the fact that
> >>>>there is no userPassword gets the ipa-pwd-extop plugin through the failure.
> >>>>The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of the
> >>>>389-ds code checks the actual password.
> >>>>
> >>>>So we have two issues here: the OTP code needs to gracefully ignore entries
> >>>>without userPassword set, and we need to be able to re-arrange
> >>>>schemacompat and ipa-pwd-extop precedence for the pre-bind operation.
> >>>>
> >>>>I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on
> >>>>the latter.
> >>>>
> >>>>The messages from the log are not yet solved...
> >>>Finally, I have a clue after tracing with debug level 1:
> >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461
> >>>[19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter
> >>>[19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL
> >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461
> >>>
> >>>So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more.
> >>There is an error in libotp's find() function which assumes that
> >>get_basedn() always returns a non-NULL value. This is not true for at
> >>least cn=Directory Manager.
> >>
> >>Patch attached.
> >More fixes required, now that Thierry produced the fix for 389-ds ticket
> >47699 which allows re-arranging the schema-compat and ipa-pwd-extop
> >plugins. I'm getting a crash in find() in libotp.c for an internal search in
> >some other conditions, but at least the user dn now is the correct one.
> >
> >Stay tuned.
> OK, finally I've got it working -- my last patch had an error which could
> be attributed to the late night time.
>
> New patch is attached to fix libotp to work properly with an empty base dn
> (such as cn=Directory Manager).
>
> Also I'm attaching the patch that sets the precedence of the schema-compat
> plugin to 49 (less than the default 50). With this patch and 389-ds with the
> patch from ticket 47699, compat tree binds work with OTP.
>
> When the updated 389-ds-base is released, we'll need to add Requires:
> to our RPM spec to depend on it. Without the updated 389-ds-base, compat
> tree binds will not work with OTP, but the rest will be working fine.
>
> Finally, ACK to all OTP patches.

ACK to both of these patches.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
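The two problems discussed in the thread, as an added example that is not code from 389-ds, FreeIPA or libotp: a toy model in C of (1) a lookup whose base DN is NULL because the bind DN (cn=Directory Manager) sits under no backend suffix, and (2) pre-bind callbacks ordered by precedence, where the compat plugin at 49 rewrites the bind target before the password plugin at 50 looks it up. Every name here (basedn_for, find_entry, compat_prebind, pwd_prebind, run_bind, the one-suffix directory and the sample entries) is hypothetical; the only facts taken from the thread are that a lower precedence value runs earlier, that the compat entry carries no userPassword, and that get_basedn() can return NULL. OTP verification itself is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Added example with hypothetical names; not 389-ds, FreeIPA or libotp code. */

enum { BIND_OK = 0, BIND_FAIL = -1, BIND_PASS_THROUGH = 1 };

struct entry { const char *dn; const char *userpassword; };

/* Constructed toy directory: one backend suffix, one real user and its
 * compat view. The compat entry has no userPassword, as in the thread. */
static const char *SUFFIX = "dc=example,dc=com";
static const struct entry ENTRIES[] = {
    { "uid=alice,cn=users,cn=accounts,dc=example,dc=com", "s3cret" },
    { "uid=alice,cn=users,cn=compat,dc=example,dc=com",   NULL },
};

/* Stand-in for get_basedn(): the suffix containing dn, or NULL when dn is
 * under no suffix at all (cn=Directory Manager is the thread's case). */
static const char *basedn_for(const char *dn)
{
    size_t dl = strlen(dn), sl = strlen(SUFFIX);
    if (dl < sl || strcasecmp(dn + dl - sl, SUFFIX) != 0) return NULL;
    if (dl > sl && dn[dl - sl - 1] != ',') return NULL;
    return SUFFIX;
}

/* Stand-in for find(): treats a NULL base DN as "nothing to search"
 * instead of dereferencing it, which is the crash the thread describes. */
const struct entry *find_entry(const char *dn)
{
    const char *base = basedn_for(dn);
    if (base == NULL) return NULL;
    for (size_t i = 0; i < sizeof ENTRIES / sizeof ENTRIES[0]; i++)
        if (strcasecmp(ENTRIES[i].dn, dn) == 0) return &ENTRIES[i];
    return NULL;
}

struct bind_ctx { char target_dn[256]; const char *password; };

/* Hypothetical compat pre-bind: rewrites ...,cn=compat,... to the real
 * entry, the way schema-compat replaces SLAPI_BIND_TARGET_SDN. */
static int compat_prebind(struct bind_ctx *ctx)
{
    char *p = strstr(ctx->target_dn, ",cn=compat,");
    if (p == NULL) return BIND_PASS_THROUGH;
    char tail[256];
    snprintf(tail, sizeof tail, "%s", p + strlen(",cn=compat,"));
    snprintf(p, sizeof ctx->target_dn - (size_t)(p - ctx->target_dn),
             ",cn=accounts,%s", tail);
    return BIND_PASS_THROUGH;
}

/* Hypothetical password pre-bind: refuses an entry without userPassword,
 * which is what happens when it is handed the compat DN. */
static int pwd_prebind(struct bind_ctx *ctx)
{
    const struct entry *e = find_entry(ctx->target_dn);
    if (e == NULL || e->userpassword == NULL) return BIND_FAIL;
    return strcmp(e->userpassword, ctx->password) == 0 ? BIND_OK : BIND_FAIL;
}

struct plugin { const char *name; int precedence; int (*fn)(struct bind_ctx *); };

/* Runs pre-bind callbacks lowest precedence first; ties keep registration
 * order, so two plugins left at the default 50 run in the order they registered. */
static int run_bind(struct plugin *plugins, size_t n, const char *dn, const char *pw)
{
    for (size_t i = 1; i < n; i++)                       /* stable insertion sort */
        for (size_t j = i; j > 0 && plugins[j].precedence < plugins[j - 1].precedence; j--) {
            struct plugin t = plugins[j]; plugins[j] = plugins[j - 1]; plugins[j - 1] = t;
        }
    struct bind_ctx ctx = { .password = pw };
    snprintf(ctx.target_dn, sizeof ctx.target_dn, "%s", dn);
    for (size_t i = 0; i < n; i++) {
        int rc = plugins[i].fn(&ctx);
        if (rc != BIND_PASS_THROUGH) return rc;
    }
    return BIND_FAIL;                                     /* nobody decided: deny */
}

/* The password plugin registers first; compat_prec is 50 (broken) or 49 (fixed). */
int bind_with_compat_precedence(int compat_prec, const char *dn, const char *pw)
{
    struct plugin chain[] = {
        { "ipa-pwd-extop", 50, pwd_prebind },
        { "schema-compat", compat_prec, compat_prebind },
    };
    return run_bind(chain, 2, dn, pw);
}

int main(void)
{
    const char *compat = "uid=alice,cn=users,cn=compat,dc=example,dc=com";
    printf("compat at 50: %d\n", bind_with_compat_precedence(50, compat, "s3cret"));
    printf("compat at 49: %d\n", bind_with_compat_precedence(49, compat, "s3cret"));
    printf("Directory Manager found: %d\n", find_entry("cn=Directory Manager") != NULL);
    return 0;
}
```

With both plugins at 50 the password plugin runs first, looks up the compat entry, finds no userPassword and fails the bind; with the compat plugin at 49 the target DN has already been rewritten to the cn=accounts entry when the password plugin runs, and the correct password succeeds. find_entry("cn=Directory Manager") returns NULL because no suffix matches, which is the path that must not dereference the base DN.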