On Thu, 2014-02-20 at 09:19 -0500, Nathaniel McCallum wrote:
> On Thu, 2014-02-20 at 14:33 +0200, Alexander Bokovoy wrote:
> > On Thu, 20 Feb 2014, Alexander Bokovoy wrote:
> > >>>>>There is definitely a bug (or more) in ipa-pwd-extop in handling
> > >>>>>authentication cases.
> > >>>>Some progress on this investigation.
> > >>>>
> > >>>>Plugin precedence setting is broken in 389-ds. It is only set once,
> > >>>>before running the init function provided by the plugin, and does not take
> > >>>>into account all callbacks that the init function may register. As a
> > >>>>result, all these functions get classified with the default precedence (50)
> > >>>>and no configuration can change this; we get ipa-pwd-extop's pre-bind
> > >>>>callback called before schemacompat's one, thus working on the compat
> > >>>>entry DN instead of the new one. Since that entry has no userPassword
> > >>>>attribute, the OTP code refuses to accept any password.
> > >>>>
> > >>>>When a user is allowed to use password auth along with OTP, the fact that
> > >>>>there is no userPassword gets the ipa-pwd-extop plugin through the failure.
> > >>>>The schemacompat plugin rewrites the SLAPI_BIND_TARGET_SDN and the rest of
> > >>>>the 389-ds code checks the actual password.
> > >>>>
> > >>>>So we have two issues here: the OTP code needs to gracefully ignore entries
> > >>>>without userPassword set, and we need to be able to re-arrange the
> > >>>>schemacompat and ipa-pwd-extop precedence for the pre-bind operation.
> > >>>>
> > >>>>I've filed a ticket https://fedorahosted.org/389/ticket/47699 to work on
> > >>>>the latter.
> > >>>>
> > >>>>The messages from the log are not yet solved...
> > >>>Finally, I have a clue after tracing with debug level 1:
> > >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'ipa-otp-lasttoken' #3 type 461
> > >>>[19/Feb/2014:22:57:10 +0200] - slapi_search_internal_set_pb: NULL parameter
> > >>>[19/Feb/2014:22:57:10 +0200] - allow_operation: component identity is NULL
> > >>>[19/Feb/2014:22:57:10 +0200] - Calling plugin 'IPA pwd pre ops betxn' #4 type 461
> > >>>
> > >>>So I'd say it is somewhere in ipa-otp-lasttoken. I'll dig more.
> > >>There is an error in libotp's find() function which assumes that
> > >>get_basedn() always returns a non-NULL value. This is not true for at
> > >>least cn=Directory Manager.
> > >>
> > >>Patch attached.
> > >More fixes required, now that Thierry produced the fix for 389-ds ticket
> > >47699 which allows re-arranging the schema-compat and ipa-pwd-extop
> > >plugins. I'm getting a crash in find() in libotp.c for an internal search in
> > >some other conditions, but at least the user DN is now the correct one.
> > >
> > >Stay tuned.
> > OK, finally I've got it working -- my last patch had an error which could
> > be attributed to the late night time.
> >
> > A new patch is attached to fix libotp to work properly with an empty base DN
> > (such as cn=Directory Manager).
> >
> > Also I'm attaching the patch that sets the precedence of the schema-compat
> > plugin to 49 (less than the default 50). With this patch and 389-ds with the
> > patch from ticket 47699, compat tree binds work with OTP.
> >
> > When the updated 389-ds-base is released, we'll need to add a Requires:
> > to our RPM spec to depend on it. Without the updated 389-ds-base, compat
> > tree binds will not work with OTP, but the rest will be working fine.
> >
> > Finally, ACK to all OTP patches.
> ACK to both of these patches.
I've merged the first patch here -- https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html

I just realized the second patch shouldn't be ACK'd until we have a new 389DS release with the fix. When that happens, reissue this patch with an updated versioned Require.

Nathaniel

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel