Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On Thu, 2014-09-18 at 14:27 -0400, Simo Sorce wrote:
> On Thu, 18 Sep 2014 14:22:07 -0400
> Nathaniel McCallum wrote:
>
> > On Thu, 2014-09-18 at 14:18 -0400, Simo Sorce wrote:
> > > On Thu, 18 Sep 2014 13:56:44 -0400
> > > Nathaniel McCallum wrote:
> > >
> > > > -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME
> > > > 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type'
> > > > MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $
> > > > ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY
> > > > (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> > > > +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken
> > > > STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> > > > ipatokenOTPalgorithm $ ipatokenOTPdigits $
> > > > ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $
> > > > ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> > >
> > > NACK, you cannot move from MAY to MUST.
> >
> > This is precisely what we have been discussing on IRC today. The
> > consensus was that this was acceptable because of the update plugin
> > and the rarity of the state in which a token would not have
> > ipatokenTOTPwatermark set (the token has to be created and never used).
>
> Sorry I was not around, but it is never acceptable, as it may cause
> replication failures.
>
> This has been a long (albeit perhaps unspoken) rule in changing schema
> in FreeIPA.
>
> Existing objectclasses can *never* gain new MUST attributes. This rule
> is rigid and is non-negotiable.

I rescind this patch. It is no longer necessary.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On 19.9.2014 17:06, Simo Sorce wrote:
> On Fri, 19 Sep 2014 09:08:46 +0200
> Ludwig Krispenz wrote:
>> On 09/18/2014 08:27 PM, Simo Sorce wrote:
>>> On Thu, 18 Sep 2014 14:22:07 -0400
>>> Nathaniel McCallum wrote:
>>>> On Thu, 2014-09-18 at 14:18 -0400, Simo Sorce wrote:
>>>>> On Thu, 18 Sep 2014 13:56:44 -0400
>>>>> Nathaniel McCallum wrote:
>>>>>> snip
>>>>> NACK, you cannot move from MAY to MUST.
>>>> This is precisely what we have been discussing on IRC today. The
>>>> consensus was that this was acceptable because of the update plugin
>>>> and the rarity of the state in which a token would not have
>>>> ipatokenTOTPwatermark set (the token has to be created and never used).
>>> Sorry I was not around, but it is never acceptable, as it may cause
>>> replication failures.
>> I agree that this shouldn't be done, although replication should not
>> be a problem, the consumer relies on the schema checking of the
>> server where the operation was originally applied.
>> But problems may show up for existing entries, if you have an entry
>> without attr A, which now becomes MUST and then do any modification
>> on this entry, after the mod the entry will be schema checked, the
>> missing attribute detected and the mod rejected
>>> This has been a long (albeit perhaps unspoken) rule in changing
>>> schema in FreeIPA.
>> if you want to define the rules for schema change somewhere, you
>> should add this as well: never make a multivalued attribute
>> singlevalued
> Ok I added this new page: http://www.freeipa.org/page/Schema_Handling

Thanks for the page, very helpful.

> I would like to add a link to it in
> http://www.freeipa.org/page/Contribute/Code if I get a review and an
> ack for the page.
>>> Existing objectclasses can *never* gain new MUST attributes. This
>>> rule is rigid and is non-negotiable.
>> If you want to ensure that every entry has a specific attribute, but
>> cannot enforce this by the schema, an option would be to define a CoS
>> rule for this attr which defines a default and gives the real attr
>> precedence
> Yeah this is a good idea, should we add a section in that page with
> advice on how to handle situations where you'd like to change an
> objectclass/attribute but are not allowed by our rules ?

+1 Would be helpful as well.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On Fri, 19 Sep 2014 09:08:46 +0200
Ludwig Krispenz wrote:

>
> On 09/18/2014 08:27 PM, Simo Sorce wrote:
> > On Thu, 18 Sep 2014 14:22:07 -0400
> > Nathaniel McCallum wrote:
> >
> >> On Thu, 2014-09-18 at 14:18 -0400, Simo Sorce wrote:
> >>> On Thu, 18 Sep 2014 13:56:44 -0400
> >>> Nathaniel McCallum wrote:
> >>>
> >>>> -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME
> >>>> 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type'
> >>>> MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $
> >>>> ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY
> >>>> (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> >>>> +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken
> >>>> STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> >>>> ipatokenOTPalgorithm $ ipatokenOTPdigits $
> >>>> ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $
> >>>> ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> >>> NACK, you cannot move from MAY to MUST.
> >> This is precisely what we have been discussing on IRC today. The
> >> consensus was that this was acceptable because of the update plugin
> >> and the rarity of the state in which a token would not have
> >> ipatokenTOTPwatermark set (the token has to be created and never
> >> used).
> > Sorry I was not around, but it is never acceptable, as it may cause
> > replication failures.
> I agree that this shouldn't be done, although replication should not
> be a problem, the consumer relies on the schema checking of the
> server where the operation was originally applied.
> But problems may show up for existing entries, if you have an
> entry without attr A, which now becomes MUST and then do any
> modification on this entry, after the mod the entry will be schema
> checked, the missing attribute detected and the mod rejected
> >
> > This has been a long (albeit perhaps unspoken) rule in changing
> > schema in FreeIPA.
> if you want to define the rules for schema change somewhere, you
> should add this as well: never make a multivalued attribute
> singlevalued

Ok I added this new page:
http://www.freeipa.org/page/Schema_Handling

I would like to add a link to it in
http://www.freeipa.org/page/Contribute/Code if I get a review and an
ack for the page.

> > Existing objectclasses can *never* gain new MUST attributes. This
> > rule is rigid and is non-negotiable.
>
> If you want to ensure that every entry has a specific attribute, but
> cannot enforce this by the schema, an option would be to define a CoS
> rule for this attr which defines a default and gives the real attr
> precedence

Yeah this is a good idea, should we add a section in that page with
advice on how to handle situations where you'd like to change an
objectclass/attribute but are not allowed by our rules ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On 09/18/2014 08:27 PM, Simo Sorce wrote:
> On Thu, 18 Sep 2014 14:22:07 -0400
> Nathaniel McCallum wrote:
>
>> On Thu, 2014-09-18 at 14:18 -0400, Simo Sorce wrote:
>>> On Thu, 18 Sep 2014 13:56:44 -0400
>>> Nathaniel McCallum wrote:
>>>
>>>> -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
>>>> SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
>>>> ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
>>>> ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
>>>> +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
>>>> SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
>>>> ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
>>>> ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
>>>
>>> NACK, you cannot move from MAY to MUST.
>>
>> This is precisely what we have been discussing on IRC today. The
>> consensus was that this was acceptable because of the update plugin
>> and the rarity of the state in which a token would not have
>> ipatokenTOTPwatermark set (the token has to be created and never used).
>
> Sorry I was not around, but it is never acceptable, as it may cause
> replication failures.
I agree that this shouldn't be done, although replication should not be
a problem, the consumer relies on the schema checking of the server
where the operation was originally applied.
But problems may show up for existing entries, if you have an entry
without attr A, which now becomes MUST and then do any modification on
this entry, after the mod the entry will be schema checked, the missing
attribute detected and the mod rejected
>
> This has been a long (albeit perhaps unspoken) rule in changing schema
> in FreeIPA.
if you want to define the rules for schema change somewhere, you should
add this as well: never make a multivalued attribute singlevalued
>
> Existing objectclasses can *never* gain new MUST attributes. This rule
> is rigid and is non-negotiable.
If you want to ensure that every entry has a specific attribute, but
cannot enforce this by the schema, an option would be to define a CoS
rule for this attr which defines a default and gives the real attr
precedence
>
> Sorry.
>
> Simo.
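The failure mode Ludwig describes above (an entry that predates a MAY-to-MUST change is rejected on its next modification, even when that modification never touches the new MUST attribute) and the two mitigations the thread mentions (an update pass that fills in a default on existing entries, and a CoS-style default that yields to a real value) can be shown with a small model of the schema check. This is an added example, not FreeIPA or 389-ds code: it models only the MUST check of a single objectclass (no SUP inheritance, no check of disallowed attributes), uses the attribute names from the patch, and the two token entries are constructed.

```python
"""
Toy model of LDAP objectclass MUST checking, showing why promoting an
attribute from MAY to MUST breaks entries created before the change.

Added example (not FreeIPA/389-ds code). Models only the MUST check of
one objectclass; attribute names come from the patch, entries are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: frozenset
    may: frozenset


# Schema before the patch: the watermark is optional (MAY).
TOTP_BEFORE = ObjectClass(
    "ipatokenTOTP",
    must=frozenset({"ipatokenOTPkey", "ipatokenOTPalgorithm", "ipatokenOTPdigits",
                    "ipatokenTOTPclockOffset", "ipatokenTOTPtimeStep"}),
    may=frozenset({"ipatokenTOTPwatermark"}),
)
# Schema after the patch: the same objectclass with the watermark in MUST.
TOTP_AFTER = ObjectClass(
    "ipatokenTOTP",
    must=TOTP_BEFORE.must | {"ipatokenTOTPwatermark"},
    may=frozenset(),
)

# Constructed sample entries (no real key material).
NEVER_USED = {
    "ipatokenUniqueID": "token-created-never-used",
    "ipatokenOTPkey": "<key omitted>",
    "ipatokenOTPalgorithm": "sha1",
    "ipatokenOTPdigits": 6,
    "ipatokenTOTPclockOffset": 0,
    "ipatokenTOTPtimeStep": 30,
    # no ipatokenTOTPwatermark: the token was created but never authenticated with
}
USED = {**NEVER_USED, "ipatokenUniqueID": "token-used",
        "ipatokenTOTPwatermark": 1234567}  # last accepted step (constructed value)


def _has(entry, attr):
    """LDAP attribute names are case-insensitive, so compare lower-cased."""
    return any(k.lower() == attr.lower() for k in entry)


def missing_must(entry, oc):
    """Names of MUST attributes of `oc` that `entry` lacks (empty list = passes)."""
    return sorted(a for a in oc.must if not _has(entry, a))


def modify(entry, changes, oc):
    """Apply a modification as a directory server does: the whole resulting
    entry is schema-checked, so an entry that predates a MAY->MUST change
    fails on its next write even if the write never touches that attribute."""
    result = {**entry, **changes}
    missing = missing_must(result, oc)
    if missing:
        raise ValueError("objectClass violation, missing MUST: " + ", ".join(missing))
    return result


def modify_is_rejected(entry, changes, oc):
    """True when the server would refuse the modification."""
    try:
        modify(entry, changes, oc)
    except ValueError:
        return True
    return False


def fill_default(entries, attr, default):
    """Update-plugin style pass: add attr=default only where it is absent,
    never overwriting the value a used token already carries."""
    return [e if _has(e, attr) else {**e, attr: default} for e in entries]


def cos_resolve(entry, attr, default):
    """CoS-style default: the schema keeps the attribute optional, and a
    real value stored on the entry takes precedence over the class default."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return default


if __name__ == "__main__":
    edit = {"description": "renamed"}
    print("before patch, modify of never-used token accepted:",
          not modify_is_rejected(NEVER_USED, edit, TOTP_BEFORE))
    print("after patch, the same modify is rejected:",
          modify_is_rejected(NEVER_USED, edit, TOTP_AFTER))
    fixed = fill_default([NEVER_USED, USED], "ipatokenTOTPwatermark", 0)
    print("after the update pass every entry passes the MUST check:",
          all(not missing_must(e, TOTP_AFTER) for e in fixed))
    print("CoS default seen for the never-used token:",
          cos_resolve(NEVER_USED, "ipatokenTOTPwatermark", 0))
```

The update pass closes the gap only for entries the pass has already visited; a CoS default needs no schema change at all and covers every entry the moment it is defined, which is why it fits the "rules say no" case the thread discusses.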
Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On Thu, 18 Sep 2014 14:22:07 -0400
Nathaniel McCallum wrote:

> On Thu, 2014-09-18 at 14:18 -0400, Simo Sorce wrote:
> > On Thu, 18 Sep 2014 13:56:44 -0400
> > Nathaniel McCallum wrote:
> >
> > > -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME
> > > 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type'
> > > MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $
> > > ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY
> > > (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> > > +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken
> > > STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> > > ipatokenOTPalgorithm $ ipatokenOTPdigits $
> > > ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $
> > > ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> >
> > NACK, you cannot move from MAY to MUST.
>
> This is precisely what we have been discussing on IRC today. The
> consensus was that this was acceptable because of the update plugin
> and the rarity of the state in which a token would not have
> ipatokenTOTPwatermark set (the token has to be created and never used).

Sorry I was not around, but it is never acceptable, as it may cause
replication failures.

This has been a long (albeit perhaps unspoken) rule in changing schema
in FreeIPA.

Existing objectclasses can *never* gain new MUST attributes. This rule
is rigid and is non-negotiable.

Sorry.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On Thu, 2014-09-18 at 14:18 -0400, Simo Sorce wrote:
> On Thu, 18 Sep 2014 13:56:44 -0400
> Nathaniel McCallum wrote:
>
> > -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
> > SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> > ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
> > ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> > +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
> > SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> > ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
> > ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
>
> NACK, you cannot move from MAY to MUST.

This is precisely what we have been discussing on IRC today. The
consensus was that this was acceptable because of the update plugin and
the rarity of the state in which a token would not have
ipatokenTOTPwatermark set (the token has to be created and never used).

Nathaniel
Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On Thu, 18 Sep 2014 13:56:44 -0400
Nathaniel McCallum wrote:

> -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
> SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
> ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
> SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
> ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')

NACK, you cannot move from MAY to MUST.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
On Thu, 2014-09-18 at 13:56 -0400, Nathaniel McCallum wrote:
> This makes ipatokenTOTPwatermark have exactly the same semantics as
> ipatokenHOTPcounter.
>
> NOTE: This patch includes an update plugin which will update existing
> token objects. This should be low impact since it only updates TOTP
> tokens which have never been used. TOTP tokens which have already been
> used should already have ipatokenTOTPwatermark set.

FYI, this patch is now a prerequisite of my patch 0062.
[Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
This makes ipatokenTOTPwatermark have exactly the same semantics as ipatokenHOTPcounter.

NOTE: This patch includes an update plugin which will update existing token objects. This should be low impact since it only updates TOTP tokens which have never been used. TOTP tokens which have already been used should already have ipatokenTOTPwatermark set.

From 30581e26faaebbc2fad3c1d80303f0a6ce3ad8cf Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Thu, 18 Sep 2014 13:45:46 -0400
Subject: [PATCH] Make ipatokenTOTPwatermark a required attribute

This makes ipatokenTOTPwatermark have exactly the same semantics as ipatokenHOTPcounter.
---
 install/share/70ipaotp.ldif| 2 +-
 ipalib/plugins/otptoken.py | 10 -
 ipaserver/install/plugins/Makefile.am | 1 +
 ipaserver/install/plugins/update_totp_otptokens.py | 49 ++
 4 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 ipaserver/install/plugins/update_totp_otptokens.py

diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif
index bc95556682ef65ba375aa2f3cab6f53621641b3f..b35ddc7796559df4588d8d140f01ef049ec12bd2 100644
--- a/install/share/70ipaotp.ldif
+++ b/install/share/70ipaotp.ldif
@@ -25,7 +25,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' D attributeTypes: (2.16.840.1.113730.3.8.16.1.21 NAME 'ipatokenHOTPcounter' DESC 'HOTP counter' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.22 NAME 'ipatokenTOTPwatermark' DESC 'TOTP watermark' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ managedBy $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP') -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP') +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MAY (ipatokenRadiusConfigLink $ ipatokenRadiusUserName) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.5 NAME 'ipatokenHOTP' SUP ipaToken STRUCTURAL DESC 'HOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ 
ipatokenOTPdigits $ ipatokenHOTPcounter) X-ORIGIN 'IPA OTP') diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 1bd85d4b952dc51ea800ed37c49b3c50aeb31492..37b505d09e49bc7f7a46a3e6cc69beeceff8e5c4 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -62,7 +62,7 @@ EXAMPLES: register = Registry() TOKEN_TYPES = { -u'totp': ['ipatokentotpclockoffset', 'ipatokentotptimestep'], +u'totp': ['ipatokentotpclockoffset', 'ipatokentotptimestep', 'ipatokentotpwatermark'], u'hotp': ['ipatokenhotpcounter'] } @@ -237,6 +237,14 @@ class otptoken(LDAPObject): minvalue=0, flags=('no_update'), ), +Int('ipatokentotpwatermark', +cli_name='counter', +label=_('Counter'), +default=0, +autofill=True, +minvalue=0, +flags=('no_output', 'no_option'), +), ) diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index 7cf0495131b2108ee78a79758cee42ec344652c7..afc78c4241d7e35664f1c1feba6e1c3c21dd45d0 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -9,6 +9,7 @@ app_PYTHON = \ dns.py \ updateclient.py \ update_services.py \ + update_totp_otptokens.py \ update_anonymous_aci.py \ update_pacs.py \ ca_renewal_master.py \ diff --git a/ipaserver/install/plugins/update_totp_otptokens.py b/ipaserver/install/plugins/update_totp_otptokens.py new file mode 100644 index ..eeb9d55fd1a4ade25366de1e2afb7f2fb69f644f --- /dev/null +++ b/ipaserver/install/plugins/update_totp_otptokens.py @@ -0,0 +1,49 @@ +# Auth
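Review bot: the `-`/`+` pair on objectClass 2.16.840.1.113730.3.8.16.2.2 (NAME 'ipatokenTOTP') in the 70ipaotp.ldif hunk moves ipatokenTOTPwatermark from the MAY list into MUST on an objectclass that is already deployed. An existing ipatokenTOTP entry that was created but never used carries no watermark, and once this schema is loaded the next modification of that entry is rejected by schema checking for a missing MUST attribute, whatever the modification touches; the update plugin shrinks that window but cannot guarantee it is closed on every server before the schema change arrives. Keep the attribute in MAY and make its presence a framework guarantee (the autofill default in otptoken.py plus the update pass), or define a CoS default for it, as the thread suggests.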
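Review bot: in the `@@ -237,6 +237,14 @@` hunk of otptoken.py the new `+Int('ipatokentotpwatermark', ...)` is labelled `_('Counter')` with `cli_name='counter'` although the attribute is the TOTP watermark; the `('no_output', 'no_option')` flags keep it out of the CLI today, but a name matching the attribute ('watermark') avoids an ambiguous label if those flags are ever relaxed. `default=0, autofill=True` guarantees the value on newly created tokens only, so the parameter's doc or the commit message should state that existing entries depend on the update plugin. Adjacent but untouched by this patch: the context line `flags=('no_update'),` passes a bare string rather than a one-element tuple; worth confirming Param accepts that, or changing it to `('no_update',)` in a follow-up.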
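Review bot: the new file ipaserver/install/plugins/update_totp_otptokens.py is cut off here after `+# Auth`, so the 49-line plugin the diffstat announces cannot be reviewed from this excerpt; please repost the full file. Given the commit message ("only updates TOTP tokens which have never been used") and the `default=0` on the new parameter, the plugin should select only ipatokenTOTP entries lacking ipatokenTOTPwatermark and add that same default, never replacing a watermark a used token already has, since that value records the last step the server accepted for the token.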