55d5f91 User must not be able to delete his last active otp token

1 file. Authored by frenaud 6 years ago, committed by cheimes 6 years ago.
    User must not be able to delete his last active otp token
    
    The 389-ds plugin for OTP last token is performing data initialization
    in its ipa_otp_lasttoken_init method, which is wrong according to
    the Plug-in Guide:
    > For example, the init function should not attempt to perform an
    > internal search or other internal operation, because the all of
    > the subsystems are not up and running during the init phase.
    
    This init method fills a structure containing the configuration of
    allowed authentication types. As the method is called too early, the
    method does not find any suffix and leaves the structure empty.
    Subsequent calls find an empty structure and take the default values
    (for authentication methods, the default is 1 = password).
    
    Because of that, the code considers that the global configuration defines
    the password authentication method, and in this case it is allowed to
    delete a user's last otp token.
    
    The fix implements a SLAPI_PLUGIN_START_FN method that will be called
    when 389-ds is ready to initialize the plugin data, ensuring that the
    structure is properly initialized.
    
    Fixes:
    https://pagure.io/freeipa/issue/7012
    
    Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
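
The ordering problem the commit message describes, as an added example that is not part of the commit and is not FreeIPA or 389-ds code: a small constructed model in which `init` runs before the backends are up, so a lookup done there leaves the structure empty and the check falls back to the password default. All names, the value chosen for `AUTH_OTP`, and the rule that deletion is refused whenever OTP is in the loaded configuration are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the ordering bug; not FreeIPA or 389-ds code. */
enum { AUTH_UNSET = 0, AUTH_PASSWORD = 1, AUTH_OTP = 2 /* value assumed */ };

typedef struct { bool backends_up; unsigned configured; } server_t;
typedef struct plugin plugin_t;
struct plugin { unsigned authtypes; void (*start_fn)(const server_t *, plugin_t *); };

/* Stand-in for the internal search: no suffix is visible before startup. */
static void load_config(const server_t *s, plugin_t *p)
{
    if (s->backends_up) p->authtypes = s->configured;
}

/* Before the fix: init performs the search itself, too early. */
static void init_buggy(const server_t *s, plugin_t *p) { load_config(s, p); }

/* After the fix: init only registers a start callback. */
static void init_fixed(const server_t *s, plugin_t *p)
{
    (void)s;
    p->start_fn = load_config;
}

/* An empty structure falls back to the default, 1 = password. */
static bool may_delete_last_token(const plugin_t *p)
{
    unsigned t = p->authtypes ? p->authtypes : AUTH_PASSWORD;
    return (t & AUTH_OTP) == 0;
}

/* Run init, bring the server up, run start, then ask the question. */
static bool lifecycle(void (*init)(const server_t *, plugin_t *), unsigned cfg)
{
    server_t s = { false, cfg };
    plugin_t p = { AUTH_UNSET, NULL };
    init(&s, &p);                 /* init phase: subsystems not running */
    s.backends_up = true;         /* server is now ready */
    if (p.start_fn) p.start_fn(&s, &p);   /* start phase */
    return may_delete_last_token(&p);
}

int main(void)
{
    printf("OTP configured, delete last token allowed: buggy=%d fixed=%d\n",
           lifecycle(init_buggy, AUTH_OTP), lifecycle(init_fixed, AUTH_OTP));
    return 0;
}
```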