e477130 Fix login password expiration detection with OTP

2 files changed. Authored by npmccallum 9 years ago, committed by pvoborni 9 years ago.
    Fix login password expiration detection with OTP
    
    The preexisting code would execute two steps. First, it would perform a kinit.
    If the kinit failed, it would attempt to bind using the same credentials to
    determine if the password were expired. While this method is fairly ugly, it
    mostly worked in the past.
    
    However, with OTP this breaks. This is because the OTP code is consumed by
    the kinit step. But because the password is expired, the kinit step fails.
    When the bind is executed, the OTP token is already consumed, so bind fails.
    This causes all password expirations to be reported as invalid credentials.
    
    After discussion with MIT, the best way to handle this case with the standard
    tools is to set LC_ALL=C and check the output from the command. This
    eliminates the bind step altogether. The end result is that OTP works and
    all password failures are more performant.
    
    https://fedorahosted.org/freeipa/ticket/4412
    
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
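As an added illustration of the approach the commit message describes (this is example code written for this page, not the FreeIPA patch itself), the block below runs `kinit` with `LC_ALL=C` so its diagnostics are the untranslated English strings, and classifies the outcome from the return code and stderr instead of falling back to an LDAP bind. The marker substrings are assumed to be MIT krb5's English error messages; the `kinit` invocation (password fed on stdin, credential cache chosen with `-c`) is likewise an assumption about the tool's behaviour. The classifier is separated from the subprocess call so it can be exercised on captured stderr text without a KDC.

```python
import os
import subprocess

# Assumed MIT krb5 error substrings (English, hence the LC_ALL=C requirement).
# Expired password: the KDC answered KRB5KDC_ERR_KEY_EXP.
EXPIRED_MARKERS = ("Password has expired",)
# Wrong password / unknown principal: genuinely invalid credentials.
INVALID_MARKERS = (
    "Preauthentication failed",
    "Password incorrect",
    "Decrypt integrity check failed",
    "Client not found in Kerberos database",
)


def classify_kinit_result(returncode: int, stderr: str) -> str:
    """Map a kinit exit status and its stderr text to one of:
    'ok', 'expired', 'invalid' or 'unknown'.

    Classification is done on the kinit output alone, so an OTP value that was
    consumed by the kinit attempt never has to be reused for a second check.
    """
    if returncode == 0:
        return "ok"
    if any(marker in stderr for marker in EXPIRED_MARKERS):
        return "expired"
    if any(marker in stderr for marker in INVALID_MARKERS):
        return "invalid"
    # Anything else (KDC unreachable, clock skew, ...) is reported as unknown
    # rather than being lumped in with bad credentials.
    return "unknown"


def kinit_password(principal: str, password: str, ccache: str) -> str:
    """Run kinit once and classify the outcome.

    LC_ALL=C forces untranslated messages so the substring checks above are
    locale independent. The password (or password+OTP) is written to kinit's
    stdin exactly once; no second authentication attempt is ever made.
    """
    env = dict(os.environ, LC_ALL="C")
    proc = subprocess.run(
        ["kinit", "-c", ccache, principal],
        input=password + "\n",
        capture_output=True,
        text=True,
        env=env,
        check=False,
    )
    return classify_kinit_result(proc.returncode, proc.stderr)


if __name__ == "__main__":
    # Constructed stderr samples, shaped like MIT kinit's English output, so
    # the classifier can be demonstrated without a KDC.
    samples = [
        (1, "kinit: Password has expired while getting initial credentials\n"),
        (1, "kinit: Password incorrect while getting initial credentials\n"),
        (1, "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while getting initial credentials\n"),
        (0, ""),
    ]
    for rc, err in samples:
        print(f"rc={rc} -> {classify_kinit_result(rc, err)}")
```

The important design point is that `classify_kinit_result` never needs the credentials again: a one-time password that was spent on the `kinit` attempt cannot be replayed into a bind, so the only reliable signal left is the KDC's own answer as rendered by `kinit`. Pinning the locale is what makes string matching on that answer safe across systems.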