To prevent replay attacks against a single server in the OTP case, the user entry should be "virtually locked" between the beginning of the authentication request and the moment the counts and HWM are updated, to prevent parallel modification of these fields for the tokens assigned to the user.
This is a part of the OTP feature.
IMO, this is a duplicate of #4441.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=919228 (Red Hat Enterprise Linux 7)
https://www.redhat.com/archives/freeipa-devel/2014-August/msg00192.html
The fix for this is now split across two patches:
http://www.redhat.com/archives/freeipa-devel/2014-September/msg00425.html
http://www.redhat.com/archives/freeipa-devel/2014-September/msg00423.html
Patch 0068 pushed:
master:
ipa-4-1:
Metadata Update from @dpal:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.1