Use case:
- Log into the UI as admin - Create a user with a password and give him a HOTP token. - Make OTP authentication required for him - Logout - In the UI instead of logging select token sync - Fill in user, password and two token codes, click Sync OTP
Expected result: user is prompted to change his password
Actual: authentication fails
I can confirm this. I spent a few hours debugging it, but I did not find the problem yet.
Found issue which prevented the sync from happening on master, patch is on the list. But if the issue happened on any other release/branch than master, then there was probably a different cause which might have been fixed by recent ipaldap refactoring.
In any case what is the expected result?
On master, the sync is successful even if the password is expired therefore the user is not prompted to change the pw. He is prompted when he tries to login, though. After the reset he can login.
Additional testing shows that my patch fixes only the regression but not the original issue.
The sync fails for me if the token is brand new. Subsequent sync call is successful. No idea what's going on (I did not inspect the ds plugin).
Behavior which I saw:
If I try to login with brand new HOTP token, I see similar issue. First login always fails, ipatokenHOTPcounter stays 0. Second login is correctly presented with password expired error and ipatokenHOTPcounter is changed to 1. If I don't reset the PW and go to token sync instead, the sync call is successful (ipatokenHOTPcounter changes to 3).
test patch sync.patch
I think the attached patch might work. But I ran out of time to test it today. I'll confirm this tomorrow.
My comments above were intended for bug #4990 but were posted here by mistake.
I'm not seeing any problem with this bug. After fixing #4990, synchronization always works for me.
We discussed this scenario with Nathaniel. We decided that the best would be to open a doc bug that will explain the expected behavior which is: if you have an expired password you still can sync your token using old password and you will be not prompted to do the password change during sync. But when the sync is done and you try to login the system will detect that your password expired and will prompt you for the change. Once the doc bug is opened we can close this ticket.
https://bugzilla.redhat.com/show_bug.cgi?id=1225027
Metadata Update from @dpal: - Issue assigned to npmccallum - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Log in to comment on this ticket.