168a6c7 Ensure that ipa-otpd bind auths validate an OTP

3 files Authored by npmccallum 7 years ago, Committed by mbasti 7 years ago,
    Ensure that ipa-otpd bind auths validate an OTP
    
    Before this patch, if the user was configured for either OTP or password
    it was possible to do a 1FA authentication through ipa-otpd. Because this
    correctly respected the configuration, it is not a security error.
    
    However, once we begin to insert authentication indicators into the
    Kerberos tickets, we cannot allow 1FA authentications through this
    code path. Otherwise the ticket would contain a 2FA indicator when
    only 1FA was actually performed.
    
    To solve this problem, we have ipa-otpd send a critical control during
    the bind operation which informs the LDAP server that it *MUST* validate
    an OTP token for authentication to be successful. Next, we implement
    support for this control in the ipa-pwd-extop plugin. The end result is
    that the bind operation will always fail if the control is present and
    no OTP is validated.
    
    https://fedorahosted.org/freeipa/ticket/433
    
    Reviewed-By: Sumit Bose <sbose@redhat.com>
    
        
file modified
+4 -1