#4991 OTP sync and password change at the same time do not work
Closed: Fixed. Opened 9 years ago by dpal.

Use case:

- Log into the UI as admin
- Create a user with a password and give him a HOTP token. 
- Make OTP authentication required for him
- Logout
- In the UI, instead of logging in, select token sync
- Fill in user, password and two token codes, click Sync OTP

Expected result: user is prompted to change his password

Actual: authentication fails


I can confirm this. I spent a few hours debugging it, but I did not find the problem yet.

Found an issue which prevented the sync from happening on master; the patch is on the list. But if the issue happened on any other release/branch than master, then there was probably a different cause, which might have been fixed by the recent ipaldap refactoring.

In any case what is the expected result?

On master, the sync is successful even if the password is expired; therefore the user is not prompted to change the pw. He is prompted when he tries to log in, though. After the reset he can log in.

Additional testing shows that my patch fixes only the regression but not the original issue.

The sync fails for me if the token is brand new. Subsequent sync call is successful. No idea what's going on (I did not inspect the ds plugin).

Behavior which I saw:

  • after the first call nothing changes in either the user entry or the token entry; ipatokenHOTPcounter is 0
  • after the second (successful) call the user entry has the krbLastSuccessfulAuth attr set and the token entry has ipatokenHOTPcounter set to 3
  • the third call (success) sets ipatokenHOTPcounter to 5

If I try to log in with a brand new HOTP token, I see a similar issue. The first login always fails; ipatokenHOTPcounter stays 0. The second login is correctly presented with the password expired error and ipatokenHOTPcounter is changed to 1. If I don't reset the PW and go to token sync instead, the sync call is successful (ipatokenHOTPcounter changes to 3).

I think the attached patch might work. But I ran out of time to test it today. I'll confirm this tomorrow.

My comments above were intended for bug #4990 but were posted here by mistake.

I'm not seeing any problem with this bug. After fixing #4990, synchronization always works for me.

We discussed this scenario with Nathaniel. We decided that the best would be to open a doc bug that will explain the expected behavior, which is: if you have an expired password you can still sync your token using the old password, and you will not be prompted to do the password change during sync. But when the sync is done and you try to log in, the system will detect that your password expired and will prompt you for the change. Once the doc bug is opened we can close this ticket.
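The counter values reported above (0, then 3, then 5 after two syncs; 1 after a single login) and the expected behavior agreed in the last comment follow directly from how an RFC 4226 HOTP resynchronization works: the server searches forward from the stored counter for a counter `c` whose code matches the first value and whose successor `c+1` matches the second, then stores `c+2`. The following is an added example, not code from FreeIPA's DS plugin or from anyone in this thread; the `User`/`Token` classes, the `sync_token` and `login` functions, the window sizes, and the sample secret (the RFC 4226 Appendix D test key) are all constructed for illustration. It models the behavior described in the thread: sync accepts an expired password and does not raise the expiry error, while a normal login consumes the code first and then reports the expired password.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed sample input: the RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Token:
    secret: bytes
    counter: int = 0  # analogue of ipatokenHOTPcounter: the next counter the server will accept


@dataclass
class User:
    password: str  # hypothetical plaintext comparison; a real directory stores a hash
    password_expired: bool
    token: Token


class PasswordExpired(Exception):
    pass


def sync_token(user: User, password: str, code1: str, code2: str, window: int = 25) -> bool:
    """Resynchronise a token from two consecutive codes.

    Authenticates with the (possibly expired) password but deliberately does not check
    expiry, matching the expected behaviour agreed in the thread. Searches only forward
    from the stored counter, so already-consumed codes cannot be replayed.
    """
    if not hmac.compare_digest(password, user.password):
        return False
    tok = user.token
    for c in range(tok.counter, tok.counter + window):
        if (hmac.compare_digest(hotp(tok.secret, c), code1)
                and hmac.compare_digest(hotp(tok.secret, c + 1), code2)):
            tok.counter = c + 2  # past both consumed codes
            return True
    return False


def login(user: User, password: str, code: str, window: int = 5) -> bool:
    """Normal login: password plus one HOTP code. The code is consumed (counter advanced)
    before the expiry check, as the counter-goes-to-1 observation in the thread shows."""
    if not hmac.compare_digest(password, user.password):
        return False
    tok = user.token
    for c in range(tok.counter, tok.counter + window):
        if hmac.compare_digest(hotp(tok.secret, c), code):
            tok.counter = c + 1
            if user.password_expired:
                raise PasswordExpired("password expired; change it before continuing")
            return True
    return False


def demo():
    """Replay the thread's scenario; returns the outcome and counter after each step."""
    user = User(password="Secret123", password_expired=True, token=Token(RFC4226_SECRET))
    trace = []
    # Login with a brand-new token: code 0 is consumed, then the expiry error is raised.
    try:
        login(user, "Secret123", hotp(RFC4226_SECRET, 0))
    except PasswordExpired:
        trace.append(("login", "expired", user.token.counter))
    # Sync with the next two consecutive codes using the expired password: counter -> 3.
    ok = sync_token(user, "Secret123", hotp(RFC4226_SECRET, 1), hotp(RFC4226_SECRET, 2))
    trace.append(("sync", ok, user.token.counter))
    # Another sync with the following pair: counter -> 5.
    ok = sync_token(user, "Secret123", hotp(RFC4226_SECRET, 3), hotp(RFC4226_SECRET, 4))
    trace.append(("sync", ok, user.token.counter))
    # Replaying the pair just consumed must fail and leave the counter untouched.
    replay = sync_token(user, "Secret123", hotp(RFC4226_SECRET, 3), hotp(RFC4226_SECRET, 4))
    trace.append(("replay", replay, user.token.counter))
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The forward-only window search is the check that matters: if the sync were allowed to match codes below the stored counter, an attacker who captured an earlier pair of codes could resynchronise the token backwards and replay them.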

Metadata Update from @dpal:
- Issue assigned to npmccallum
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

