author | Nathaniel McCallum <npmccallum@redhat.com> | 2014-11-11 14:41:42 -0500 |
committer | Petr Vobornik <pvoborni@redhat.com> | 2014-12-05 13:42:19 +0100 |
commit | 9baa93da1cbf56c2a6f7e82e099bc3ff3f19e2e4 (patch) | |
tree | 84108cff4ba380a6842ef3fe3f189b5c3f963135 /daemons/ipa-slapi-plugins/ipa-pwd-extop | |
parent | bea417828d61777015785c716c4225bb48dcf037 (diff) | |
Make token auth and sync windows configurable
This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 77 | ||||
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c | 4 |
2 files changed, 26 insertions, 55 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 96c55f39b..84eff1701 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -68,8 +68,6 @@
 #define IPAPWD_OP_ADD 1
 #define IPAPWD_OP_MOD 2
 
-#define OTP_VALIDATE_STEPS 3
-
 extern Slapi_PluginDesc ipapwd_plugin_desc;
 extern void *ipapwd_plugin_id;
 extern const char *ipa_realm_tree;
@@ -1113,8 +1111,8 @@ done:
 }
 
 /*
- * Authenticates creds against OTP tokens. Returns true when authentication
- * completed successfully against a token OR when a user has no active tokens.
+ * This function handles the bind functionality for OTP. The return value
+ * indicates if the OTP portion of authentication was successful.
  *
  * WARNING: This function DOES NOT authenticate the first factor. Only the OTP
  * code is validated! You still need to validate the first factor.
@@ -1123,53 +1121,6 @@ done:
  * value at the end. This leaves only the password in creds for later
  * validation.
  */
-static bool ipapwd_do_otp_auth(const char *dn, Slapi_Entry *bind_entry,
-                               struct berval *creds)
-{
-    struct otp_token **tokens = NULL;
-    bool success = false;
-
-    /* Find all of the user's active tokens. */
-    tokens = otp_token_find(otp_config, dn, NULL, true, NULL);
-    if (tokens == NULL) {
-        slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
-                        "%s: can't find tokens for '%s'.\n", __func__, dn);
-        return false;
-    }
-
-    /* If the user has no active tokens, succeed. */
-    success = tokens[0] == NULL;
-
-    /* Loop through each token. */
-    for (int i = 0; tokens[i] && !success; i++) {
-        /* Attempt authentication. */
-        success = otp_token_validate_berval(tokens[i], OTP_VALIDATE_STEPS,
-                                            creds, true);
-
-        /* Truncate the password to remove the OTP code at the end. */
-        if (success) {
-            creds->bv_len -= otp_token_get_digits(tokens[i]);
-            creds->bv_val[creds->bv_len] = '\0';
-        }
-
-        slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
-                        "%s: token authentication %s "
-                        "(user: '%s', token: '%s\').\n", __func__,
-                        success ? "succeeded" : "failed", dn,
-                        slapi_sdn_get_ndn(otp_token_get_sdn(tokens[i])));
-    }
-
-    otp_token_free_array(tokens);
-    return success;
-}
-
-/*
- * This function handles the bind functionality for OTP. The return value
- * indicates if the OTP portion of authentication was successful.
- *
- * NOTE: This function may modify creds. See explanation in the comment for
- * ipapwd_do_otp_auth() above.
- */
 static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
                                 struct berval *creds)
 {
@@ -1189,10 +1140,32 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
      */
 
     if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) {
+        struct otp_token **tokens = NULL;
+
         LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
                         "Attempting OTP authentication for '%s'.\n", bind_dn);
-        if (ipapwd_do_otp_auth(bind_dn, entry, creds))
+
+        /* Find all of the user's active tokens. */
+        tokens = otp_token_find(otp_config, bind_dn, NULL, true, NULL);
+        if (tokens == NULL) {
+            slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+                            "%s: can't find tokens for '%s'.\n",
+                            __func__, bind_dn);
+            return false;
+        }
+
+        /* If the user has no active tokens, succeed. */
+        if (tokens[0] == NULL) {
+            otp_token_free_array(tokens);
+            return true;
+        }
+
+        if (otp_token_validate_berval(tokens, creds, NULL)) {
+            otp_token_free_array(tokens);
             return true;
+        }
+
+        otp_token_free_array(tokens);
     }
 
     return auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
index 0aef43802..3a31529f7 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
@@ -40,8 +40,6 @@
 #include "../libotp/otp_token.h"
 #include "syncreq.h"
 
-#define OTP_SYNC_MAX_STEPS 25
-
 bool sync_request_present(Slapi_PBlock *pb)
 {
     LDAPControl **controls = NULL;
@@ -92,7 +90,7 @@ bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb,
     if (ber_scanf(ber, "}") != LBER_ERROR) {
         tokens = otp_token_find(cfg, user_dn, token_dn, true, NULL);
         if (tokens != NULL) {
-            success = otp_token_sync_berval(tokens, OTP_SYNC_MAX_STEPS, first, second);
+            success = otp_token_validate_berval(tokens, first, second);
             otp_token_free_array(tokens);
         }
     }
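Review bot: After `otp_token_validate_berval(tokens, creds, NULL)` the outcome is no longer logged: the removed ipapwd_do_otp_auth wrote a SLAPI_LOG_PLUGIN line per token saying whether authentication succeeded or failed, with the user and token DN, while the inlined code only logs "Attempting OTP authentication", so a rejected OTP leaves no trace at plugin log level. Capture the result and log it, e.g. `bool ok = otp_token_validate_berval(tokens, creds, NULL);` followed by `slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME, "%s: token authentication %s (user: '%s').\n", __func__, ok ? "succeeded" : "failed", bind_dn);` before the free and return. The `return false` after a failed `otp_token_find` also no longer falls through to the `auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD` check the way the old `if (ipapwd_do_otp_auth(...))` did; failing closed is reasonable, but it deserves a comment such as `/* A token lookup error denies the bind even when password auth is also allowed. */`. The truncation that stripped the OTP suffix from creds (`creds->bv_len -= ...`) is gone from this file; presumably the new otp_token_validate_berval does it, since the comment above still promises that only the password is left in creds, but that should be confirmed in libotp. ipapwd_pre_bind_otp's body begins before this hunk.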
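Review bot: The call `success = otp_token_validate_berval(tokens, first, second);` no longer carries an explicit bound where `OTP_SYNC_MAX_STEPS` used to cap the search, and the function name no longer says this path resynchronises the token; presumably the window now comes from `cfg` through the new otpconfig settings and a non-NULL `second` selects sync behaviour, but neither is visible here. A comment at the call site would keep that explicit, e.g. `/* Two codes supplied: validate and resync the token within the configured sync window. */`. sync_request_handle's body begins before this hunk.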