Revert "Don't allow OTP or RADIUS in FIPS mode"
This reverts commit 16a952a0a4.
OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.
https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
a01a24ce5a
commit
d498d7272d
@ -31,7 +31,6 @@ from .baseldap import (
|
|||||||
LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption,
|
LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption,
|
||||||
add_missing_object_class)
|
add_missing_object_class)
|
||||||
from ipaserver.plugins.service import (validate_realm, normalize_principal)
|
from ipaserver.plugins.service import (validate_realm, normalize_principal)
|
||||||
from ipaserver.plugins.config import check_fips_auth_opts
|
|
||||||
from ipalib.request import context
|
from ipalib.request import context
|
||||||
from ipalib import _
|
from ipalib import _
|
||||||
from ipalib.constants import PATTERN_GROUPUSER_NAME
|
from ipalib.constants import PATTERN_GROUPUSER_NAME
|
||||||
@ -481,7 +480,6 @@ class baseuser_add(LDAPCreate):
|
|||||||
**options):
|
**options):
|
||||||
assert isinstance(dn, DN)
|
assert isinstance(dn, DN)
|
||||||
set_krbcanonicalname(entry_attrs)
|
set_krbcanonicalname(entry_attrs)
|
||||||
check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
|
|
||||||
self.obj.convert_usercertificate_pre(entry_attrs)
|
self.obj.convert_usercertificate_pre(entry_attrs)
|
||||||
|
|
||||||
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||||
@ -605,7 +603,6 @@ class baseuser_mod(LDAPUpdate):
|
|||||||
assert isinstance(dn, DN)
|
assert isinstance(dn, DN)
|
||||||
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
|
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
|
||||||
|
|
||||||
check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
|
|
||||||
self.check_namelength(ldap, **options)
|
self.check_namelength(ldap, **options)
|
||||||
|
|
||||||
self.check_mail(entry_attrs)
|
self.check_mail(entry_attrs)
|
||||||
|
@ -85,20 +85,6 @@ EXAMPLES:
|
|||||||
|
|
||||||
register = Registry()
|
register = Registry()
|
||||||
|
|
||||||
|
|
||||||
def check_fips_auth_opts(fips_mode, **options):
|
|
||||||
"""
|
|
||||||
OTP and RADIUS are not allowed in FIPS mode since they use MD5
|
|
||||||
checksums (OTP uses our RADIUS responder daemon ipa-otpd).
|
|
||||||
"""
|
|
||||||
if 'ipauserauthtype' in options and fips_mode:
|
|
||||||
if ('otp' in options['ipauserauthtype'] or
|
|
||||||
'radius' in options['ipauserauthtype']):
|
|
||||||
raise errors.InvocationError(
|
|
||||||
'OTP and RADIUS authentication in FIPS is '
|
|
||||||
'not yet supported')
|
|
||||||
|
|
||||||
|
|
||||||
@register()
|
@register()
|
||||||
class config(LDAPObject):
|
class config(LDAPObject):
|
||||||
"""
|
"""
|
||||||
@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):
|
|||||||
|
|
||||||
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
||||||
assert isinstance(dn, DN)
|
assert isinstance(dn, DN)
|
||||||
check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
|
|
||||||
|
|
||||||
if 'ipadefaultprimarygroup' in entry_attrs:
|
if 'ipadefaultprimarygroup' in entry_attrs:
|
||||||
group=entry_attrs['ipadefaultprimarygroup']
|
group=entry_attrs['ipadefaultprimarygroup']
|
||||||
try:
|
try:
|
||||||
|