mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-27 09:21:59 -06:00
8b6506a5f1
The 389-ds plugin for OTP last token is performing data initialization in its ipa_otp_lasttoken_init method, which is wrong according to the Plug-in Guide: > For example, the init function should not attempt to perform an > internal search or other internal operation, because the all of > the subsystems are not up and running during the init phase. This init method fills a structure containing the configuration of allowed authentication types. As the method is called too early, the method does not find any suffix and leaves the structure empty. Subsequent calls find an empty structure and take the default values (for authentication methods, the default is 1 = password). Because of that, the code consider that the global configuration defines password authentication method, and in this case it is allowed to delete a user's last otp token. The fix implements a SLAPI_PLUGIN_START_FN method that will be called when 389-ds is ready to initialize the plugin data, ensuring that the structure is properly initialized. Fixes: https://pagure.io/freeipa/issue/7012 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com> |
||
|---|---|---|
| .. | ||
| ipa_otp_lasttoken.c | ||
| ipa-otp-lasttoken.sym | ||
| Makefile.am | ||