Bug 1615964
Summary: | Authn/TOTP defined users periodically prompt for just password credentials to access resources [rhel-7.5.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | urgent | Docs Contact: | Filip Hanzelka <fhanzelk> |
Priority: | urgent | ||
Version: | 7.4 | CC: | abokovoy, baiesi, ekeck, fhanzelk, frenaud, grajaiya, ipa-maint, jhrozek, lslebodn, milei, mkosek, mreznik, mzidek, ndehadra, npmccallum, pasik, pbrezina, pvoborni, rcritten, rharwood, sbose, spoore, tscherf, xdong |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.5.4-10.el7_5.4 | Doc Type: | Bug Fix |
Doc Text: |
2FA users are now prompted for both factors when authenticating to Identity Management
Previously, when Identity Management servers were overloaded, users who were supposed to authenticate with two-factor authentication (2FA) consisting of a password and a One-Time Password (OTP) were sometimes only prompted for their password. The bug was caused by the *ipa-otpd* process crashing with a memory violation. With this update, the code handling the queue of elements in *ipa-otpd* has been fixed. As a result, users configured for 2FA are now consistently prompted for two factors when they authenticate.
|
Story Points: | --- |
Clone Of: | 1508498 | Environment: | |
Last Closed: | 2018-09-25 19:07:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1508498 | ||
Bug Blocks: |
Description
Oneata Mircea Teodor
2018-08-14 15:38:08 UTC
Verified.

Version ::
ipa-server-4.5.4-10.el7_5.4.4.x86_64

Results ::

STR job run on simple IPA Master-Replica-Client environment.

Run ID R-4848
Profile Name idm-754-otp-pos1
Run Name idm_bug_check_totp_9_lce-1
Tester spoore
State Complete Complete Group idm
Start Date 2018-09-11 18:12:05
Stop Date 2018-09-12 06:12:05
Test Duration Days:0, Hrs:12, Mins:0, Secs:0
Lab Controller Engine LCE-1-10.8.48.121:8084

I did not see any crash reports related to ipa-otpd during this run. We were seeing crashes very frequently when we ran this test.

[root@qe-blade-10 ~]# abrt-cli list
The Autoreporting feature is disabled. Please consider enabling it by issuing
'abrt-auto-reporting enabled' as a user with root privileges

[root@qe-blade-13 ~]# abrt-cli list
id 3a5892b861886f0c0b22f3d822c9316f945acb44
reason: memmove(): xfs_logprint killed by SIGSEGV
time: Tue 11 Sep 2018 05:30:18 PM EDT
cmdline: xfs_logprint -c /dev/mapper/rhel_qe--blade--13-root
package: xfsprogs-4.5.0-15.el7
uid: 0 (root)
count: 1
Directory: /var/spool/abrt/ccpp-2018-09-11-17:30:18-16754
Reported: ... https://bugzilla.redhat.com/show_bug.cgi?id=1513365 spoore,
Run 'abrt-cli report /var/spool/abrt/ccpp-2018-09-11-17:30:18-16754' for creating a case in Red Hat Customer Portal

^^^ unrelated to this bug ^^^

The Autoreporting feature is disabled. Please consider enabling it by issuing
'abrt-auto-reporting enabled' as a user with root privileges

Also, I adjusted the tests slightly to no longer throw failures when prompted for ldap password if the password was rejected. As long as the prompt does not then allow login, I left it marked passed to simplify troubleshooting for this bug. All cases of this that I investigated when this occurred were due to locked accounts which could be the result of the negative tests running too frequently.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2760