On Mon, 10 Oct 2022, Salva salva via FreeIPA-users wrote:
Hi,

So we are using freeIPA and it works really well.

We are now in the situation where we would like to use Password+OTP for some 
stuff but not for others.
For example, it's totally fine to use password+OTP when doing sudo but when 
using Nexus authentication against LDAP we would like to not use OTP.
Is this possible?

This question is asked regularly. Please read one of the previous threads:
https://lists.fedorahosted.org/archives/list/[email protected]/thread/QALIGFESAAHL7W57VILBB4NM5ER3VLCI/

One correction to my answer in that thread is that while either password
or password+OTP use in LDAP bind works right now, it is not something we
intended to make work in general. LDAP binds are very limiting, as
there are not many clients that know about and perform multi-stage binds with
the possible message exchanges required to support more complex
authentication methods in FreeIPA. For example, use of external IdP
authentication is not integrated with LDAP binds directly, so if you
switched your users to OAuth authorization, they would not be able to bind
through LDAP directly unless they used Kerberos tickets received from the
OAuth exchange (FreeIPA 4.9.10 or later).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland