On Sat, 25 Jan 2025, Liam Price via FreeIPA-users wrote:
> Hi Alexander, thank you for replying.

> The VPN server binds to LDAP using a service account of sorts, named
> svc_pfsense:
>
> uid=svc_pfsense,cn=users,cn=accounts,dc=domain,dc=com

Ok, this is not a service account, from the IPA point of view. It is a
normal user and is treated correspondingly. All users in IPA have
Kerberos credentials and properties associated with them.

Accounts used by services to access LDAP are typically created for
applications that do not support Kerberos, and are thus differentiated by
not having the LDAP attributes required for Kerberos. For example, system
service accounts.

System service accounts are the accounts which have simpleSecurityObject
objectclass and no Kerberos-related objectclasses. See, for example,
https://www.freeipa.org/page/HowTo/LDAP#system-accounts

> This svc_pfsense account has Authentication Type as "Password" within IPA.
> I did also see the issue (9711) you are referring to, however the bind
> still works after the update, likely as OTP isn't ticked for the
> service account.

After 9711 was fixed, the difference on LDAP binds will only appear if
EnforceLDAPOTP option is set. From the corresponding commit message:

----------------------------------------------------------------------
    OTP use during LDAP bind can be enforced either explicitly via client
    specifying a control with OID 2.16.840.1.113730.3.8.10.7 and no payload
    or implicitly through the global IPA configuration with EnforceLDAPOTP.

    OTP token enforcement overrides IPA user authentication types
    requirements:

    If OTP enforcement is required:

     - if user authentication types still allow password authentication,
       authentication with just a password is denied, regardless whether OTP
       tokens are associated with the user or not.

    If OTP enforcement is not required:

     - if user has no OTP tokens but user authentication types require OTP
       use, authentication with just a password is allowed until a token is
       added.

     - if user has OTP tokens and user authentication types require OTP use
       but not password, authentication with just a password is denied.

    Additionally, enforcement of OTP only applies to LDAP objects which
    don't use 'simpleSecurityObject' objectclass. This allows system service
    accounts to continue to authenticate with a password regardless of the
    OTP enforcement.
----------------------------------------------------------------------

This is enforced for all LDAP DNs which do have the Kerberos-related
objectclass 'krbprincipalaux' in them, e.g. all users and Kerberos
services created by IPA.


> Users on the other hand are all "Two factor authentication (password +
> OTP)", however on 4.12.2-6.el9 CAN currently login to the VPN with and
> without MFA.  Upon updating to ipa-4.12.2-9.el9 we have to add the OTP
> token for all logins for it to work, including the VPN which we
> previously did not.

If you have both 'password' and 'otp' in a user's authentication types,
then switching to EnforceLDAPOTP will force these users to use OTP when
binding to LDAP. In this mode you'd also need to switch your VPN's
system service account to a simpleSecurityObject so that its own bind to
LDAP is not confused with a user (and denied).


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
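The bind rules from the commit message quoted in Alexander's reply, modelled in Python as an added example (this is not code from the thread or from FreeIPA itself). It assumes entries are dicts with lowercase attribute names, that `ipauserauthtype` already holds the effective authentication types, and that the IPA "Two factor authentication (password + OTP)" setting maps to the `otp` type; the sample entries are constructed.

```python
# Added example: which simple binds would be accepted under the rules described
# in the quoted commit message. Not FreeIPA code; entries below are constructed.
OTP_ENFORCE_CONTROL_OID = "2.16.840.1.113730.3.8.10.7"  # from the commit message


def is_system_account(entry):
    """System service accounts use simpleSecurityObject and no Kerberos classes."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "simplesecurityobject" in classes and "krbprincipalaux" not in classes


def otp_enforced(enforce_ldap_otp, request_controls=()):
    """Enforcement comes from the global EnforceLDAPOTP option or the bind control."""
    return enforce_ldap_otp or OTP_ENFORCE_CONTROL_OID in request_controls


def password_only_bind_allowed(entry, has_otp_tokens, enforce_ldap_otp=False,
                               request_controls=()):
    """True if a simple bind carrying only the password would be accepted."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    # Enforcement only touches Kerberos principals (krbPrincipalAux);
    # simpleSecurityObject system accounts are exempt.
    if "simplesecurityobject" in classes or "krbprincipalaux" not in classes:
        return True
    # Assumption: a missing ipaUserAuthType means plain password auth.
    auth_types = {t.lower() for t in entry.get("ipauserauthtype", ["password"])}
    if otp_enforced(enforce_ldap_otp, request_controls):
        return False            # password alone is denied, tokens or not
    if "otp" not in auth_types:
        return True             # this user is not required to use OTP
    if not has_otp_tokens:
        return True             # allowed until a token is added
    return "password" in auth_types  # tokens present: password-only needs 'password'


# Constructed sample entries (illustrative values, not real directory data).
SVC_AS_USER = {          # svc_pfsense created as a regular IPA user
    "dn": "uid=svc_pfsense,cn=users,cn=accounts,dc=domain,dc=com",
    "objectclass": ["person", "krbprincipalaux", "krbticketpolicyaux"],
    "ipauserauthtype": ["password"],
}
SVC_AS_SYSACCOUNT = {    # the same account recreated as a system account
    "dn": "uid=svc_pfsense,cn=sysaccounts,cn=etc,dc=domain,dc=com",
    "objectclass": ["account", "simplesecurityobject"],
}
MFA_USER = {             # user set to "Two factor authentication (password + OTP)"
    "dn": "uid=someuser,cn=users,cn=accounts,dc=domain,dc=com",
    "objectclass": ["person", "krbprincipalaux"],
    "ipauserauthtype": ["otp"],
}
```

With EnforceLDAPOTP set, `SVC_AS_USER` is denied while `SVC_AS_SYSACCOUNT` still binds, which is the reason for moving the VPN bind account to a simpleSecurityObject.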
