On Tue, 04 Feb 2025, Charles Hedrick via FreeIPA-users wrote:
We will have two external radius services, one which uses OTP and one which doesn't. As far as I can tell, IPA uses a radius auth indicator for all radius servers. Is there a way to set up one service to set the OTP indicator or its own unique indicator?
No, there is no such support, sorry. It is currently hardcoded for each of the four supported passwordless authentication types:

- RADIUS auth: 'radius' auth indicator
- internal OTP: 'otp' auth indicator
- External IdP: 'idp' auth indicator
- FIDO2 Passkey: 'passkey' auth indicator

This is all driven by the code in `ipadb_parse_ldap_entry()` (see the first four 'const krb5_octet ...[] = "...";' lines in the function). In order to change that, we need to define a way to pull that information from somewhere. However, at the point when this code is called, we only know that a user would be forced to use a specific pre-authentication method, but not the associated pre-auth method configuration yet. Both the 'radius' and 'otp' methods are handled by the same pre-authentication method, 'otp', in the KDC.

Theoretically, we could extend the Access-Accept response sent from the `ipa-otpd` daemon with the correct indicator, but this will need a corresponding change on the KDC side of the MIT Kerberos pre-authentication methods. For the 'otp' method that means changes in the `callback()` function in `src/plugins/preauth/otp/otp_state.c`. Right now it has logic that pulls indicators out of the token description (as we pass them from `ipadb_parse_ldap_entry()`), or they get queried from the KDC configuration per OTP endpoint definition. But the latter will not work, as the information for all tokens IPA returns to the KDC pre-auth method has the pre-assigned indicator 'radius' (for the RADIUS proxy case).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
