Currently, ipa-kdb enforces the use of tokens if "otp" is in ipaUserAuthType. However, this locks users out before they enroll in tokens. Instead, ipa-kdb should query both for ipaUserAuthType and the number of active tokens.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1061190
https://www.redhat.com/archives/freeipa-devel/2014-February/msg00055.html
master:
Metadata Update from @npmccallum: - Issue assigned to npmccallum - Issue set to the milestone: FreeIPA 4.0 - 2014/02
Log in to comment on this ticket.