#5169 [RFE] Enforce OTP for a subset of scenarios
Closed: fixed 10 months ago by frenaud. Opened 9 years ago by dpal.

This ticket is similar to #4875 and might be solved by the same implementation; however, I am opening a different ticket to capture a different scenario.

I want to use IPA in my environment. For the systems inside the environment one factor should be OK but SSO is preferable; however, for some critical applications like VPN I want to enforce 2FA. As of 4.1 one can set a policy to allow password or OTP for tokens managed in IPA. Kerberos will enforce 2FA while LDAP will allow either. But I would probably like to do the reverse: have Kerberos with one factor but SSO, and make VPN use LDAP (or some other way) that forces 2FA, and I probably do not care for the SSO in this case.

Universally it will be solved by auth indicators. But this is years out. Is there any other, simple and fast way I can accomplish this setup until auth indicators arrive?


Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @abbra:
- Issue assigned to abbra (was: someone)
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

a year ago

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.11

a year ago

I decided to reuse existing functionality from the ipa-otpd feature to enforce LDAP bind with OTP. If the EnforceLDAPOTP configuration string is added to the IPA configuration, then that is treated as if the LDAP client forced the OTP control on the LDAP BIND request.

The downside of this change is that users will no longer be able to add their own initial token by logging into Web UI with password only. Admins will have to add their initial OTP token. I think it is a good compromise for the enforcement policy requirement over LDAP.
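The decision described in the comment above (password-only LDAP binds are rejected for OTP-enabled users once EnforceLDAPOTP is set, exactly as if the client had sent the OTP bind control, and a successful password+OTP bind gets the MFA operation note) can be modelled in a few lines. The block below is an added example, not ipa-pwd-extop code or anything from the FreeIPA project; it assumes that the LDAP client appends the token value to the password in a simple bind, that enforcement only applies to users whose effective auth type includes "otp", and that the user, config and TOTP seed shown are constructed test data. `User`, `BindResult`, `ldap_bind`, `hotp` and `totp` are names invented for the example.

```python
"""Model of the EnforceLDAPOTP bind decision (added example, not FreeIPA code)."""
from dataclasses import dataclass
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 (the default FreeIPA TOTP token algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP value for the time step containing `now` (seconds)."""
    return hotp(secret, int(now) // step, digits)


@dataclass(frozen=True)
class User:
    dn: str
    password: str
    auth_types: frozenset          # effective ipaUserAuthType values, e.g. {"password", "otp"}
    totp_secrets: tuple = ()       # enrolled TOTP seeds; empty tuple = no token yet


@dataclass(frozen=True)
class BindResult:
    success: bool
    mfa_note: bool                 # True when the server would log the MFA operation note
    reason: str


def ldap_bind(user: User, credential: str, ipa_config_strings: frozenset,
              otp_control: bool = False, now: int = 0, digits: int = 6) -> BindResult:
    """Simplified model of a simple LDAP bind against an OTP-aware IPA server.

    Assumption: EnforceLDAPOTP in the global config is treated exactly like the
    client having sent the OTP bind control, and only affects users whose auth
    types include "otp".
    """
    otp_required = otp_control or ("EnforceLDAPOTP" in ipa_config_strings)
    otp_allowed = "otp" in user.auth_types
    password_allowed = "password" in user.auth_types
    cred = credential.encode()
    pwd = user.password.encode()

    # 1. Try password+OTP first: the token value is the trailing `digits` characters.
    if otp_allowed and user.totp_secrets and len(cred) > digits:
        supplied_pwd, code = cred[:-digits], cred[-digits:]
        if hmac.compare_digest(supplied_pwd, pwd) and any(
            hmac.compare_digest(totp(s, now, digits=digits).encode(), code)
            for s in user.totp_secrets
        ):
            return BindResult(True, True, "password+OTP verified")

    # 2. OTP was demanded (control or EnforceLDAPOTP) but not validly supplied.
    #    This is also why a user without any token cannot bind to enrol one.
    if otp_required and otp_allowed:
        return BindResult(False, False, "OTP required for this bind")

    # 3. Fall back to a password-only bind where the auth type permits it.
    if password_allowed and hmac.compare_digest(cred, pwd):
        return BindResult(True, False, "password-only bind")
    return BindResult(False, False, "invalid credentials")


def demo() -> dict:
    """Constructed scenario: RFC 6238 test seed, T=59 so the current TOTP is 287082."""
    seed = b"12345678901234567890"
    alice = User("uid=alice,cn=users,cn=accounts,dc=example,dc=test",
                 "Secret123", frozenset({"password", "otp"}), (seed,))
    default_cfg = frozenset()
    enforce_cfg = frozenset({"EnforceLDAPOTP"})
    return {
        "default_password_only": ldap_bind(alice, "Secret123", default_cfg, now=59),
        "enforce_password_only": ldap_bind(alice, "Secret123", enforce_cfg, now=59),
        "enforce_password_otp": ldap_bind(alice, "Secret123287082", enforce_cfg, now=59),
        "enforce_wrong_otp": ldap_bind(alice, "Secret123000000", enforce_cfg, now=59),
        "client_control_password_only": ldap_bind(alice, "Secret123", default_cfg,
                                                  otp_control=True, now=59),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30} success={result.success} mfa_note={result.mfa_note} ({result.reason})")
```

The important case for a VPN or other LDAP-backed application is the second one: the password is correct, but once EnforceLDAPOTP is present the bind fails unless the token value is appended. On a real deployment, verify the behaviour with an actual simple bind (for example `ldapwhoami -x -D "$USER_DN" -w "$PASSWORD$OTP"` against the IPA server) and confirm that the successful bind carries the MFA note in the 389-ds access log while the password-only attempt is rejected.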

Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7200 (was: 0)

11 months ago

master:

  • 1d2897e ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
  • 23b224d ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-23377 (was: todo)

10 months ago

ipa-4-11:

  • 82eca6c ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
  • a319811 ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP

ipa-4-10:

  • 8d12a70 ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
  • 4b9a97d ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

10 months ago

Additional patch required:
master:

  • e431ce0 ipa-pwd-extop: declare operation notes support from 389-ds locally

Additional patch:
ipa-4-11:

  • db80428 ipa-pwd-extop: declare operation notes support from 389-ds locally

ipa-4-10:

  • b1a0423 ipa-pwd-extop: declare operation notes support from 389-ds locally

Metadata Update from @abbra:
- Custom field changelog adjusted to When an IPA user has OTP token authentication enabled, it is now possible to enforce that LDAP authentication fails without providing an OTP token. This has already been the case for Kerberos authentication since 2014; however, some administrators like to enforce it for LDAP-backed applications. The fact that OTP was used for authentication will be recorded in LDAP server logs as an MFA note, according to the design described at https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html

8 months ago

master:

  • d2f45c6 ipa-pwd-extop: differentiate OTP requirements in LDAP binds

ipa-4-12:

  • 051d61f ipa-pwd-extop: differentiate OTP requirements in LDAP binds

ipa-4-11:

  • 9ddad3f ipa-pwd-extop: differentiate OTP requirements in LDAP binds
