This ticket is similar to #4875 and might be solved by the same implementation; however, I am opening a different ticket to capture a different scenario.
I want to use IPA in my environment. For the systems inside the environment one factor should be OK but SSO is preferable; however, for some critical applications like VPN I want to enforce 2FA. As of 4.1 one can set policy to allow password or OTP for tokens managed in IPA. Kerberos will enforce 2FA while LDAP will allow either. But I would like to probably do the reverse: have Kerberos with one factor but SSO, and make VPN use LDAP (or some other way) that forces 2FA; I probably do not care for the SSO in this case.
Universally it will be solved by auth indicators. But this is years out. Is there any other, simple and fast way I can accomplish this setup until auth indicators arrive?
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @abbra: - Issue assigned to abbra (was: someone) - Issue close_status updated to: None - Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.11
I decided to reuse existing functionality from ipa-otpd feature to enforce LDAP bind with OTP. If EnforceLDAPOTP configuration string is added to IPA configuration, then that is treated as if LDAP client forced OTP control on the LDAP BIND request.
EnforceLDAPOTP
The downside of this change is that users will no longer be able to add their own initial token by logging into Web UI with password only. Admins will have to add their initial OTP token. I think it is a good compromise for the enforcement policy requirement over LDAP.
Metadata Update from @ftrivino: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7200 (was: 0)
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-23377 (was: todo)
ipa-4-11:
ipa-4-10:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Additional patch required: master:
Additional patch: ipa-4-11: