#5169 [RFE] Enforce OTP for a subset of scenarios
Closed: fixed 2 months ago by frenaud. Opened 8 years ago by dpal.

This ticket is similar to #4875 and might be solved by the same implementation; however, I am opening a different ticket to capture a different scenario.

I want to use IPA in my environment. For the systems inside the environment one factor should be OK but SSO is preferable; however, for some critical applications like VPN I want to enforce 2FA. As of 4.1 one can set a policy to allow password or OTP for tokens managed in IPA. Kerberos will enforce 2FA while LDAP will allow either. But I would like to probably do the reverse: have Kerberos with one factor but SSO, and make VPN use LDAP (or some other way) that forces 2FA, and I probably do not care for the SSO in this case.

Universally it will be solved by auth indicators. But this is years out. Is there any other, simple and fast way I can accomplish this setup until auth indicators arrive?


Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @abbra:
- Issue assigned to abbra (was: someone)
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

4 months ago

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.11

4 months ago

I decided to reuse existing functionality from the ipa-otpd feature to enforce LDAP bind with OTP. If the EnforceLDAPOTP configuration string is added to the IPA configuration, then that is treated as if the LDAP client had forced the OTP control on the LDAP BIND request.

The downside of this change is that users will no longer be able to add their own initial token by logging into Web UI with password only. Admins will have to add their initial OTP token. I think it is a good compromise for the enforcement policy requirement over LDAP.
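The bind decision described in the comment above, modelled as an added illustration that is not FreeIPA's ipa-pwd-extop code. It assumes the EnforceLDAPOTP config string is simply present or absent in the server's configuration, that a user's token is an RFC 6238 TOTP token with default parameters, and that the client supplies the OTP by appending the code to the password in the simple bind; the users, secret and timestamps are constructed. It also shows the compromise the comment mentions: once enforcement is on, a user with no enrolled token cannot bind at all, so an administrator has to add the initial token.

```python
"""Model of the LDAP BIND decision once 'EnforceLDAPOTP' is set.
Illustration only, not FreeIPA code; users, secrets and config are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Set

ENFORCE_FLAG = "EnforceLDAPOTP"   # config string named in the ticket
TOTP_STEP = 30                    # assumed RFC 6238 defaults
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` time steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * TOTP_STEP), code)
        for drift in range(-window, window + 1)
    )


@dataclass
class User:
    password: str                  # plaintext here; a real store holds a hash
    token_secret: Optional[bytes]  # None means no OTP token enrolled


@dataclass
class BindResult:
    accepted: bool
    mfa: bool      # True when an OTP was verified (the successful-2FA case)
    reason: str


def ldap_bind(config_strings: Set[str], user: User, bind_password: str,
              otp_control: bool, now: int) -> BindResult:
    """Decide a simple BIND. `otp_control` models the client sending the OTP
    request control; EnforceLDAPOTP in the config is treated exactly as if the
    client had sent it (hypothetical model of the behaviour the ticket describes)."""
    enforce = otp_control or ENFORCE_FLAG in config_strings

    # Password+OTP form: the code is the trailing digits of the bind password.
    if user.token_secret is not None and len(bind_password) > TOTP_DIGITS:
        pw, code = bind_password[:-TOTP_DIGITS], bind_password[-TOTP_DIGITS:]
        if hmac.compare_digest(pw, user.password) and verify_totp(user.token_secret, code, now):
            return BindResult(True, True, "password+OTP verified")

    if enforce:
        if user.token_secret is None:
            return BindResult(False, False, "OTP enforced but user has no token")
        return BindResult(False, False, "OTP enforced; password-only bind rejected")

    if hmac.compare_digest(bind_password, user.password):
        return BindResult(True, False, "password-only bind (single factor)")
    return BindResult(False, False, "invalid credentials")


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret, one user with a token, one without.
    secret = b"12345678901234567890"
    alice = User("s3cret", secret)
    bob = User("pw", None)
    now = 1_700_000_000
    cfg = {ENFORCE_FLAG}
    print(ldap_bind(cfg, alice, "s3cret" + totp(secret, now), False, now))
    print(ldap_bind(cfg, alice, "s3cret", False, now))
    print(ldap_bind(cfg, bob, "pw", False, now))
    print(ldap_bind(set(), bob, "pw", False, now))
```

The decision order matters: the password+OTP form is tried first regardless of enforcement, so a client that always sends both factors keeps working when the flag is toggled on, while a password-only client is the only thing that breaks.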

Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7200 (was: 0)

3 months ago

master:

  • 1d2897e ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
  • 23b224d ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-23377 (was: todo)

2 months ago

ipa-4-11:

  • 82eca6c ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
  • a319811 ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP

ipa-4-10:

  • 8d12a70 ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
  • 4b9a97d ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 months ago

Additional patch required:
master:

  • e431ce0 ipa-pwd-extop: declare operation notes support from 389-ds locally

Additional patch:
ipa-4-11:

  • db80428 ipa-pwd-extop: declare operation notes support from 389-ds locally

ipa-4-10:

  • b1a0423 ipa-pwd-extop: declare operation notes support from 389-ds locally
