This ticket is similar to #4875 and might be solved by the same implementation however I am opening a different ticket to capture a different scenario.
I want to use IPA in my environment. For the systems inside the environment one factor should be OK but SSO is preferable, however for some critical applications like VPN I want to enforce 2FA. As of 4.1 one can set a policy to allow password or OTP for tokens managed in IPA. Kerberos will enforce 2FA while LDAP will allow either. But I would like to probably do a reverse. Have Kerberos with one factor but SSO and make VPN use LDAP (or some other way) that forces 2FA and I probably do not care for the SSO in this case.
Universally it will be solved by auth indicators. But this is years out. Is there any other, simple and fast way I can accomplish this setup until auth indicators arrive?
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @abbra: - Issue assigned to abbra (was: someone) - Issue close_status updated to: None - Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.11
I decided to reuse existing functionality from the ipa-otpd feature to enforce LDAP bind with OTP. If the EnforceLDAPOTP configuration string is added to IPA configuration, then that is treated as if the LDAP client forced the OTP control on the LDAP BIND request.
The downside of this change is that users will no longer be able to add their own initial token by logging into Web UI with password only. Admins will have to add their initial OTP token. I think it is a good compromise for the enforcement policy requirement over LDAP.
Metadata Update from @ftrivino: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7200 (was: 0)
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-23377 (was: todo)
ipa-4-11:
ipa-4-10:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Additional patch required: master:
Additional patch: ipa-4-11:
Metadata Update from @abbra: - Custom field changelog adjusted to When an IPA user has OTP token authentication enabled, it is now possible to enforce LDAP authentication to fail without providing an OTP token. This is already the case for Kerberos authentication since 2014; however, some administrators like to enforce it for LDAP-backed applications. The fact that OTP was used for authentication will be recorded in LDAP server logs as an MFA note, according to the design described at https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
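The changelog above says that an OTP-backed bind is recorded in the 389-ds access log as an MFA note. An administrator who turns on the enforcement can read those notes back to confirm that the LDAP-backed application is really no longer accepting password-only binds. The script below is an added example written for this ticket, not FreeIPA or 389-ds code. It assumes the access-log layout shown in its constructed sample lines and, following the linked design document, that the note letter for an MFA bind is `M`; the sample DNs are made up. The ticket only says the string is added to "IPA configuration"; that it lives in the `ipaConfigString` attribute of the config entry (as in `ipa config-mod --addattr ipaConfigString=EnforceLDAPOTP`) is my reading of FreeIPA's configuration layout, not something the ticket states.

```python
"""Classify LDAP simple binds in a 389-ds access log by whether the MFA note is present.

Added example for the FreeIPA ticket on EnforceLDAPOTP; not FreeIPA or 389-ds code.
Assumptions (labelled): the access-log field layout below, and that a bind that used
an OTP factor carries ``notes=M`` as described in the MFA operation note design.
All sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample: four simple binds on four connections.
#  conn=12  alice  succeeded with the MFA note      -> password+OTP bind
#  conn=13  bob    succeeded without any note        -> password-only bind
#  conn=14  carol  failed (err=49, invalid creds)    -> rejected
#  conn=15  ""     anonymous bind                    -> not a user login
SAMPLE_ACCESS_LOG = """\
[27/Feb/2024:10:15:32.100 +0000] conn=12 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[27/Feb/2024:10:15:32.200 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.0001 optime=0.0004 etime=0.0005 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" notes=M
[27/Feb/2024:10:15:40.100 +0000] conn=13 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[27/Feb/2024:10:15:40.200 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.0001 optime=0.0004 etime=0.0005 dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test"
[27/Feb/2024:10:15:45.100 +0000] conn=14 op=0 BIND dn="uid=carol,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[27/Feb/2024:10:15:45.200 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.0001 optime=0.0004 etime=0.0005
[27/Feb/2024:10:15:50.100 +0000] conn=15 op=0 BIND dn="" method=128 version=3
[27/Feb/2024:10:15:50.200 +0000] conn=15 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.0001 optime=0.0004 etime=0.0005
"""

# A BIND line names the DN; the matching RESULT (same conn/op) carries err= and notes=.
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?P<rest>.*)')
# notes= may hold several letters (e.g. "U,P"); position relative to dn= is not assumed.
NOTES_RE = re.compile(r'\bnotes=(?P<notes>[A-Za-z,]+)')
MFA_NOTE = "M"  # assumption: letter used by the MFA operation note design


@dataclass
class BindEvent:
    conn: str
    dn: str
    err: int
    mfa: bool

    @property
    def verdict(self) -> str:
        if self.dn == "":
            return "anonymous"
        if self.err != 0:
            return "failed"
        return "mfa" if self.mfa else "password-only"


def parse_binds(lines: Iterable[str]) -> list[BindEvent]:
    """Pair each BIND with its RESULT on the same conn/op and classify it."""
    pending: dict[tuple[str, str], str] = {}
    events: list[BindEvent] = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        if key not in pending:
            continue  # RESULT of a non-BIND operation (search, modify, ...)
        dn = pending.pop(key)
        notes_match = NOTES_RE.search(m["rest"])
        notes = notes_match["notes"] if notes_match else ""
        events.append(BindEvent(m["conn"], dn, int(m["err"]), MFA_NOTE in notes.split(",")))
    return events


def password_only_binds(lines: Iterable[str]) -> list[BindEvent]:
    """Successful user binds that carry no MFA note: the case EnforceLDAPOTP is meant to stop
    for token holders. Users without a token legitimately appear here, so join the DNs
    against the list of OTP-enabled users before treating them as policy gaps."""
    return [e for e in parse_binds(lines) if e.verdict == "password-only"]


def summarize(lines: Iterable[str]) -> dict[str, int]:
    """Count binds per verdict; handy for a quick before/after check of the enforcement."""
    counts: dict[str, int] = {}
    for e in parse_binds(lines):
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for event in parse_binds(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"conn={event.conn} {event.verdict:13s} {event.dn or '(anonymous)'}")
    print(summarize(SAMPLE_ACCESS_LOG.splitlines()))
```

Run against the real access log (by default under `/var/log/dirsrv/slapd-<INSTANCE>/access`, instance name being site-specific), the interesting output is the password-only list: any DN there that also has a token (for example from `ipa otptoken-find`) shows a bind the enforcement did not cover, and a non-empty list after EnforceLDAPOTP is set is the signal to investigate. Note that the MFA note only records that an OTP factor was used; it does not by itself say whether a bind should have required one.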
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-23377, https://issues.redhat.com/browse/RHEL-40661 (was: https://issues.redhat.com/browse/RHEL-23377)
ipa-4-12:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-23377, https://issues.redhat.com/browse/RHEL-40661, https://issues.redhat.com/browse/RHEL-49433 (was: https://issues.redhat.com/browse/RHEL-23377, https://issues.redhat.com/browse/RHEL-40661)