#6376 User administrator role should have access to remove user's OTP tokens.
Closed: Invalid. Opened 7 years ago by pmbapat.

We are running IPA with OTP as the only option if the user has an OTP defined.

At times, users lose their OTP or forget where they configured it. It would be intuitive for the user administrator to have access to remove the old OTP, giving users an opportunity to log in with only a password and set up a new OTP.

At present there is no option to do this, and only a user with the IPA admin role can remove OTPs.


You can set up a Role+Privilege+Permission to do that.

But be cautious about which admins receive the role. E.g. if they are lower-level admins who should not have rights to reset credentials for higher-level admins, then a general permission might break this expectation.

More info: http://www.freeipa.org/page/V4/OTP#Helpdesk

Possible workaround:

  • admin can enable password auth for the user
  • user can then create a new OTP token
  • user can remove the old token
  • admin can disable password auth

Per triage on Oct 10, this ticket won't be implemented; instead, how to resolve the situation should be documented. For that, BZ https://bugzilla.redhat.com/show_bug.cgi?id=1384964 was opened.

I wonder whether the ticket reporter is OK with this workaround.
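Both approaches from the comments above (a delegated Role+Privilege+Permission, and the admin-side steps of the password-auth workaround) as an added `ipa` CLI script. This is an illustrative example written for this ticket, not code from the FreeIPA project or the linked wiki page. It assumes the operator holds an admin Kerberos ticket (`kinit admin`); the names "OTP Helpdesk", "OTP Token Removal" and "Remove OTP tokens", the user "alice", and the use of `--type=otptoken` as the permission target are assumptions made here. With `IPA_DRY_RUN=1`, or when no `ipa` binary is installed, the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example for FreeIPA ticket #6376 (not project code).
#   A) a delegated role whose only right is deleting OTP token entries
#   B) the admin half of the workaround: allow password auth, later require OTP again
# Assumptions: admin Kerberos ticket present; role/privilege/permission names
# and the user "alice" are placeholders. IPA_DRY_RUN=1 prints instead of executing.

run() {
  if [ "${IPA_DRY_RUN:-0}" = "1" ] || ! command -v ipa >/dev/null 2>&1; then
    printf '%s\n' "ipa $*"
  else
    ipa "$@"
  fi
}

# A) Delegation. The permission grants only the "delete" right on OTP token
# entries, so a role holder can remove a lost token but cannot read token
# secrets, add tokens, or change anything else on the user entry.
# The role is global: anyone holding it can delete tokens of *any* user,
# including higher-level admins, which is the caveat raised in the thread.
create_otp_helpdesk_role() {
  role="${1:-OTP Helpdesk}"
  run permission-add "Remove OTP tokens" --right=delete --type=otptoken
  run privilege-add "OTP Token Removal" --desc="Delete any user's OTP tokens"
  run privilege-add-permission "OTP Token Removal" --permissions="Remove OTP tokens"
  run role-add "$role" --desc="Helpdesk staff allowed to clear lost OTP tokens"
  run role-add-privilege "$role" --privileges="OTP Token Removal"
}

# Pull the token IDs out of `ipa otptoken-find` output ("  Unique ID: ..." lines).
token_ids_from_find() {
  sed -n 's/^[[:space:]]*Unique ID:[[:space:]]*//p'
}

# Remove every token owned by a user; this is what a holder of the role runs.
helpdesk_remove_tokens() {
  user="$1"
  ids=$(run otptoken-find --owner="$user" | token_ids_from_find)
  if [ -z "$ids" ]; then
    echo "no tokens listed for $user (dry run, or nothing to remove)"
    return 0
  fi
  printf '%s\n' "$ids" | while read -r id; do
    run otptoken-del "$id"
  done
}

# B) Workaround without delegation: the admin allows plain password login,
# the user enrols a new token and deletes the old one themselves, then the
# admin switches the user back to OTP-only authentication.
enable_password_auth() { run user-mod "$1" --user-auth-type=password --user-auth-type=otp; }
require_otp_only()     { run user-mod "$1" --user-auth-type=otp; }

case "${1:-}" in
  setup)          create_otp_helpdesk_role "${2:-OTP Helpdesk}" ;;
  remove-tokens)  helpdesk_remove_tokens "$2" ;;
  allow-password) enable_password_auth "$2" ;;
  otp-only)       require_otp_only "$2" ;;
esac
```

Usage: `./otp-helpdesk.sh setup` once as admin, then `ipa role-add-member "OTP Helpdesk" --users=<helpdesk user>`; a role holder runs `./otp-helpdesk.sh remove-tokens alice`. For the workaround path, `allow-password alice` and later `otp-only alice` are the two admin steps. If `otptoken-find` returns nothing for the helpdesk user, that account also lacks read access to token entries and needs a read permission in addition to the delete one.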

Yes. This is a reasonable workaround. It is acceptable.

Thanks for looking into this.

Metadata Update from @pmbapat (7 years ago):
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
