#6665 ipa-client-install does not support enrollment by users with RADIUS or OTP token
Opened 3 years ago by abbra. Modified 2 years ago

From IRC:

[sudoSamurai] hi all, I'm not sure if someone can help me or if I should file a bug or feature request. I set up an external radius server for two factor token authentication. Everything is working except for ipa-client-install. When it asks for the user to register the host, it won't accept the credentials unless I turn off the radius feature

It seems that a procedure calling for kinit_password in ipaclient.install.client should always use anonymous PKINIT to create a FAST channel and then call kinit_password with the ccache of that to armor the actual password exchange.

In FreeIPA 4.5 we have anonymous PKINIT enabled by default. In case anonymous PKINIT is not available, current behavior can continue (i.e. call kinit_password without armor ccache).

It looks to me that kinit_keytab call can also be enhanced with this approach.
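The flow the ticket proposes, as an added illustration (not code from FreeIPA's ipaclient.install.client): first obtain an anonymous ticket with `kinit -n` (anonymous PKINIT) into an armor ccache, then run the password kinit with `-T` pointing at that ccache so the AS exchange is carried inside a FAST tunnel, which is what lets the KDC perform OTP/RADIUS pre-authentication; if the anonymous step fails, fall back to the current unarmored behaviour. The function names, the injectable runner and the fake `RecordingRunner` are assumptions made so the control flow can be exercised without a KDC; the `kinit` flags are MIT krb5's.

```python
"""Armor the enrollment password exchange with an anonymous-PKINIT FAST channel.

Constructed illustration of the flow proposed in the ticket; it is not
FreeIPA's own ipaclient.install.client code. kinit flags are MIT krb5's:
  -n  request an anonymous ticket (anonymous PKINIT)
  -T  use the given ccache as the FAST armor ccache
  -c  credential cache to write
"""
import subprocess
from typing import Callable, Dict, List, Optional, Sequence

# A runner takes argv and optional stdin text and returns the exit status.
Runner = Callable[[Sequence[str], Optional[str]], int]


def run_command(argv: Sequence[str], stdin_text: Optional[str] = None) -> int:
    """Default runner: execute kinit, feeding the password on stdin, and
    report the exit status instead of raising on failure."""
    proc = subprocess.run(list(argv), input=stdin_text, text=True,
                          capture_output=True, check=False)
    return proc.returncode


def anonymous_pkinit(armor_ccache: str, run: Runner = run_command) -> bool:
    """Obtain an anonymous TGT via PKINIT into armor_ccache.
    Succeeds only if krb5.conf carries pkinit_anchors and the realm allows
    anonymous PKINIT (enabled by default since FreeIPA 4.5, per the ticket)."""
    return run(["kinit", "-n", "-c", armor_ccache], None) == 0


def kinit_password(principal: str, password: str, ccache: str,
                   armor_ccache: Optional[str] = None,
                   run: Runner = run_command) -> int:
    """Password kinit. With armor_ccache set, the AS exchange is wrapped in a
    FAST tunnel keyed by the anonymous ticket, so the KDC can run OTP/RADIUS
    pre-authentication for the user instead of rejecting the password."""
    argv: List[str] = ["kinit", "-c", ccache]
    if armor_ccache:
        argv += ["-T", armor_ccache]
    argv.append(principal)
    return run(argv, password + "\n")


def enrollment_kinit(principal: str, password: str, ccache: str,
                     armor_ccache: str,
                     run: Runner = run_command) -> Dict[str, object]:
    """Try the armored path first; fall back to today's unarmored behaviour
    when anonymous PKINIT is unavailable, as the ticket proposes."""
    armored = anonymous_pkinit(armor_ccache, run)
    status = kinit_password(principal, password, ccache,
                            armor_ccache if armored else None, run)
    return {"armored": armored, "status": status}


class RecordingRunner:
    """Hypothetical fake runner for offline demonstration: fails 'kinit -n'
    when anonymous PKINIT is marked unavailable and records every argv."""

    def __init__(self, anonymous_available: bool) -> None:
        self.anonymous_available = anonymous_available
        self.calls: List[List[str]] = []

    def __call__(self, argv: Sequence[str], stdin_text: Optional[str]) -> int:
        self.calls.append(list(argv))
        if "-n" in argv and not self.anonymous_available:
            return 1  # anonymous PKINIT refused or not configured
        return 0


if __name__ == "__main__":
    # Constructed sample values; no KDC is contacted through the fake runner.
    for available in (True, False):
        fake = RecordingRunner(available)
        result = enrollment_kinit("admin@EXAMPLE.TEST", "secret",
                                  "FILE:/tmp/enroll.ccache",
                                  "FILE:/tmp/armor.ccache", fake)
        print("anonymous PKINIT available:", available, result, fake.calls)
```

Run against a real KDC by dropping the `run=` argument: the default runner executes the same two `kinit` invocations, and the second one prompts for the OTP token value through the FAST-protected exchange.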

Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

2 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.7 (was: 0.0 NEEDS_TRIAGE)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
