[Freeipa-users] 4.1.4 and OTP

Dmitri Pal dpal at redhat.com
Fri Apr 17 23:36:40 UTC 2015


On 04/17/2015 04:52 PM, Janelle wrote:
> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>> On 04/17/2015 01:20 PM, Janelle wrote:
>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>> Hi,
>>>>>
>>>>> Is anyone else having issues with OTP since upgrading? For the 
>>>>> life of me I can't get it to accept "Sync" for the tokens. No 
>>>>> matter what is put in, it just keeps saying the username, password 
>>>>> or tokens entered are incorrect.
>>>>>
>>>>> To make it simple - I am trying this on a brand new CentOS 7.1
>>>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it just 
>>>>> refuses to work.
>>>>>
>>>>> I create a user -- configure them. They work just fine with a 
>>>>> password. Then add a token. Sync with FreeOTP and that all works. 
>>>>> Then going back to the web UI and do Sync OTP and it simply 
>>>>> refuses to accept any values. And yet the same user can login to 
>>>>> the regular web UI with their password.
>>>>>
>>>>> I have tried setting the user to both Password and OTP for auth 
>>>>> methods. And also just OTP and nothing works.
>>>>
>>>> Please look in the logs to see what is going on.
>>>> You would need to look at the KDC, http and DS logs on the server 
>>>> to sort out what is going on.
>>>>
>>>> Do you change the password for the user first after creating him?
>>>>
>>>> Can you reproduce the problem with demo instance?
>>>> http://www.freeipa.org/page/Demo
>>>> If you can then we can take a look at the logs right away.
>>>> Hints? Am I missing a step?
>>>>
>>>> ~J
>>>>
>>> It appears to be the UI. If I go through the steps and let it 
>>> "fail", I can still login using OTP to servers. I made the 
>>> assumption that the error itself was not an error.. :-)
>>>
>>> ~J
>>>
>> I am not sure I get what you are saying. Do you still see the problem,
>> or did you misinterpret the UI and now the problem is gone? If you did,
>> is there any recommendation how to improve the UI not to confuse people?
>>
> The problem exists -- this is what it shows:
> HOWEVER, it is still WORKING. Meaning, even if you get this error, if 
> you attempt to login with your FreeOTP token, it WORKS.
>
> ~J
>
>
>
>

Does it give you this error when you use password or password and token?
Can you please describe the flow of steps in more detail?
I start browser, go here, click here, enter this, etc.

Are you using SSSD to log in to servers? Is SSSD configured with the IPA
provider, or did you configure it for LDAP manually? There is a difference
between LDAP and Kerberos authentication.

Maybe the following article will help you to understand the expectations:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp



I suspect it is some combination of flags and protocols that is confusing.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
