[Freeipa-users] OTP unstable/non functional after upgrade?

Michael Lasevich mlasevich at gmail.com
Wed Sep 23 08:49:43 UTC 2015


Ok, something odd happened I would love some feedback/ideas on:

We had 4.1.2 running on Fedora that we used for, among other things, OTP
authentication. I have just upgraded these to CentOS 7 with 4.1.4 running
and our OTP setup suddenly became very unstable.

Things that have changed during upgrade that may be contributing to this:

* OS went from Fedora to CentOS 7
* Version of the IPA code went from 4.1.2 to 4.1.4
* Anonymous LDAP access was disabled
* Directory Manager password was changed (to solve unrelated problem)
* An attempt to reduce the number of supported ciphers for LDAPS (port 636)
* Ditto for the SSL port for Apache.

Symptoms:

* Even before the upgrade was completed (one server, the one auth was
being attempted against, was still running old code) - it would not
authenticate an LDAP connection using the password+otp format. Password
alone worked fine.

* After the update I tried to log in to the IPA UI using password+otp - it
was not working. So I logged in without otp and added a new OTP code. After
that suddenly I could use both the old and the new token generators to log
in... but not all the time... the new one was more consistent, but failed
from time to time too. This is happening to at least one other user - so I
think the issue is not associated with the user account.

* At no time did the sync token UI work. It always says wrong/invalid token.

I really need this to work - any ideas/suggestions would be appreciated.

-M