[Freeipa-users] OTP and time step size
Prashant Bapat
prashant at apigee.com
Fri Apr 22 06:55:32 UTC 2016
Hi,
We have been using the OTP feature of FreeIPA extensively for users to
login to the web UI. Now we are rolling out an external service using the
LDAP authentication based on FreeIPA and OTP.
End users typically login rarely to the web UI. Only to update their SSH
keys once in 90 days.
However to the new service based on FreeIPA's LDAP they would be logging in
multiple times daily.
Here is an observation: FreeIPA's OTP mechanism is very stringent in
requiring the current token to be inside the 30 second window. Because of
this there might be a sizable percentage of users who will have to retry
login. Obviously, this is a bad user experience.
As per the RFC-6238 <http://www.rfc-base.org/txt/rfc-6238.txt> section 5.2,
we could allow 1 time step and make the user experience better.
Can this be done by changing a config or does it involve a
patch/code-change. Any pointers to this appreciated.
Thanks.
--Prashant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160422/0337708f/attachment.htm>
More information about the Freeipa-users
mailing list