[Freeipa-users] 2FA and AllowNTHash
Maciej Drobniuch
md at collective-sense.com
Tue Jan 3 15:28:50 UTC 2017
Hi All,
We have a topo with 3x IPA servers + freeradius.
Freeradius is being used to do mschap with wifi APs. Freeradius connects
over ldap to IPA.
In order to do the challenge-response thing, freeipa has AllowNTHash
enabled.
So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth.
The moment I disallow password auth for a user and enable OTP, the wifi
auth stops working, but the hash clearly stays in ldap.
The goal is to stay with password on freeradius but for everything else:
kerberos/sssd related use password+code.
How can I disable password login for a user but still make freeradius work
with ldap, so when it asks for the user's hash it gets one?
Freeradius ldap mod snippet:
    base_dn = "cn=users,cn=accounts,dc=cs,dc=com"
Thank You
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC