[Freeipa-users] Why OTP not working

Jochen Hein jochen at jochen.org
Tue May 16 20:44:04 UTC 2017


Andrey Dudin <dudin.andrey at gmail.com> writes:

> I am trying to use OTP auth in Freeipa but have some problems.

OTP (with RADIUS) works for me.

> I have user *test:*
>
> [root@ipa-centos]# ipa user-show test
...

Did you enable --user-auth-type=otp with "ipa config-mod"?  I have:

[root@freeipa1 log]# ipa config-show --raw
...
  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius

Look at the mouse-over-docs in Webui -> IPA-Server -> Configuration ->
User Authentication Types for more info.

Otherwise, you need to enable --user-auth-type=otp for your user.  I
have for RADIUS both password and radius for my OTP user:

[root@freeipa1 log]# ipa user-show jochen --raw
...
  ipauserauthtype: password
  ipauserauthtype: radius

If you need both password and otp, use both --user-auth-type=password
and --user-auth-type=otp for "ipa user-mod" or "ipa config-mod".

When I do a "su - jochen", I get asked for "First Factor" and "Second
Factor", since sssd knows I use RADIUS for OTP.  That might be easier to
first test that you can authenticate with OTP.

> Server with FreeIpa:
>
> [root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
...
>   Authentication Indicators: otp

Is there a simple way to check on the command line, whether or not an
authentication indicator was set when authenticating?  I can't remember
anything from reading the docs - I expected some option for klist.

Jochen

-- 
This space is intentionally left blank.
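
The check described in the message above, as an added example that is not part of the original post: it reads `ipa config-show --raw` and `ipa user-show --raw` output and reports which authentication types apply to a user. The function names and the sample input are constructed for illustration, and the script assumes FreeIPA's behaviour that per-user `ipauserauthtype` values, when present, replace the global defaults.

```shell
#!/bin/sh
# Constructed sample input, shaped like the `--raw` output quoted in the post.
GLOBAL_RAW='  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius'
USER_RAW='  uid: jochen
  ipauserauthtype: password
  ipauserauthtype: radius'
NO_OVERRIDE_RAW='  uid: test'   # constructed: a user with no per-user auth types

# Print the ipauserauthtype values read from stdin, sorted, on one line.
auth_types() {
    awk '$1 == "ipauserauthtype:" { print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# effective_auth_types GLOBAL_RAW USER_RAW (hypothetical helper)
# Assumption: per-user values, when present, replace the global defaults.
effective_auth_types() {
    eff=$(printf '%s\n' "$2" | auth_types)
    [ -n "$eff" ] || eff=$(printf '%s\n' "$1" | auth_types)
    printf '%s\n' "$eff"
}

# has_type "LIST" TYPE: succeed if TYPE is one of the space-separated LIST.
has_type() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# report NAME GLOBAL_RAW USER_RAW: one summary line per user.
report() {
    eff=$(effective_auth_types "$2" "$3")
    if has_type "$eff" otp || has_type "$eff" radius; then
        echo "$1: otp or radius enabled ($eff)"
    else
        echo "$1: password only ($eff)"
    fi
}

report jochen "$GLOBAL_RAW" "$USER_RAW"
report test "$GLOBAL_RAW" "$NO_OVERRIDE_RAW"
# Against a live server (commands as used in the post):
#   report test "$(ipa config-show --raw)" "$(ipa user-show test --raw)"
```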



