[Freeipa-users] Why OTP not working
Jochen Hein
jochen at jochen.org
Tue May 16 20:44:04 UTC 2017
Andrey Dudin <dudin.andrey at gmail.com> writes:
> I am trying to use OTP auth in FreeIPA but have some problems.
OTP (with RADIUS) works for me.
> I have user *test:*
>
> [root at ipa-centos]# ipa user-show test
...
Did you enable --user-auth-type=otp with "ipa config-mod"? I have:
[root at freeipa1 log]# ipa config-show --raw
...
ipauserauthtype: otp
ipauserauthtype: password
ipauserauthtype: radius
Look at the mouse-over-docs in Webui -> IPA-Server -> Configuration ->
User Authentication Types for more info.
Otherwise, you need to enable --user-auth-type=otp for your user. I
have for RADIUS both password and radius for my OTP user:
[root at freeipa1 log]# ipa user-show jochen --raw
...
ipauserauthtype: password
ipauserauthtype: radius
If you need both password and otp, use both --user-auth-type=password
and --user-auth-type=otp for "ipa user-mod" or "ipa config-mod".
When I do a "su - jochen", I get asked for "First Factor" and "Second
Factor", since sssd knows I use RADIUS for OTP. That might be an easier
way to first test that you can authenticate with OTP.
> Server with FreeIpa:
>
> [root at ipa-centos]# ipa host-show ipa-centos.mydomain.com
...
> Authentication Indicators: otp
Is there a simple way to check on the command line, whether or not an
authentication indicator was set when authenticating? I can't remember
anything from reading the docs - I expected some option for klist.
Jochen
--
This space is intentionally left blank.
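
An offline check of the two settings discussed in the message above, as an added example that is not part of the original message: it parses saved "ipa config-show --raw" and "ipa user-show <user> --raw" output and reports which authentication types apply to a user. The sample output is constructed, the function names are hypothetical, and the rule that per-user values replace the global ones unless the global list contains "disabled" is an assumption about FreeIPA that the message does not state.

```shell
#!/bin/sh
# Constructed sample output, modelled on the --raw listings in the message.
CONFIG_RAW='  ipamaxusernamelength: 32
  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius'
USER_RAW='  uid: jochen
  ipauserauthtype: password
  ipauserauthtype: radius'
USER_UNSET_RAW='  uid: test
  loginshell: /bin/sh'

# Print the ipauserauthtype values found in --raw output: sorted,
# de-duplicated, space-separated on one line (empty if none are set).
auth_types() {
    printf '%s\n' "$1" |
        awk -F': *' 'tolower($1) ~ /^[ \t]*ipauserauthtype$/ { print tolower($2) }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# $1 = user-show --raw output, $2 = config-show --raw output.
# Assumption (not from the message): per-user values replace the global
# ones, unless the global list contains "disabled" (no per-user override).
effective_auth_types() {
    user_types=$(auth_types "$1")
    global_types=$(auth_types "$2")
    case " $global_types " in
        *" disabled "*) user_types='' ;;
    esac
    if [ -n "$user_types" ]; then
        printf '%s\n' "$user_types"
    else
        printf '%s\n' "$global_types"
    fi
}

# Exit status 0 if "otp" is among the effective types for the user.
otp_allowed() {
    case " $(effective_auth_types "$1" "$2") " in
        *" otp "*) return 0 ;;
        *) return 1 ;;
    esac
}

printf 'jochen: %s\n' "$(effective_auth_types "$USER_RAW" "$CONFIG_RAW")"
printf 'test:   %s\n' "$(effective_auth_types "$USER_UNSET_RAW" "$CONFIG_RAW")"
```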