<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/17/2015 04:52 PM, Janelle wrote:<br>
</div>
<blockquote cite="mid:55317279.3010107@gmail.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 4/17/15 1:19 PM, Dmitri Pal wrote:<br>
<blockquote cite="mid:55316ABF.1000606@redhat.com" type="cite">On
04/17/2015 01:20 PM, Janelle wrote: <br>
<blockquote type="cite">On 4/17/15 9:53 AM, Dmitri Pal wrote: <br>
<blockquote type="cite">On 04/17/2015 11:16 AM, Janelle wrote:
<br>
<blockquote type="cite">Hi, <br>
<br>
Is anyone else having issues with OTP since upgrading? For
the life of me I can't get it to accept "Sync" for the
tokens. No matter what is put in, it just keeps saying the
username, password or tokens entered are incorrect. <br>
<br>
To make it simple - I am tryign this on a brand new CentOS
7.1 system with a clean/fresh install of FreeIPA 4.1.4 and
yet it just refuses to work. <br>
<br>
I create a user -- configure them. They work just fine
with a password. Then add a token. Sync with FreeOTP and
that all works. Then going back to the web UI and do Sync
OTP and it simply refuses to accept any values. And yet
the same user can login to the regular web UI with their
password. <br>
<br>
I have tried setting the user to both Password and OTP for
auth methods. And also just OTP and nothing works. <br>
</blockquote>
<br>
Please look in the logs to see what is going on. <br>
You would need to look at the KDC, http and DS logs on the
server to sort out what is going on. <br>
<br>
Do you change the password for the user first after creating
him? <br>
<br>
Can you reproduce the problem with demo instance? <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.freeipa.org/page/Demo">http://www.freeipa.org/page/Demo</a>
<br>
If you can then we can take a look at the logs right away. <br>
Hints? Am I missing a step? <br>
<br>
~J <br>
<br>
</blockquote>
It appears to be the UI. If I go through the steps and let it
"fail", I can still login using OTP to servers. I made the
assumption that the error itself was not an error.. :-) <br>
<br>
~J <br>
<br>
</blockquote>
I am not sure I get what you are saying. Do you still see the
problem or you misinterpreted the UI and now the problem is
gone? If you did is there any recommendation how to improve the
UI not to confuse people? <br>
<br>
</blockquote>
The problem exists -- this is what it shows:<br>
HOWEVER, it is still WORKING. Meaning, even if you get this error,
if you attempt to login with your FreeOTP token, it WORKS.<br>
<br>
~J<br>
<br>
<img src="cid:part2.04000706.05000002@redhat.com" alt=""
height="263" width="490"><br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
Does it give you this error when you use password or password and
token?<br>
Can you please describe the flow of steps in more details?<br>
I start browser, go here, click here, enter this, etc.<br>
<br>
Are you using SSSD to login to servers? Is SSSD configured with IPA
provider or you configured it for LDAP manually. There is a
difference between LDAP and Kerberos authentication.<br>
<br>
May be the following article will help you to understand the
expectations:<br>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp</a><br>
<br>
<br>
<br>
I suspect it is some combination of flags and protocols that is
confusing.<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>