On Thu, 2013-10-10 at 12:44 -0400, Dmitri Pal wrote:
> On 10/10/2013 10:51 AM, Nathaniel McCallum wrote:
> > On Thu, 2013-10-10 at 10:04 +0200, Jan Cholasta wrote:
> >> On 12.9.2013 22:47, Nathaniel McCallum wrote:
> >>> On Thu, 2013-09-05 at 00:04 -0400, Nathaniel McCallum wrote:
> >>>> patch attached
> >>> Update for ./makeapi attached.
> >> Is ipaUserAuthType relevant only to Kerberos or to user authentication
> >> in general? For example, if "password" is removed from ipaUserAuthType
> >> of a user, will I be able to authenticate as that user with LDAP simple
> >> authentication?
> > If only "otp" is set, yes via password+otp.
> > If only "radius" is set, this behavior is currently undefined. We should
> > probably define it.
> If RADIUS is used you always rely on the external system to provide
> authentication for this user.
> Is this the definition you are looking for?
For Kerberos, yes. For LDAP, no. For LDAP, if "radius" is present,
single factor authentication should probably be permitted.
Freeipa-devel mailing list