On 2017-05-17 12:06, Andrey Dudin wrote:
> Hello
> If I do  ipa user-mod test --user-auth-type=password
> --user-auth-type=otp I have user:
> [root@ipa-centos]# ipa user-show test
>   User login: test
>   First name: test
>   Last name: test
>   Home directory: /home/test
>   Login shell: /bin/sh
>   Principal name: t...@mydomain.com <mailto:t...@mydomain.com>
>   Principal alias: t...@mydomain.com <mailto:t...@mydomain.com>
>   Email address: t...@mydomain.com <mailto:t...@mydomain.com>
>   UID: 152200001
>   GID: 152200001
>   User authentication types: otp, password
>   Account disabled: False
>   Password: True
>   Member of groups: trust admins, ipausers, admins
>   Kerberos keys available: True
> I can login into ipa-client.mydomain.com
> <http://ipa-client.mydomain.com> to ssh using password+otp token, but
> for login to IPA Web UI I also need password+otp. I need just password
> for IPA Web UI and password+otp token for ssh on ipa-client.mydomain.com
> <http://ipa-client.mydomain.com>.
It's currently not possible to use password-only login when both 2FA and
password-only are enabled for a user. It's a limitation of the web UI. I
filed a bug report to track the issue, https://pagure.io/freeipa/issue/7068


Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander

Attachment: signature.asc
Description: OpenPGP digital signature

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to