Hi All,

Since updating to CentOS 7.4/FreeIPA 4.5 (from 7.3/4.4) I have seen the following fault.

IPA user accounts using password+OTP will authenticate *without OTP (only)* when using an interim LDAP BIND configuration. To clarify, I am specifically talking about a Cisco ASA device, using a password-only LDAP sysaccount bind user, using the binding to authenticate user VPN logins which all use password+OTP. Logins are only authenticated when no OTP is present. All other authentications (SSSD/UI) for the same user work normally and enforce the use of the appended OTP code.

Does anyone have any ideas for debugging this situation?

Thanks,
Callum

--
Callum Guy
Head of Information Security
X-on