Hello the list,
I think this is the last thing to make our terrible user management model work.
With a helpdesk role via the REST API we can reset a user's password, which is
expired, because this is the right thing to do.
These users are expected to log into a node with 2FA using an OTP token
generated by FreeIPA. This works if a user has a valid password and a token.
This is the only machine they have access to, as it's their lander node. They
can not reach the FreeIPA web interface. They can use the FreeIPA API via our
customer management system (CMS) either as themselves or as a helpdesk agent on
their behalf. The CMS auth is SAML via federated shibboleth, so does not use
our FreeIPA credentials.
However, we have a few use cases we need to work:
Can a user generate an OTP token when their password is expired?
Can a user reset their password when they do not have an OTP token?
Can a user reset their password when they can't log in to get the secret from
their OTP token?
I think the shortest routes would be:
- If a user could reset an expired password via the FreeIPA API, then use the
otptoken_add method to create one, all via our CMS.
- If a user could reset their password at the ssh login prompt when they have no
token or don't have their token, then add a token via our CMS.
FreeIPA-users mailing list -- email@example.com
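The first "shortest route" above, driven as a client against FreeIPA's HTTP endpoints, as an added example that is not part of the original post: an expired password is changed through the session-less change_password form, the new password is used to log in, and otptoken_add is called over JSON-RPC. The host name, the user and the ordering of the two steps are assumptions; whether the account is allowed to log in with a password alone before it owns a token is exactly the open question in the post, so step 2 may be refused by a server configured to require OTP.

```python
"""Two-step route from the post: reset an expired password, then enroll a
TOTP token for the same user over FreeIPA's JSON-RPC API.
IPA_HOST and the user names are placeholders, not values from the post."""
import json
import urllib.parse
import urllib.request

IPA_HOST = "ipa.example.test"  # placeholder FreeIPA server


def change_password_form(user, old_password, new_password):
    """Form body for /ipa/session/change_password. This endpoint needs no
    session, which is what allows an expired password to be changed before
    any authenticated API call can succeed."""
    return urllib.parse.urlencode(
        {"user": user, "old_password": old_password, "new_password": new_password}
    ).encode()


def otptoken_add_rpc(owner, token_type="totp"):
    """JSON-RPC body for otptoken_add: an empty positional list lets the
    server choose the token id; the owner and type are named options."""
    return {
        "method": "otptoken_add",
        "params": [[], {"ipatokenowner": owner, "type": token_type}],
        "id": 0,
    }


def _post(path, body, headers, opener):
    req = urllib.request.Request(f"https://{IPA_HOST}{path}", data=body, headers=headers)
    with opener.open(req) as resp:
        return resp.read().decode()


def reset_and_enroll(user, old_password, new_password):
    """Run both steps; returns the otptoken_add result, whose 'uri' field is
    the otpauth:// secret the user loads into an authenticator app."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    referer = f"https://{IPA_HOST}/ipa"  # FreeIPA rejects requests without it
    form = {"Content-Type": "application/x-www-form-urlencoded", "Referer": referer}
    # Step 1: session-less expired-password change.
    _post("/ipa/session/change_password",
          change_password_form(user, old_password, new_password), form, opener)
    # Step 2: password login; assumes the account may authenticate with a
    # password alone while it has no token. The ipa_session cookie is kept.
    _post("/ipa/session/login_password",
          urllib.parse.urlencode({"user": user, "password": new_password}).encode(),
          form, opener)
    rpc = {"Content-Type": "application/json", "Accept": "application/json",
           "Referer": referer}
    reply = _post("/ipa/session/json", json.dumps(otptoken_add_rpc(user)).encode(),
                  rpc, opener)
    return json.loads(reply)["result"]["result"]
```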