Hello the list,

I think this is the last thing to make our terrible user management model work.

With a helpdesk role via the REST API we can reset a users password, which is 
expired, because this is the right thing to do.

These users are expected to log into a node with 2FA using an OTP token 
generated by FreeIPA. This works if a user has a valid password and a token. 
This is the only machine they have access to, as it’s they lander node. They 
can not reach the FreeIPA web interface. They can use the FreeIPA API via our 
customer management system (CMS) either as them self or as a helpdek agent on 
their behalf. The CMS auth is SAML via federated shibboleth, so does not use 
our FreeIPA credentials.

However, we have few use cases we need to work:

Can a user generate an OTP token when their password is expired?

Can a a user reset their password when they do not have an OTP token?

Can a user reset their password when they can’t log in to get the secret from 
thier OTP token?

I think the shortest routes would be:

- if a user could reset an expired password via the FreeIPA API, then use the 
otptoken_add method to create one all via our CMS.

- if a user could reset thier password at the ssh login prompt if they have no 
token or don’t have thier token. Then add a token via our CMS.



Get Outlook for iOS<https://aka.ms/o0ukef>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to