Hello the list, I think this is the last thing to make our terrible user management model work.
With a helpdesk role via the REST API we can reset a users password, which is expired, because this is the right thing to do. These users are expected to log into a node with 2FA using an OTP token generated by FreeIPA. This works if a user has a valid password and a token. This is the only machine they have access to, as it’s they lander node. They can not reach the FreeIPA web interface. They can use the FreeIPA API via our customer management system (CMS) either as them self or as a helpdek agent on their behalf. The CMS auth is SAML via federated shibboleth, so does not use our FreeIPA credentials. However, we have few use cases we need to work: Can a user generate an OTP token when their password is expired? Can a a user reset their password when they do not have an OTP token? Can a user reset their password when they can’t log in to get the secret from thier OTP token? I think the shortest routes would be: - if a user could reset an expired password via the FreeIPA API, then use the otptoken_add method to create one all via our CMS. - if a user could reset thier password at the ssh login prompt if they have no token or don’t have thier token. Then add a token via our CMS. Regards, Aaron Get Outlook for iOS<https://aka.ms/o0ukef>
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
