On Пан, 12 лют 2024, G H via FreeIPA-users wrote:
I am using SSSD in LDAP-only mode (no kerberos at all), communicating
with FreeIPA. For certain hosts, I want to require sssd to demand OTP.
Right now, they are allowing password OR password+OTP. But my 'ipa
show-host' output for the hosts in question have "Authentication
Indicators: otp". What do I need to do for sssd to only accept
password+OTP ?
Authentication indicators are Kerberos-only.
The way to enforce OTP use by the LDAP client during bind is by adding a
control OTP_REQUIRED_OID (2.16.840.1.113730.3.8.10.7) during LDAP SASL
bind like how ipa-otpd daemon does:
LDAPControl control = { OTP_REQUIRED_OID, {}, true };
LDAPControl *ctrls[] = { &control, NULL };
...
cred.bv_val = data->data;
cred.bv_len = data->length;
i = ldap_sasl_bind(verto_get_private(ev), item->user.dn, LDAP_SASL_SIMPLE,
&cred, ctrls, NULL, &item->msgid);
I don't think it is possible to do so by SSSD as it is.
I have a proposal https://github.com/freeipa/freeipa/pull/7200 that
enforces OTP over *all* LDAP binds server-side, by effectively assuming
this OID is present always in any client LDAP bind.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
