Ugh. It doesn't look like we can do this until this patch happens. The actual authentication would use DUO. Since that requires the user to respond, the delay could be significant. 10 sec is definitely not enough.

This looks like a client patch. We're using Ubuntu for our clients. (RHEL for the KDCs.) We have purchased support, but the PO is waiting in Purchasing. So I may be able to help get it into Ubuntu.

________________________________
From: Alexander Bokovoy <[email protected]>
Sent: Monday, February 12, 2024 2:45 PM
To: FreeIPA users list <[email protected]>
Cc: Charles Hedrick <[email protected]>
Subject: Re: [Freeipa-users] reliability of external radius

On Mon, 12 Feb 2024, Charles Hedrick via FreeIPA-users wrote:
>Currently our department uses passwords in IPA, with a few users using
>OTP. I'm considering using a University radius server for most users.
>Are there reliability implications? My concern is what happens if the
>radius server is slow to respond or even is down. I'd like users with
>accounts in IPA to still work, and I'd hope things would survive
>conditions of slow response.

There is one potential issue that we fixed recently in MIT Kerberos:
https://github.com/krb5/krb5/pull/1318

It is not yet part of any release. If you have a RHEL subscription, making it known to the RHEL support organization might help to get this fix out faster.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
