Hey all, I am having some trouble with LDAP-based authentication following a recent patch to our IPA server.

We are running CentOS Stream 9 with the current IPA server version being 4.12.2-6.el9. yum is trying to upgrade us to 4.12.2-9.el9, so not a major version upgrade or anything.

We use pfSense as a firewall and VPN server that uses an LDAP bind to authenticate users against the IPA server. 2FA is then used for authenticating to systems with a password where KRB is used, but it is not enforced at the VPN level as that uses LDAP, where previously MFA was not possible.

Following the patch, we noticed users were unable to authenticate unless 2FA was provided. Reading into this, it seems to be because of the "EnforceLDAPOTP" setting being enforced; however, this is not present in our configuration:

    ipa config-mod --delattr ipaconfigstring=EnforceLDAPOTP
    ipa: ERROR: ipaconfigstring does not contain 'EnforceLDAPOTP'

We noted that the 4.12.2 release notes describe a change in how LDAP behaves with OTP; however, we are already on 4.12.2, so we expected this to already be enforced.

Has anyone else experienced any issues with this or could provide more detail?

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
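The question above turns on which of two LDAP simple binds the IPA server accepts for an OTP-enabled user: the password alone (what pfSense sends) or the password with the token code appended (IPA's convention for OTP over password-based protocols). The following probe is an added example written for this post, not code from the poster, pfSense or the FreeIPA project. It hand-rolls an LDAPv3 BindRequest/BindResponse (RFC 4511) so it runs without python-ldap, and it assumes LDAPS on port 636 with a certificate the client trusts, a user DN of the usual IPA shape (uid=...,cn=users,cn=accounts,dc=...), and that the OTP code is appended directly to the password. It does not consult or change ipaconfigstring; it only reports what the directory server actually does with each bind.

```python
"""Probe whether an IPA LDAP server accepts password-only or password+OTP simple binds.

Added example (not FreeIPA or pfSense code). Encodes a minimal LDAPv3
BindRequest and decodes the BindResponse by hand (RFC 4511, BER/DER), so the
encoder/decoder can be exercised offline and the network probe needs no
third-party LDAP library.
"""
import getpass
import socket
import ssl
import sys

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id: int, dn: str, secret: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, secret.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))


def bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    """Constructed server reply, used only for offline testing of the decoder."""
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x61, body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(raw: bytes):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, msg, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg, 0)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp, 0)       # resultCode ENUMERATED
    _, _matched, pos = read_tlv(resp, pos)  # matchedDN
    _, diag, _ = read_tlv(resp, pos)       # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def probe(host: str, dn: str, secret: str, port: int = 636, timeout: float = 5.0) -> int:
    """Perform one simple bind over LDAPS and return the server's resultCode."""
    ctx = ssl.create_default_context()     # assumes the IPA CA is trusted by this host
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, dn, secret))
        return parse_bind_response(tls.recv(4096))[0]  # a BindResponse fits in one read


def classify(pw_only: int, pw_otp: int) -> str:
    """Interpret the pair of resultCodes from the two probes."""
    if pw_only == LDAP_SUCCESS:
        return "password-only bind accepted: OTP is not enforced for LDAP binds"
    if pw_only == LDAP_INVALID_CREDENTIALS and pw_otp == LDAP_SUCCESS:
        return "password-only bind rejected, password+OTP accepted: OTP is enforced for LDAP binds"
    return "both binds failed (%d, %d): check DN, password and token before drawing conclusions" % (pw_only, pw_otp)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <ipa-host> <user-dn>" % sys.argv[0])
    host, dn = sys.argv[1], sys.argv[2]
    password = getpass.getpass("password: ")
    otp = getpass.getpass("current OTP code: ")
    print(classify(probe(host, dn, password), probe(host, dn, password + otp)))
```

Run it against the IPA server as the affected user before and after the 4.12.2-9 upgrade (or against one replica on each build); the first line of output tells you directly whether the directory server, rather than pfSense or the user, is rejecting the password-only bind.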
