On Sat, 25 Jan 2025, Liam Price via FreeIPA-users wrote:
> Hey all, I am having some trouble with LDAP based authentication
> following a recent patch to our IPA server.
> We are running CentOS Stream 9 with the current IPA server version
> being 4.12.2-6.el9. yum is trying to upgrade us to 4.12.2-9.el9, so not
> a major version upgrade or anything.
> We use pfSense as a firewall & VPN server that uses an LDAP bind to
> authenticate users against the IPA server. 2FA is then used for
> authenticating to systems with a password where KRB is used, but is not
> enforced for the VPN level as it uses LDAP, where previously MFA was
> not possible.
> Following the patch, we noticed users were unable to authenticate
> unless 2FA was provided. Reading into this, it seems to be because of
> the "EnforceLDAPOTP" setting being enforced; however, this is not
> present in our configuration:
> ipa config-mod --delattr ipaconfigstring=EnforceLDAPOTP
> ipa: ERROR: ipaconfigstring does not contain 'EnforceLDAPOTP'
Can you give more details about how these users are configured and how
this VPN server is binding to LDAP exactly?
There has been a bug in the implementation that forcibly applied 2FA
requirements to all LDAP binds, including non-users (services).
For more details about the issue see https://pagure.io/freeipa/issue/9711
> We noted the release notes for 4.12.2 changed the behaviour of how LDAP
> behaves with OTP, however we are already on 4.12.2, so expected this to
> already be enforced. Has anyone else experienced any issues with this
> or could provide more detail?
The upstream issue 9711 has been fixed in a combined RHEL 9.5.z security
update last week, https://access.redhat.com/errata/RHSA-2025:0334
I can see that CentOS Stream 9 update ipa-4.12.2-9.el9 has this fix.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
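An added check script (not from either poster, and not FreeIPA's own tooling) that turns the two facts established in this thread into a quick triage on an IPA server: the fix for issue 9711 ships in ipa-server 4.12.2-9.el9, and the intended switch is EnforceLDAPOTP in ipaconfigstring. It assumes GNU sort -V is available, that `ipa config-show --all --raw` prints an `ipaconfigstring:` line, and uses placeholder hostnames and DNs.

```shell
#!/bin/sh
# Added example: classify whether password-only LDAP simple binds (the kind
# pfSense performs) should be demanding an OTP on this IPA server.

FIXED_VR="4.12.2-9.el9"   # build named in the thread as carrying the 9711 fix

# Return 0 if version-release $1 is at least $2 (GNU sort -V does the ordering).
vr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
    [ "$lowest" = "$2" ]
}

# Return 0 if the captured `ipa config-show --all --raw` text in $1 sets
# EnforceLDAPOTP (assumed output format: one "ipaconfigstring: ..." line).
enforce_ldap_otp_set() {
    printf '%s\n' "$1" | grep -qi '^ipaconfigstring:.*EnforceLDAPOTP'
}

# $1 = installed ipa-server version-release, $2 = config-show output.
# Prints ENFORCED-BY-CONFIG, FIXED-NOT-ENFORCED, or UNFIXED-BUILD.
ldap_otp_status() {
    if enforce_ldap_otp_set "$2"; then
        echo ENFORCED-BY-CONFIG      # OTP on LDAP binds is intended here
    elif vr_at_least "$1" "$FIXED_VR"; then
        echo FIXED-NOT-ENFORCED      # fixed build, no config: expect plain binds
    else
        echo UNFIXED-BUILD           # older than the fixed build; see issue 9711
    fi
}

# Live check when run on the IPA server itself; silently skipped elsewhere.
if command -v rpm >/dev/null 2>&1 && command -v ipa >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' ipa-server 2>/dev/null) || installed="0"
    cfg=$(ipa config-show --all --raw 2>/dev/null) || cfg=""
    echo "ipa-server $installed: $(ldap_otp_status "$installed" "$cfg")"
fi

# Reproduce the password-only simple bind the VPN does, over StartTLS, so a
# failure here with a correct password points at OTP being demanded.
# Usage (placeholder host/DN): ldap_simple_bind_ok ipa.example.test \
#   'uid=vpnsvc,cn=users,cn=accounts,dc=example,dc=test'   (prompts for password)
ldap_simple_bind_ok() {
    ldapwhoami -x -ZZ -H "ldap://$1" -D "$2" -W >/dev/null
}
```

Run ldap_simple_bind_ok with your own service account before and after applying the 4.12.2-9.el9 update to confirm the behaviour change described in the thread.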
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue