On 04/17/2015 11:21 PM, Janelle wrote:
On 4/17/15 5:59 PM, Dmitri Pal wrote:
On 04/17/2015 08:07 PM, Janelle wrote:
On Apr 17, 2015, at 16:36, Dmitri Pal <d...@redhat.com
On 04/17/2015 04:52 PM, Janelle wrote:
On 4/17/15 1:19 PM, Dmitri Pal wrote:
On 04/17/2015 01:20 PM, Janelle wrote:
I am not sure I get what you are saying. Do you still see the
problem or did you misinterpret the UI and now the problem is gone?
If you did, is there any recommendation how to improve the UI not
to confuse people?
On 4/17/15 9:53 AM, Dmitri Pal wrote:
It appears to be the UI. If I go through the steps and let it
"fail", I can still login using OTP to servers. I made the
assumption that the error itself was not an error.. :-)
On 04/17/2015 11:16 AM, Janelle wrote:
Is anyone else having issues with OTP since upgrading? For the
life of me I can't get it to accept "Sync" for the tokens. No
matter what is put in, it just keeps saying the username,
password or tokens entered are incorrect.
To make it simple - I am trying this on a brand new CentOS 7.1
system with a clean/fresh install of FreeIPA 4.1.4 and yet it
just refuses to work.
I create a user -- configure them. They work just fine with a
password. Then add a token. Sync with FreeOTP and that all
works. Then I go back to the web UI and do Sync OTP and it
simply refuses to accept any values. And yet the same user can
login to the regular web UI with their password.
I have tried setting the user to both Password and OTP for
auth methods. And also just OTP and nothing works.
Please look in the logs to see what is going on.
You would need to look at the KDC, http and DS logs on the
server to sort out what is going on.
Do you change the password for the user first after creating him?
Can you reproduce the problem with demo instance?
If you can then we can take a look at the logs right away.
Hints? Am I missing a step?
The problem exists -- this is what it shows:
HOWEVER, it is still WORKING. Meaning, even if you get this error,
if you attempt to login with your FreeOTP token, it WORKS.
Does it give you this error when you use password or password and
Can you please describe the flow of steps in more details?
I start browser, go here, click here, enter this, etc.
Are you using SSSD to login to servers? Is SSSD configured with IPA
provider or you configured it for LDAP manually. There is a
difference between LDAP and Kerberos authentication.
Maybe the following article will help you to understand the
I suspect it is some combination of flags and protocols that is
Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Login to the vm with the user created using password. Kerberos
ticket assigned, all is well.
Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP.
Enter username, password and 2 OTP sequences. Click sync. Error appears.
Now, ssh to same vm using OTP username. Enter password + OTP value.
I can reproduce this issue with demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use time based or event based?
Hmm, makes me wonder - will HOTP fail the same? Off to try it.
PS - is there a way to sync a token from command line? I can't think
of a way, but maybe...
Yes, there is a command line. But you do not really need to sync it. So
far it works without syncing as you have noticed.
It seems that the bug is with TOTP token. With HOTP token it seems to
I filed a ticket
I also filed another ticket
And another one
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.