> On May 18, 2015, at 04:31, Martin Kosek <mko...@redhat.com> wrote:
>> On 05/18/2015 01:49 AM, Janelle wrote:
>>> On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
>>>> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
>>>>> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>>>>>> On 04/17/2015 08:07 PM, Janelle wrote:
>>>>>> On Apr 17, 2015, at 16:36, Dmitri Pal <d...@redhat.com> wrote:
>> <snip> for shorter thread....
>>>>>> Simple. And my test made it simple.
>>>>>> Stand up new vm running fc21/freeipa.
>>>>>> Configure user.
>>>>>> Add password.
>>>>>> Add token.
>>>>>> Login to the vm with the user created using password. Kerberos
>>>>>> ticket assigned, all is well.
>>>>>> Login to web interface with admin. Change user to OTP only.
>>>>>> Go to web UI and click sync OTP.
>>>>>> Enter username, password and 2 OTP sequences. Click sync. Error
>>>>>> appears.
>>>>>> Now, ssh to same vm using OTP username. Enter password + OTP
>>>>>> value.
>>>>>> Login successful.
>>>>> I can reproduce this issue with demo instance.
>>>>> I will file a bug later today.
>>>>> I think it is a bug with sync.
>>>>> Which token do you use time based or event based?
>>>> TOTP...
>>>> Hmm, makes me wonder - will HOTP fail the same? Off to try it.
>>> This should just affect TOTP. I have posted a patch that should fix
>>> this problem. Are you able to test it?
>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
>> Sorry - I just got around to testing this and it does resolve the problem -
>> HOWEVER, you took away the ability to "Name" the tokens? They are now
>> "assigned" unique IDs??
>> Was this intentional?
> It was, we track this (half-done) change in this ticket:
> https://fedorahosted.org/freeipa/ticket/4456
> The main problem here is that user token names share the same name space and we
> thus do not want to create completely arbitrary names as they would collide.
> Applications like FreeOTP allow users to set own labels, so this is IMO the way
> how to add friendly names to the OTP tokens.
> Martin

Makes sense, my only concern is syncing tokens.  Once you add a second token 
and want to sync it you have to give it a token ID, otherwise it does not know 
which to sync. In the past if you named it, that was easy, but it does not seem 
to take description field as a token name. Guess I need to tell my users it is 
cut/paste time, or is there another option perhaps?

Also, I was wondering, looking for a way to use both FreeOTP and yubikey and 
wondering if anyone has tried this and possible caveats?

