On Mon, 2015-05-18 at 07:59 -0500, Janelle wrote:
> 
> On May 18, 2015, at 04:31, Martin Kosek <[email protected]> wrote:
> > 
> > On 05/18/2015 01:49 AM, Janelle wrote:
> > > On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
> > > > On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
> > > > > On 4/17/15 5:59 PM, Dmitri Pal wrote:
> > > > > > On 04/17/2015 08:07 PM, Janelle wrote:
> > > > > > > 
> > > > > > > On Apr 17, 2015, at 16:36, Dmitri Pal <[email protected]> wrote:
> > > > > > > 
> > > > > > > <snip> for shorter thread....
> > > > > > > 
> > > > > > > Simple. And my test made it simple.
> > > > > > > Stand up new vm running fc21/freeipa.
> > > > > > > Configure user.
> > > > > > > Add password.
> > > > > > > Add token.
> > > > > > > 
> > > > > > > Login to the vm with the user created using password. Kerberos ticket assigned, all is well.
> > > > > > > 
> > > > > > > Login to web interface with admin. Change user to OTP only.
> > > > > > > Go to web UI and click sync OTP.
> > > > > > > Enter username, password and 2 OTP sequences. Click sync. Error appears.
> > > > > > > 
> > > > > > > Now, ssh to same vm using OTP username. Enter password + OTP value.
> > > > > > > Login successful.
> > > > > > 
> > > > > > I can reproduce this issue with demo instance.
> > > > > > I will file a bug later today.
> > > > > > I think it is a bug with sync.
> > > > > > Which token do you use, time based or event based?
> > > > > 
> > > > > TOTP...
> > > > > 
> > > > > Hmm, makes me wonder - with HOTP fail the same? Off to try it.
> > > > 
> > > > This should just affect TOTP. I have posted a patch that should fix this problem. Are you able to test it?
> > > > 
> > > > https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
> > > 
> > > Sorry - I just got around to testing this and it does resolve the problem - HOWEVER, you took away the ability to "Name" the tokens? They are now "assigned" unique IDs??
> > > 
> > > Was this intentional?
> > 
> > It was, we track this (half-done) change in this ticket:
> > https://fedorahosted.org/freeipa/ticket/4456
> > 
> > The main problem here is that user token names share the same name space and we thus do not want to create completely arbitrary names as they would collide.
> > 
> > Applications like FreeOTP allow users to set own labels, so this is IMO the way how to add friendly names to the OTP tokens.
> > 
> > Martin
> 
> Makes sense, my only concern is syncing tokens. Once you add a second token and want to sync it you have to give it a token ID, otherwise it does not know which to sync. In the past if you named it, that was easy, but it does not seem to take description field as a token name. Guess I need to tell my users it is cut/paste time, or is there another option perhaps?

You do not need to specify the token id when syncing. It is optional. If you leave it blank, FreeIPA will do the right thing.

> Also, I was wondering, looking for a way to use both FreeOTP and yubikey and wondering if anyone has tried this and possible caveats?

There shouldn't be any caveats. Yubikey is just an HOTP token.

Nathaniel

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
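The thread turns on what the "sync OTP" form has to do with the two consecutive codes it collects, why the bug was specific to TOTP, and why the token ID can be left blank. The following is an added example written for this page, not FreeIPA's code or its OTP plugin: it implements RFC 4226 HOTP (HMAC-SHA1, 6 digits) and TOTP over 30-second steps, then resynchronises an event-based token by searching forward from its stored counter and a time-based token by searching the clock drift in both directions, and finally tries every token a user owns so that no token ID is needed. The `Token` dataclass, the token IDs, the secrets (the RFC 4226 Appendix D test secret plus one constructed string) and the window sizes are all assumptions for the illustration.

```python
"""Added example (not FreeIPA's own code): OTP resync from two consecutive codes.

Assumptions: RFC 4226 HOTP with HMAC-SHA1 and 6 digits; RFC 6238 TOTP is HOTP
over floor(unix_time / 30); the look-ahead and drift windows are illustrative.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DIGITS = 6
PERIOD = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, period: int = PERIOD) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, int(now // period))


def resync_hotp(secret: bytes, stored_counter: int, first: str, second: str,
                look_ahead: int = 100) -> Optional[int]:
    """Event-based token (e.g. a YubiKey in HOTP mode) pressed off-line.

    Only searches forward from the stored counter: accepting a pair behind it
    would let an attacker replay two old codes. Returns the next counter the
    server should expect after consuming both codes, or None on no match.
    """
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), first) and \
           hmac.compare_digest(hotp(secret, c + 1), second):
            return c + 2
    return None


def resync_totp(secret: bytes, first: str, second: str, now: float,
                window: int = 20, period: int = PERIOD) -> Optional[int]:
    """Time-based token whose clock has drifted.

    The two codes must come from adjacent time steps; the drift is searched in
    both directions because the token clock may be ahead or behind the server.
    Returns the drift in steps (to be stored and applied at later logins), or None.
    """
    base = int(now // period)
    for drift in range(-window, window + 1):
        step = base + drift
        if hmac.compare_digest(hotp(secret, step), first) and \
           hmac.compare_digest(hotp(secret, step + 1), second):
            return drift
    return None


@dataclass
class Token:
    """Constructed token record: assumed shape, not FreeIPA's LDAP schema."""
    kind: str            # "hotp" or "totp"
    secret: bytes
    counter: int = 0     # hotp only


def resync_user(tokens: Dict[str, Token], first: str, second: str,
                now: float) -> Optional[Tuple[str, int]]:
    """Try every token the user owns, so the client need not name one.

    Returns (token_id, new_counter_or_drift) for the first token whose secret
    reproduces the submitted pair, or None if no token matches.
    """
    for token_id, tok in tokens.items():
        if tok.kind == "hotp":
            result = resync_hotp(tok.secret, tok.counter, first, second)
        else:
            result = resync_totp(tok.secret, first, second, now)
        if result is not None:
            return token_id, result
    return None


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 4226 Appendix D secret
    tokens = {                                     # constructed IDs and secrets
        "token-a1b2c3": Token("totp", rfc_secret),
        "token-d4e5f6": Token("hotp", b"constructed secret 2", counter=3),
    }
    now = time.time()
    slow_clock = now - 6 * PERIOD                  # TOTP token running 3 min slow
    print(resync_user(tokens, totp(rfc_secret, slow_clock),
                      totp(rfc_secret, slow_clock + PERIOD), now))
```

The forward-only search in `resync_hotp` is the check a practitioner will want to keep: a resync endpoint that accepts a pair of codes from before the stored counter quietly reopens replay. For TOTP the search is symmetric, and the recovered drift should be persisted per token rather than widening the login window for everyone.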
