On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
I'm planning our implementation of IdM/IPA, and I'm unclear about how I can 
implement IPA's OTP for privileged access.

I need to be able to set up systems so:
  * accounts can auth using traditional userid/password
  * privileged access (sudo) requires OTP

We've done some testing, injecting a 3rd party OTP solution (PrivacyIDEA) into 
the mix. This seems to work. But, if I can make IPA's built-in mojo work, I'd 
prefer to keep it all in the family.

Hello Kurt,

FreeIPA OTP cannot be configured at the moment to only require OTP in some services. We plan this for the future (https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.

Sudo is different, though, as it is not a classic Kerberos service per se; this policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and Nathaniel, to see if they know about any hack allowing this.
