Thank you for the reply, Martin. This is what I'd expected, even though I was hoping for a workaround. ;-) The per-service OTP is a hot button for us, as well as sudo. For now, we'll go the PrivacyIDEA + RADIUS route for OTP, and look forward to all the future awesomeness!
-Kurt

On 7/24/15, 1:43 AM, "Martin Kosek" <mko...@redhat.com> wrote:

>On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
>> I'm planning our implementation of IdM/IPA, and I'm unclear about how I
>> can implement IPA's OTP for privileged access.
>>
>> I need to be able to set up systems so:
>> * accounts can auth using traditional userid/password
>> * privileged access (sudo) requires OTP
>>
>> We've done some testing, injecting a 3rd party OTP solution
>> (PrivacyIDEA) into the mix. This seems to work. But, if I can make IPA's
>> built-in mojo work, I'd prefer to keep it all in the family.
>
>Hello Kurt,
>
>FreeIPA OTP cannot be configured at the moment to only require OTP in
>some services. We plan this for the future
>(https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.
>
>Sudo is different though as it is not a classic Kerberos service per se,
>this policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and
>Nathaniel, to see if they know about any hack allowing this.
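As an added illustration of the "enforce it in sudo itself" route Martin describes and the PrivacyIDEA + RADIUS path Kurt settles on (this is example configuration, not from the thread, FreeIPA or privacyIDEA): a RHEL-style PAM stack for sudo that keeps the normal IPA password via system-auth/SSSD and then additionally requires a one-time code checked over RADIUS, assuming pam_radius_auth is installed and a privacyIDEA host name that is a placeholder.

```text
# /etc/pam.d/sudo  (assumed RHEL/Fedora layout; added example)
#%PAM-1.0
# First factor: the regular IPA password through system-auth (pam_sss).
# Use "substack", not "include": a 'sufficient' module inside system-auth
# would otherwise end the whole auth stack with success before the OTP
# line below is ever reached, silently dropping the second factor.
auth     substack   system-auth
# Second factor: one-time code verified by the RADIUS server (privacyIDEA).
# "required" means a failed or missing OTP fails sudo even if step one passed.
auth     required   pam_radius_auth.so
account  include    system-auth
password include    system-auth
session  include    system-auth

# /etc/raddb/server  (pam_radius_auth server list: host[:port]  secret  timeout)
# Placeholder host and secret; the file holds the shared secret, so keep it
# root-owned with mode 0600.
privacyidea.example.com:1812    REPLACE-WITH-SHARED-SECRET    3
```

Two checks before relying on this: sudoers rules with NOPASSWD or !authenticate never call PAM at all, so they bypass the OTP step entirely, and sudo's timestamp_timeout caches a successful authentication, so the second factor is only asked for once per cache window.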