Thank you for the reply, Martin.

This is what I'd expected, even though I was hoping for a workaround. ;-)
The per-service OTP is a hot button for us, as well as sudo.
For now, we'll go the PrivacyIDEA + RADIUS route for OTP, and look
forward to all the future awesomeness!


On 7/24/15, 1:43 AM, "Martin Kosek" <> wrote:

>On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
>> I'm planning our implementation of IdM/IPA, and I'm unclear about how I
>>can implement IPA's OTP for privileged access.
>> I need to be able to set up systems so:
>>   * accounts can auth using traditional userid/password
>>   * privileged access (sudo) requires OTP
>> We've done some testing, injecting a 3rd party OTP solution
>>(PrivacyIDEA) into the mix. This seems to work. But, if I can make IPA's
>>built-in mojo work, I'd prefer to keep it all in the family.
>Hello Kurt,
>FreeIPA OTP cannot be configured at the moment to only require OTP in
>services. We plan this for the future
>(, but we are not there yet.
>Sudo is different though as it is not a classic Kerberos service per se,
>policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and
>Nathaniel, to see if they know about any hack allowing this.
