Thank you for the reply, Martin.
This is what I'd expected, even though I was hoping for a workaround. ;-)
The per-service OTP is a hot button for us, as well as sudo.
For now, we'll go the PrivacyIDEA + RADIUS route for OTP, and look
forward to all the future awesomeness!
On 7/24/15, 1:43 AM, "Martin Kosek" <mko...@redhat.com> wrote:
>On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
>> I'm planning our implementation of IdM/IPA, and I'm unclear about how I
>> can implement IPA's OTP for privileged access.
>> I need to be able to set up systems so:
>> * accounts can auth using traditional userid/password
>> * privileged access (sudo) requires OTP
>> We've done some testing, injecting a 3rd party OTP solution
>> (PrivacyIDEA) into the mix. This seems to work. But, if I can make IPA's
>> built-in mojo work, I'd prefer to keep it all in the family.
>FreeIPA OTP cannot be configured at the moment to only require OTP in
>services. We plan this for the future
>(https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.
>Sudo is different though as it is not a classic Kerberos service per se,
>policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and
>Nathaniel, to see if they know about any hack allowing this.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
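The arrangement Kurt describes (plain userid/password for ordinary logins, OTP only for sudo, with the OTP supplied by PrivacyIDEA over RADIUS) is enforced in the PAM stack of the sudo service rather than anywhere in FreeIPA, which is also why Martin points at sudo/SSSD instead of the KDC. The following PAM fragment is an added illustration of that split and is not from the thread, from FreeIPA or from PrivacyIDEA; it assumes the pam_radius_auth module is installed, that PrivacyIDEA is already reachable as a RADIUS server validating the OTP, and that the stack follows the RHEL-style `system-auth` include convention. The RADIUS host name, shared secret and the server-list path are placeholders to adjust for your distribution.

```text
# /etc/pam.d/sudo   (illustrative, RHEL/CentOS-style stack; not from the thread)
#
# The RADIUS step is added ONLY to the sudo service. /etc/pam.d/sshd and
# /etc/pam.d/login are left untouched, so interactive logins still use the
# normal IPA password via system-auth (pam_sss), while sudo additionally
# demands the OTP that PrivacyIDEA validates over RADIUS.
#%PAM-1.0
# first prompt: the OTP, sent to the RADIUS server; a reject fails sudo
auth       required     pam_radius_auth.so
# second prompt: the regular IPA password check (pam_sss via system-auth)
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

# /etc/raddb/server   (pam_radius_auth server list; module default path,
#                      some distributions use /etc/pam_radius.conf instead)
# server[:port]                     shared_secret             timeout_seconds
privacyidea.example.internal:1812   CHANGE_ME_SHARED_SECRET   3
```

To check the result, run `sudo -k` followed by `sudo -i` as an IPA user on the host: you should be prompted twice, first for the OTP and then for the account password, while `ssh` to the same host still asks for the password alone. Two caveats a deployment like this has to watch: a sudo rule that carries the `!authenticate` option (in a FreeIPA sudo rule or as NOPASSWD in a local sudoers file) never runs the PAM auth stack at all, so the OTP requirement only holds for rules that do not grant it; and the RADIUS shared secret protects a UDP exchange, so the path between the hosts and the PrivacyIDEA server should be a trusted or tunnelled network segment.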