On 04/29/2016 12:37 PM, Prashant Bapat wrote:
> Hi Petr,
> Thanks for the response. But my question was more towards the cases where
> there is a slight delay between entering the OTP in the web UI and it reaching the IPA
> server. This actually can happen with ANY time window.
> There are a couple of scenarios.
> 1. Network delays.
> 2. User enters the OTP token and takes a few seconds before pressing submit.
> 3. User has to enter OTP first and then the password. This is the case when
> changing password in IPA at the moment when OTP is on.
Actually the password change scenario is:
1. oldpassword + otp
2. old password + otp2 + new password + confirm new password
> Is there a way to make IPA honor either the current token (obviously!) or 1
> elapsed token?
Actually it may be done this way, but I'm not sure.
> This will go a long way in making FreeIPA's OTP implementation much more
Either way, as I said in the previous mail, try HOTP tokens. They don't
use time windows and therefore the above is not an issue.
> On 25 April 2016 at 21:48, Petr Vobornik <pvobo...@redhat.com
> <mailto:pvobo...@redhat.com>> wrote:
> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> > We have been using the OTP feature of FreeIPA extensively for users to log in to
> > the web UI. Now we are rolling out an external service using the LDAP
> > authentication based on FreeIPA and OTP.
> > End users typically log in rarely to the web UI. Only to update their SSH keys
> > once in 90 days.
> > However, to the new service based on FreeIPA's LDAP they would be logging in
> > multiple times daily.
> > Here is an observation: FreeIPA's OTP mechanism is very stringent in requiring
> > the current token to be inside the 30 second window. Because of this there might
> > be a sizable percentage of users who will have to retry login. Obviously, this
> > is a bad user experience.
> > As per the RFC-6238 <http://www.rfc-base.org/txt/rfc-6238.txt> section 5.2, we
> > could allow 1 time step and make the user experience better.
> > Can this be done by changing a config or does it involve a
> > Any pointers to this appreciated.
> > Thanks.
> > --Prashant
> FreeIPA works with both time-based OTP tokens (TOTP) and counter-based
> OTP tokens (HOTP). TOTP uses a 30s time interval by default. The administrator
> can set a custom clock interval during creation of a token, but the
> self-service Web UI doesn't show this option. Users can still use it in the
> CLI though.
> An alternative is HOTP, which doesn't use a time interval, so the UX
> issue is not there. It can also be created in user self-service.
> Petr Vobornik
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
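The two mechanisms the thread compares, worked through in code. This is an added example written for this page; it is not FreeIPA's validator and does not describe how FreeIPA implements its check. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, using the shared test key from those RFCs, and then runs a constructed timeline: a code read at t=1000 and submitted 15 s or 25 s later against a strict (window 0) validator and a window-of-1 validator. The point RFC 6238 section 5.2 makes alongside the delay tolerance is that a wider window must not let a code be redeemed twice, so the TOTP validator also records the last step it accepted. The HOTP validator shows why Petr suggests counter-based tokens: there is no clock, only a look-ahead that absorbs codes the user generated but never sent. Names such as TotpValidator, HotpValidator and demo are this example's own.

```python
"""TOTP/HOTP validation with an acceptance window (RFC 4226 / RFC 6238).

Added example for the thread above, not FreeIPA code. The secret is the
test key from RFC 4226 / RFC 6238; the timestamps in demo() are constructed.
"""
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"  # test key from RFC 4226 / RFC 6238, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the time-step index (T0 = 0)."""
    return hotp(secret, int(at) // step, digits)


class TotpValidator:
    """Server side. window=0 is the strict behaviour the thread complains about;
    window=1 also accepts the neighbouring steps. RFC 6238 section 5.2 recommends
    allowing at most one step of drift; a symmetric window also covers a client
    clock that runs slightly ahead."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 0):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = None  # highest step already redeemed; widening the window must not enable replay

    def verify(self, code: str, now: int) -> bool:
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if self.last_step is not None and candidate <= self.last_step:
                continue  # a code for this step (or an earlier one) was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step = candidate
                return True
        return False


class HotpValidator:
    """Server side for counter-based tokens: no clock, so submission delay is
    irrelevant. The look-ahead absorbs codes the user generated but never submitted."""

    def __init__(self, secret: bytes, digits: int = 6, look_ahead: int = 5):
        self.secret, self.digits, self.look_ahead = secret, digits, look_ahead
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.counter = candidate + 1  # resynchronise; this and earlier codes are now dead
                return True
        return False


def demo() -> dict:
    """Constructed timeline: the user reads a code at t=1000 (step 33, covering
    seconds 990..1019) and the request reaches the server after a delay."""
    code = totp(RFC_SECRET, 1000)
    strict = TotpValidator(RFC_SECRET, window=0)
    tolerant = TotpValidator(RFC_SECRET, window=1)
    results = {
        "strict_same_step": strict.verify(code, 1015),                             # 15 s delay, still step 33
        "strict_next_step": TotpValidator(RFC_SECRET, window=0).verify(code, 1025),  # 25 s delay, now step 34
        "window_next_step": tolerant.verify(code, 1025),                           # accepted via the -1 step
        "window_replay": tolerant.verify(code, 1026),                              # same code again: rejected
    }
    hotp_server = HotpValidator(RFC_SECRET)
    results["hotp_in_order"] = hotp_server.verify(hotp(RFC_SECRET, 0))
    results["hotp_skipped_one"] = hotp_server.verify(hotp(RFC_SECRET, 2))  # code 1 was never submitted
    results["hotp_stale"] = hotp_server.verify(hotp(RFC_SECRET, 1))        # behind the counter: rejected
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The strict validator rejects the 25 s submission only because the step boundary fell between reading and submitting; the window-of-1 validator accepts it, and its last_step guard then refuses the same code a second later. The trade-off is the one the RFCs state: each extra step accepted multiplies an attacker's guessing odds for a given code length, which is why the recommendation is one step, not more.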