Andrey Dudin <dudin.and...@gmail.com> writes:
> I am trying to use OTP auth in FreeIPA but have some problems.
OTP (with RADIUS) works for me.
> I have user *test:*
> [root@ipa-centos]# ipa user-show test
Did you enable --user-auth-type=otp with "ipa config-mod"? I have:
[root@freeipa1 log]# ipa config-show --raw
Look at the mouse-over-docs in Webui -> IPA-Server -> Configuration ->
User Authentication Types for more info.
Otherwise, you need to enable --user-auth-type=otp for your user. I
have for RADIUS both password and radius for my OTP user:
[root@freeipa1 log]# ipa user-show jochen --raw
If you need both password and otp, use both --user-auth-type=password
and --user-auth-type=otp for "ipa user-mod" or "ipa config-mod".
When I do a "su - jochen", I get asked for "First Factor" and "Second
Factor", since sssd knows I use RADIUS for OTP. That might be easier to
first test that you can authenticate with OTP.
> Server with FreeIpa:
> [root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
> Authentication Indicators: otp
Is there a simple way to check on the command line, whether or not an
authentication indicator was set when authenticating? I can't remember
anything from reading the docs - I expected some option for klist.
This space is intentionally left blank.