[Freeipa-users] Re: Time based OTP enabling

2019-06-13 Thread Eric via FreeIPA-users
Thanks Rob, will do

On Thu, Jun 13, 2019 at 1:45 PM, Rob Crittenden wrote:
Eric Fredrickson via FreeIPA-users wrote:
> Hello,
> 
> I was wondering if there was a way or if this is on the roadmap for future 
> work.  I have a use case where I'd like to create a user account, but add a 
> rule where OTP must be assigned to the account within a certain time period 
> (e.g. 24 hours).  If not, the account is disabled.  This leaves the end user 
> with the ability to create their OTP and not have to distribute any secret 
> keys/screenshots of the QR code, while removing administrative burden of 
> manually checking accounts if they have OTP enabled.

There is no sort of rule engine in IPA where you can conditionally
disable accounts. There are similar RFEs for disabling on conditions,
for example due to inactivity, https://fedorahosted.org/freeipa/ticket/4975

Might be worth filing a separate ticket with your use case and
mentioning it in the other ticket so a generic solution can be created.

rob

  
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
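Rob's answer is that IPA itself has no conditional-disable rule engine, so the policy Eric describes has to live in a scheduled job outside IPA. The script below is an added example, not code from FreeIPA or from anyone on the thread: it applies a "token enrolled within the grace period, or the account gets disabled" rule to a batch of user records and prints the `ipa user-disable` commands as a dry run instead of executing them. The record layout is an assumption; in a real deployment the `auth_types` set would be filled from the "User authentication types" field that `ipa user-find --all` reports (the same field shown in the thread), the set of token owners from `ipa otptoken-find`, and the creation time from wherever you record it at provisioning (or the entry's LDAP `createTimestamp`). All user names and timestamps here are constructed.

```python
"""Enrollment-deadline check for FreeIPA accounts whose auth type requires OTP.

Added example (not FreeIPA code): classify accounts by whether an OTP token was
enrolled inside the grace period, and emit the disable commands as a dry run.
"""
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)          # token must exist this long after creation
REMIND_BEFORE = timedelta(hours=6)   # flag accounts this close to the deadline

# Constructed sample records; the field layout is this example's own assumption.
SAMPLE_USERS = [
    {"uid": "alice", "created": datetime(2019, 6, 11, 9, 0, tzinfo=timezone.utc),
     "auth_types": {"otp"}, "disabled": False},          # 51h old, no token
    {"uid": "bob", "created": datetime(2019, 6, 12, 14, 0, tzinfo=timezone.utc),
     "auth_types": {"otp"}, "disabled": False},          # 22h old, no token
    {"uid": "carol", "created": datetime(2019, 6, 13, 10, 0, tzinfo=timezone.utc),
     "auth_types": {"otp"}, "disabled": False},          # 2h old, no token
    {"uid": "dave", "created": datetime(2019, 6, 11, 9, 0, tzinfo=timezone.utc),
     "auth_types": {"otp"}, "disabled": False},          # already enrolled
    {"uid": "erin", "created": datetime(2019, 6, 11, 9, 0, tzinfo=timezone.utc),
     "auth_types": {"password"}, "disabled": False},     # OTP not required
]
SAMPLE_TOKEN_OWNERS = {"dave"}       # uids owning at least one OTP token
NOW = datetime(2019, 6, 13, 12, 0, tzinfo=timezone.utc)


def classify(users, token_owners, now, grace=GRACE, remind_before=REMIND_BEFORE):
    """Map each uid to one of: skip, ok, pending, remind, disable.

    Accounts already disabled, or whose auth types do not include 'otp', are
    skipped: there is nothing to enforce for them (this assumes the per-user
    auth type is set explicitly, as in the thread, rather than inherited from
    the global IPA config).
    """
    actions = {}
    for u in users:
        if u["disabled"] or "otp" not in u["auth_types"]:
            actions[u["uid"]] = "skip"
        elif u["uid"] in token_owners:
            actions[u["uid"]] = "ok"
        else:
            deadline = u["created"] + grace
            if now >= deadline:
                actions[u["uid"]] = "disable"
            elif now >= deadline - remind_before:
                actions[u["uid"]] = "remind"
            else:
                actions[u["uid"]] = "pending"
    return actions


def disable_commands(actions):
    """Render the disable decisions as 'ipa user-disable' invocations (dry run)."""
    return [f"ipa user-disable {uid}" for uid, act in sorted(actions.items())
            if act == "disable"]


if __name__ == "__main__":
    plan = classify(SAMPLE_USERS, SAMPLE_TOKEN_OWNERS, NOW)
    for uid, act in sorted(plan.items()):
        print(f"{uid:8} {act}")
    for cmd in disable_commands(plan):
        print(cmd)
```

Running it as a cron job that first prints the plan, and only executes the commands after the "remind" stage has been reviewed, keeps an operator in the loop; the classification is deliberately separated from any side effect so the same function can drive both a report and the enforcement step.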


[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Eric via FreeIPA-users
Any luck yet, Kevin?  No luck here yet.

On Fri, Nov 9, 2018 at 10:56 PM, Kevin Vasko wrote:
I'm following this because I'm having the same issue. Since the OpenVPN client won't
prompt twice for the second factor I know you have to do the whole
"password+otp" (without the +) but keep getting invalid password.

-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users wrote:
> 
> Hello everyone,
> 
> I'm having an issue with OTP when logging into a vpn server that is a client 
> of FreeIPA.  I can login with no issues when OTP is disabled.
> 
> FreeIPA Setup:
> CentOS 7.5
> FreeIPA 4.5.4
> 
> HBAC Service: openvpn
> HBAC Rule:
> [root@ipa ~]# ipa hbacrule-show openvpn_access
> Rule name: openvpn_access
> Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
> Enabled: TRUE
> Users: 
> Hosts: vpnhost.localdomain.local
> Services: openvpn
> 
> User account:
> [root@ipa ~]# ipa user-show 
>  User login: 
>  First name: 
>  Last name: 
>  Home directory: /home/
>  Login shell: /bin/bash
>  Principal name: 
>  Principal alias: 
>  Email address: 
>  UID: 190963
>  GID: 190963
>  User authentication types: otp
>  Certificate: 
>  Account disabled: False
>  Password: True
>  Member of groups: vpn_users
>  Member of HBAC rule: openvpn_access
>  Indirect Member of HBAC rule: user_ipa_access
>  Kerberos keys available: True
> 
> OpenVPN server:
> /etc/pam.d/openvpn
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=200
> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite    pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
> 
> account    required      pam_unix.so
> account    sufficient    pam_localuser.so
> account    sufficient    pam_succeed_if.so uid < 1000 quiet
> account    [default=bad success=ok user_unknown=ignore] pam_sss.so
> account    required      pam_permit.so
> 
> password    requisite    pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> 
> password    required      pam_deny.so
> 
> session    optional      pam_keyinit.so revoke
> session    required      pam_limits.so
> -session    optional      pam_systemd.so
> session    optional      pam_oddjob_mkhomedir.so umask=0077
> session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session    required      pam_unix.so
> session    optional      pam_sss.so
> 
> server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
> 
> 
> Any help would be greatly appreciated.  Any other information that you may 
> need, please feel free to ask.  I've read multiple threads, some have gotten 
> it to work without posting answers, some have not and have stated openvpn does 
> not support multiple prompts.
> 
> Eric
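Kevin's point, that the OpenVPN client collects one password value and so both factors have to travel in that single string, follows directly from how the quoted `/etc/pam.d/openvpn` auth stack is walked. The script below is an added example, not code from the thread, OpenVPN, Linux-PAM or SSSD: a toy interpreter for the PAM control syntax that replays the quoted `auth` lines for an IPA user and for a local or system user, and reports which modules were consulted. Module results are stand-ins derived from a small user record (the `uid`, `local` and `password_ok` keys are this example's own), so nothing here talks to PAM, SSSD or FreeIPA, and the handling of jump actions is simplified (a jump skips the next N modules without changing the running verdict).

```python
"""Toy walk of the auth stack quoted from /etc/pam.d/openvpn.

Added example, not project code: parse the Linux-PAM control syntax and show
that for an IPA user pam_unix is jumped over and pam_sss is the one module that
receives the authtok, which is why a single-prompt client must send both
factors in that one value.
"""
from dataclasses import dataclass, field

# The auth section as quoted on the list, with wrapped lines rejoined.
PAM_AUTH = """\
auth required pam_env.so
auth required pam_faildelay.so delay=200
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Keyword controls expanded to the [...] form Linux-PAM documents them as.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class Entry:
    control: dict
    module: str
    args: list = field(default_factory=list)


def parse_auth(text):
    """Parse 'auth <control> <module> [args...]' lines into Entry objects."""
    entries = []
    for raw in text.strip().splitlines():
        _facility, rest = raw.split(None, 1)
        if rest.startswith("["):
            close = rest.index("]")
            control = dict(pair.split("=") for pair in rest[1:close].split())
            rest = rest[close + 1:]
        else:
            keyword, rest = rest.split(None, 1)
            control = dict(KEYWORDS[keyword])
        module, *args = rest.split()
        entries.append(Entry(control, module, args))
    return entries


def module_result(entry, user):
    """Stand-in for each module's return value, derived from the user record."""
    m = entry.module
    if m == "pam_succeed_if.so":           # both quoted uses test 'uid >= 1000'
        return "success" if user["uid"] >= 1000 else "auth_err"
    if m == "pam_localuser.so":            # is the user listed in /etc/passwd?
        return "success" if user["local"] else "user_unknown"
    if m == "pam_unix.so":
        return "success" if user["local"] and user["password_ok"] else "auth_err"
    if m == "pam_sss.so":                  # SSSD/IPA verdict on the one authtok
        return "success" if user["password_ok"] else "auth_err"
    if m == "pam_deny.so":
        return "auth_err"
    return "success"                       # pam_env, pam_faildelay


def walk(entries, user):
    """Return (verdict, modules consulted) for one authentication attempt."""
    verdict, consulted, skip = None, [], 0
    for entry in entries:
        if skip:                           # inside a jump: module not run
            skip -= 1
            continue
        result = module_result(entry, user)
        consulted.append(entry.module)
        action = entry.control.get(result, entry.control["default"])
        if action.isdigit():               # jump over the next N modules
            skip = int(action)
        elif action == "ok":
            if verdict != "fail":
                verdict = "success"
        elif action == "done":             # 'sufficient' succeeded: stop here
            return ("success" if verdict != "fail" else "fail"), consulted
        elif action == "bad":
            verdict = "fail"
        elif action == "die":              # 'requisite' failed: stop at once
            return "fail", consulted
        # "ignore": no effect on the verdict
    return (verdict or "fail"), consulted


STACK = parse_auth(PAM_AUTH)

if __name__ == "__main__":
    for label, user in [("ipa user", {"uid": 190963, "local": False, "password_ok": True}),
                        ("system uid", {"uid": 500, "local": False, "password_ok": True})]:
        print(label, walk(STACK, user))
```

For the IPA user the trace ends at `pam_sss.so` and never includes `pam_unix.so`; for a uid below 1000 the second `pam_succeed_if.so` is `requisite` and ends the stack before `pam_sss.so` is reached. Whatever the auth-pam plugin hands over as the password is therefore consumed by exactly one module for a directory user, which is the configuration-level reason a client that prompts once has to carry both factors in that one value.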