mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
051d61fdc3
For users who have no OTP tokens defined (yet), a missing token should not be seen as a failure. This is needed to allow a basic password change.

The logic around enforcement of OTP over LDAP bind is the following:

----------------------------------------------------------------------

- when LDAP OTP control is requested by the LDAP client, OTP is explicitly required
- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly required, regardless of the state of LDAP client

In either case, only users with 'user-auth-type: otp' are allowed to authenticate. If these users have no OTP token associated yet, they will be allowed to authenticate with their password. This is to allow initial password change and adding an OTP token.

----------------------------------------------------------------------

Implement test that simulates lifecycle for new user who gets to change their password before adding an OTP token.

Related: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

||
---|---|---|
.. | ||
dnssec | ||
ipa-kdb | ||
ipa-otpd | ||
ipa-sam | ||
ipa-slapi-plugins | ||
ipa-version.h.in | ||
Makefile.am |