Alexander Bokovoy 051d61fdc3 ipa-pwd-extop: differentiate OTP requirements in LDAP binds ... For users who has no OTP tokens defined (yet), a missing token should not be seen as a failure. This is needed to allow a basic password change. The logic around enforcement of OTP over LDAP bind is the following: ---------------------------------------------------------------------- - when LDAP OTP control is requested by the LDAP client, OTP is explicitly required - when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly required, regardless of the state of LDAP client In either case, only users with 'user-auth-type: otp' are allowed to authenticate. If these users have no OTP token associated yet, they will be allowed to authenticate with their password. This is to allow initial password change and adding an OTP token. ---------------------------------------------------------------------- Implement test that simulates lifecycle for new user who get to change their password before adding an OTP token. Related: https://pagure.io/freeipa/issue/5169 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>		2024-07-17 09:06:14 +02:00
..
dnssec	pylint: remove useless suppression	2023-01-10 08:30:58 +01:00
ipa-kdb	kdb: apply combinatorial logic for ticket flags	2024-06-10 12:46:05 +02:00
ipa-otpd	ipa-otpd: add passkey_child_debug_level option	2023-06-01 08:20:37 +02:00
ipa-sam	ipasam: make krbtgt TDO principal canonical	2024-01-23 13:19:37 +01:00
ipa-slapi-plugins	ipa-pwd-extop: differentiate OTP requirements in LDAP binds	2024-07-17 09:06:14 +02:00
ipa-version.h.in	Build: move version handling from Makefile to configure	2016-11-09 13:08:32 +01:00
Makefile.am	build: Unify compiler warning flags used	2021-01-15 14:11:56 +01:00