mirror of https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
1d2897e3d7
When authentication indicators were introduced in 2016, ipa-pwd-extop plugin gained ability to reject LDAP BIND when an LDAP client insists the authentication must use an OTP token. This is used by ipa-otpd to ensure Kerberos authentication using OTP method is done with at least two factors (the token and the password). This enforcement is only possible when an LDAP client sends the LDAP control.

There are cases when LDAP clients cannot be configured to send a custom LDAP control during BIND operation. For these clients an LDAP BIND against an account that only has password and no valid token would succeed even if admins intend it to fail. Ability to do LDAP BIND without a token was added to allow users to add their own OTP tokens securely. If administrators require full enforcement over LDAP BIND, it cannot be achieved with LDAP without sending the LDAP control to do so.

Add IPA configuration string, EnforceLDAPOTP, to allow administrators to prevent LDAP BIND with a password only if user is required to have OTP tokens. With this configuration enabled, it will not be possible for users to add OTP token if one is missing, thus ensuring no user can authenticate without OTP and admins will have to add initial OTP tokens to users explicitly.

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
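The BIND decision rules the commit message describes, restated as a small policy model so the four cases (token present, control sent, EnforceLDAPOTP set, neither) can be checked side by side. This is an added example, not FreeIPA's ipa-pwd-extop code; the names `ServerConfig`, `User` and `password_only_bind` are this example's own, and `otp_required` is assumed to come from the user's effective ipauserauthtype.

```python
from dataclasses import dataclass

# Allowed ipaconfigstring values, copied from the config_mod option list.
IPACONFIGSTRING_VALUES = frozenset({
    "AllowNThash",
    "KDC:Disable Last Success",
    "KDC:Disable Lockout",
    "KDC:Disable Default Preauth for SPNs",
    "EnforceLDAPOTP",
})


def unknown_configstrings(values):
    """Values a StrEnum check on ipaconfigstring would reject (case-sensitive)."""
    return sorted(set(values) - IPACONFIGSTRING_VALUES)


@dataclass(frozen=True)
class ServerConfig:
    ipaconfigstring: frozenset = frozenset()

    @property
    def enforce_ldap_otp(self):
        return "EnforceLDAPOTP" in self.ipaconfigstring


@dataclass(frozen=True)
class User:
    # Assumption: True when the user's effective ipauserauthtype requires OTP.
    otp_required: bool
    has_valid_token: bool


def password_only_bind(user, config, client_sent_otp_control):
    """Decide an LDAP simple BIND carrying a password and no OTP value.

    Returns (allowed, reason). 'allowed' means the BIND proceeds to the
    ordinary password check; it does not mean the password is correct.
    """
    if not user.otp_required:
        return True, "OTP not required for this user; password check applies"
    if user.has_valid_token:
        return False, "user has a token; password alone is a single factor"
    if client_sent_otp_control:
        return False, "client control insists on OTP and no token exists"
    if config.enforce_ldap_otp:
        return False, "EnforceLDAPOTP set; an admin must add the first token"
    return True, "no token yet; BIND allowed so the user can enrol one"
```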
2.0 KiB
# config_mod
Modify configuration options.

### Arguments
No arguments.

### Options
- rights : :ref:`Flag<Flag>` (Required)
  - Default: False
- all : :ref:`Flag<Flag>` (Required)
  - Default: False
- raw : :ref:`Flag<Flag>` (Required)
  - Default: False
- ipamaxusernamelength : :ref:`Int<Int>`
- ipamaxhostnamelength : :ref:`Int<Int>`
- ipahomesrootdir : :ref:`IA5Str<IA5Str>`
- ipadefaultloginshell : :ref:`Str<Str>`
- ipadefaultprimarygroup : :ref:`Str<Str>`
- ipadefaultemaildomain : :ref:`Str<Str>`
- ipasearchtimelimit : :ref:`Int<Int>`
- ipasearchrecordslimit : :ref:`Int<Int>`
- ipausersearchfields : :ref:`IA5Str<IA5Str>`
- ipagroupsearchfields : :ref:`IA5Str<IA5Str>`
- ipamigrationenabled : :ref:`Bool<Bool>`
- ipagroupobjectclasses : :ref:`Str<Str>`
- ipauserobjectclasses : :ref:`Str<Str>`
- ipapwdexpadvnotify : :ref:`Int<Int>`
- ipaconfigstring : :ref:`StrEnum<StrEnum>`
  - Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
- ipaselinuxusermaporder : :ref:`Str<Str>`
- ipaselinuxusermapdefault : :ref:`Str<Str>`
- ipakrbauthzdata : :ref:`StrEnum<StrEnum>`
  - Values: ('MS-PAC', 'PAD', 'nfs:NONE')
- ipauserauthtype : :ref:`StrEnum<StrEnum>`
  - Values: ('password', 'radius', 'otp', 'pkinit', 'hardened', 'idp', 'passkey', 'disabled')
- ipauserdefaultsubordinateid : :ref:`Bool<Bool>`
- ca_renewal_master_server : :ref:`Str<Str>`
- ipadomainresolutionorder : :ref:`Str<Str>`
- enable_sid : :ref:`Flag<Flag>`
  - Default: False
- add_sids : :ref:`Flag<Flag>`
  - Default: False
- netbios_name : :ref:`Str<Str>`
- setattr : :ref:`Str<Str>`
- addattr : :ref:`Str<Str>`
- delattr : :ref:`Str<Str>`
- version : :ref:`Str<Str>`
### Output
| Name | Type |
|---|---|
| result | Entry |
| summary | Output |
| value | PrimaryKey |