freeipa/doc/api/config_mod.md
Alexander Bokovoy 1d2897e3d7 ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).

This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.

Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.

Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-12 13:53:11 +01:00

2.0 KiB

config_mod

Modify configuration options.

Arguments

No arguments.

Options

  • rights : :ref:Flag<Flag> (Required)
  • Default: False
  • all : :ref:Flag<Flag> (Required)
  • Default: False
  • raw : :ref:Flag<Flag> (Required)
  • Default: False
  • ipamaxusernamelength : :ref:Int<Int>
  • ipamaxhostnamelength : :ref:Int<Int>
  • ipahomesrootdir : :ref:IA5Str<IA5Str>
  • ipadefaultloginshell : :ref:Str<Str>
  • ipadefaultprimarygroup : :ref:Str<Str>
  • ipadefaultemaildomain : :ref:Str<Str>
  • ipasearchtimelimit : :ref:Int<Int>
  • ipasearchrecordslimit : :ref:Int<Int>
  • ipausersearchfields : :ref:IA5Str<IA5Str>
  • ipagroupsearchfields : :ref:IA5Str<IA5Str>
  • ipamigrationenabled : :ref:Bool<Bool>
  • ipagroupobjectclasses : :ref:Str<Str>
  • ipauserobjectclasses : :ref:Str<Str>
  • ipapwdexpadvnotify : :ref:Int<Int>
  • ipaconfigstring : :ref:StrEnum<StrEnum>
  • Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
  • ipaselinuxusermaporder : :ref:Str<Str>
  • ipaselinuxusermapdefault : :ref:Str<Str>
  • ipakrbauthzdata : :ref:StrEnum<StrEnum>
  • Values: ('MS-PAC', 'PAD', 'nfs:NONE')
  • ipauserauthtype : :ref:StrEnum<StrEnum>
  • Values: ('password', 'radius', 'otp', 'pkinit', 'hardened', 'idp', 'passkey', 'disabled')
  • ipauserdefaultsubordinateid : :ref:Bool<Bool>
  • ca_renewal_master_server : :ref:Str<Str>
  • ipadomainresolutionorder : :ref:Str<Str>
  • enable_sid : :ref:Flag<Flag>
  • Default: False
  • add_sids : :ref:Flag<Flag>
  • Default: False
  • netbios_name : :ref:Str<Str>
  • setattr : :ref:Str<Str>
  • addattr : :ref:Str<Str>
  • delattr : :ref:Str<Str>
  • version : :ref:Str<Str>

Output

Name Type
result Entry
summary Output
value PrimaryKey

Semantics

Notes

Version differences