Adam Bishop via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
> Is there an API endpoint I can use to perform OTP verification without
> the user's password (i.e. just with their DN or uid)?
>
> I've got a non-web application with its own authentication system that
> I'd like to add MFA to, and I'd rather avoid copying the OTP secrets
> to it or re-writing the application.
Not by default. IPA isn't a full RADIUS responder, but ipa-otpd speaks
enough of the protocol to verify the concatenation of password + OTP
code. It accomplishes this by performing an LDAP bind, for which it
needs the user's password. This information isn't otherwise exposed.
Thanks,
--Robbie
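To make the reply concrete, here is an added example (not ipa-otpd's code, and not part of this thread) that models the check Robbie describes: the credential handed to the bind is the password with the TOTP code appended, so a code on its own can never verify. The user record, the password and the TOTP seed (the RFC 6238 test seed) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo directory (uid -> password, base32 TOTP seed); not IPA data.
# The seed is the RFC 6238 test vector seed, so the codes are checkable against the RFC.
DEMO_USERS = {
    "alice": {
        "password": "correct horse",
        "secret": base64.b32encode(b"12345678901234567890").decode(),
    },
}

OTP_DIGITS = 6
TIME_STEP = 30


def totp(secret_b32: str, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_bind(uid: str, credential: str, now: int, window: int = 1) -> bool:
    """Model of the LDAP bind ipa-otpd relies on.

    `credential` is password + OTP concatenated. The directory side splits off
    the trailing digits, checks the password first, then accepts the code if it
    matches the current step or a neighbouring one (clock-skew window).
    Returns False for a bare OTP: there is no password to bind with.
    """
    user = DEMO_USERS.get(uid)
    if user is None or len(credential) <= OTP_DIGITS:
        return False
    password, code = credential[:-OTP_DIGITS], credential[-OTP_DIGITS:]
    if not hmac.compare_digest(password, user["password"]):
        return False
    step = now // TIME_STEP
    return any(
        hmac.compare_digest(code, totp(user["secret"], step + d))
        for d in range(-window, window + 1)
    )
```

At `now=59` the RFC 6238 vector gives code `287082`; `otp_bind("alice", "correct horse287082", 59)` succeeds, while passing `"287082"` alone or with a wrong password is refused, which is exactly why the OTP cannot be checked separately from the password.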