Yeah, password + code supplied as a single string gets rejected (49, invalid credentials),
but password alone is accepted against the compat tree.
As far as configuration goes, it's an oldish deployment (initially set up in
2012/2013), but has not really deviated from the standard configuration. Users have a
single token code assigned to them, with 2fa configured at the user level like so:
[ ] Password
[ ] RADIUS
[x] Two factor authentication (password + OTP)
There is no global 2fa setting, or any authentication indicators set on hosts.
Not sure what ipa cli combination would highlight the issue, but here's ldapsearch
against a group with trimmed output. Right at the end of the email is a log snippet where
I try password + token first, then just password, from the device that's doing the
bind.
---
# Standard Tree Password + Token Code = Accept:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=accounts,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
...
# search result
search: 2
result: 0 Success

# Standard Tree Password Only = Reject:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=accounts,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

# Compat Tree Password + Token Code = Reject:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=compat,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

# Compat Tree Password Only = Accept:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=compat,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
...
# search result
search: 2
result: 0 Success
---
[30/May/2018:10:21:26.075901899 +0000] conn=25163 fd=183 slot=183 SSL connection from
172.25.0.14 to 193.63.72.98
[30/May/2018:10:21:26.117421253 +0000] conn=25163 TLS1.2 256-bit AES-GCM
[30/May/2018:10:21:26.121916838 +0000] conn=25163 op=0 BIND
dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128
version=3
[30/May/2018:10:21:26.122685598 +0000] conn=25163 op=0 RESULT err=0 tag=97 nentries=0
etime=0.0041605195 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:26.126405442 +0000] conn=25163 op=1 SRCH
base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(uid=adamb)"
attrs=ALL
[30/May/2018:10:21:26.134445441 +0000] conn=25163 op=1 RESULT err=0 tag=101 nentries=1
etime=0.0008214966
[30/May/2018:10:21:26.143921650 +0000] conn=25163 op=2 BIND
dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.145498150 +0000] conn=25163 op=2 RESULT err=49 tag=97 nentries=0
etime=0.0001858480 - Invalid credentials
[30/May/2018:10:21:26.149772263 +0000] conn=25163 op=3 BIND
dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128
version=3
[30/May/2018:10:21:26.150538751 +0000] conn=25163 op=3 RESULT err=0 tag=97 nentries=0
etime=0.0000946441 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:30.950782865 +0000] conn=25163 op=4 UNBIND
[30/May/2018:10:21:30.950833316 +0000] conn=25163 op=4 fd=183 closed - U1
[30/May/2018:10:21:38.056017404 +0000] conn=25164 fd=156 slot=156 SSL connection from
172.25.0.14 to 193.63.72.98
[30/May/2018:10:21:38.096276825 +0000] conn=25164 TLS1.2 256-bit AES-GCM
[30/May/2018:10:21:38.100674075 +0000] conn=25164 op=0 BIND
dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128
version=3
[30/May/2018:10:21:38.101414295 +0000] conn=25164 op=0 RESULT err=0 tag=97 nentries=0
etime=0.0040230747 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.105289862 +0000] conn=25164 op=1 SRCH
base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(uid=adamb)"
attrs=ALL
[30/May/2018:10:21:38.116056435 +0000] conn=25164 op=1 RESULT err=0 tag=101 nentries=1
etime=0.0011007183
[30/May/2018:10:21:38.120400753 +0000] conn=25164 op=2 BIND
dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.122458980 +0000] conn=25164 op=2 RESULT err=0 tag=97 nentries=0
etime=0.0002267568 dn="uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.126309118 +0000] conn=25164 op=3 BIND
dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128
version=3
[30/May/2018:10:21:38.127108622 +0000] conn=25164 op=3 RESULT err=0 tag=97 nentries=0
etime=0.0001023469 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.130813363 +0000] conn=25164 op=4 CMP
dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net"
attr="uniquemember"
[30/May/2018:10:21:38.130960657 +0000] conn=25164 op=4 RESULT err=53 tag=111 nentries=0
etime=0.0000308287
[30/May/2018:10:21:38.134644827 +0000] conn=25164 op=5 SRCH
base="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" scope=0
filter="(objectClass=*)" attrs="gidNumber"
[30/May/2018:10:21:38.135140752 +0000] conn=25164 op=5 RESULT err=0 tag=101 nentries=1
etime=0.0000733709
[30/May/2018:10:21:38.138916056 +0000] conn=25164 op=6 CMP
dn="cn=opengear-dev-admins,cn=groups,cn=compat,dc=virt,dc=ja,dc=net"
attr="gidNumber"
[30/May/2018:10:21:38.139028891 +0000] conn=25164 op=6 RESULT err=53 tag=111 nentries=0
etime=0.0000308404
[30/May/2018:10:21:38.142852631 +0000] conn=25164 op=7 SRCH
base="cn=compat,dc=virt,dc=ja,dc=net" scope=2
filter="(&(objectClass=posixGroup)(|(memberUid=adamb)(memberUid=uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net)))"
attrs=ALL
[30/May/2018:10:21:38.156708353 +0000] conn=25164 op=7 RESULT err=0 tag=101 nentries=24
etime=0.0014057156
[30/May/2018:10:21:38.167060727 +0000] conn=25164 op=8 SRCH
base="cn=compat,dc=virt,dc=ja,dc=net" scope=2
filter="(&(objectClass=user)(uid=adamb))" attrs="uniqueMember"
[30/May/2018:10:21:38.168177702 +0000] conn=25164 op=8 RESULT err=0 tag=101 nentries=0
etime=0.0001377993
[30/May/2018:10:21:38.171969107 +0000] conn=25164 op=9 SRCH
base="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" scope=0
filter="(objectClass=*)" attrs="gidNumber"
[30/May/2018:10:21:38.172404602 +0000] conn=25164 op=9 RESULT err=0 tag=101 nentries=1
etime=0.0000586344
[30/May/2018:10:21:38.176342697 +0000] conn=25164 op=10 SRCH
base="cn=compat,dc=virt,dc=ja,dc=net" scope=2
filter="(&(objectClass=posixGroup)(gidNumber=606000001))" attrs=ALL
[30/May/2018:10:21:38.177966535 +0000] conn=25164 op=10 RESULT err=0 tag=101 nentries=1
etime=0.0001848763
[30/May/2018:10:21:38.181958348 +0000] conn=25164 op=11 SRCH
base="cn=compat,dc=virt,dc=ja,dc=net" scope=2
filter="(&(objectClass=posixGroup)(|(memberUid=adamb)(memberUid=uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net)))"
attrs=ALL
[30/May/2018:10:21:38.195375411 +0000] conn=25164 op=11 RESULT err=0 tag=101 nentries=24
etime=0.0013589918
[30/May/2018:10:21:38.217773131 +0000] conn=25164 op=12 UNBIND
[30/May/2018:10:21:38.217822659 +0000] conn=25164 op=12 fd=156 closed - U1
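Detection-side check for the pattern in the access log above, added here as an example (not code from the email, FreeIPA or 389-ds): it pairs each simple BIND with its RESULT on the same conn/op and reports successful binds against DNs under cn=compat by users the caller lists as OTP-enabled. The log lines are constructed from the snippet (one entry per line), the compat suffix is a parameter so it works for any base DN, and the OTP user set is assumed to come from elsewhere (e.g. the ipaUserAuthType attribute), since the access log does not say who has 2FA configured.

```python
import re

# Constructed sample modelled on the email's access-log snippet, one entry per
# line: a system-account bind, a rejected compat bind (password + OTP as one
# string) and an accepted compat bind (password only).
SAMPLE_LOG = """\
[30/May/2018:10:21:26.121916838 +0000] conn=25163 op=0 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.122685598 +0000] conn=25163 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0041605195 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:26.143921650 +0000] conn=25163 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.145498150 +0000] conn=25163 op=2 RESULT err=49 tag=97 nentries=0 etime=0.0001858480 - Invalid credentials
[30/May/2018:10:21:38.120400753 +0000] conn=25164 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.122458980 +0000] conn=25164 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0002267568 dn="uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net"
"""

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
# tag=97 is the BindResponse tag, so this only pairs with BIND requests.
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=97')


def compat_binds(log_text, compat_suffix="cn=compat,dc=virt,dc=ja,dc=net"):
    """Pair every simple BIND with its RESULT on the same (conn, op) and return
    (conn, op, bind_dn, err) for binds whose DN lies under the compat subtree."""
    pending = {}  # (conn, op) -> bind DN, until the matching RESULT arrives
    found = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.search(line)
        if m and (m["conn"], m["op"]) in pending:
            dn = pending.pop((m["conn"], m["op"]))
            if dn.lower().endswith(compat_suffix.lower()):
                found.append((int(m["conn"]), int(m["op"]), dn, int(m["err"])))
    return found


def otp_users_bound_via_compat(log_text, otp_users, **kw):
    """Successful compat-tree binds by users who are expected to need an OTP.
    otp_users is an assumed caller-supplied set of lowercase uids."""
    hits = []
    for conn, op, dn, err in compat_binds(log_text, **kw):
        uid = re.match(r"uid=([^,]+)", dn, re.I)
        if err == 0 and uid and uid.group(1).lower() in otp_users:
            hits.append((conn, op, uid.group(1)))
    return hits


if __name__ == "__main__":
    for conn, op, uid in otp_users_bound_via_compat(SAMPLE_LOG, {"adamb"}):
        print(f"conn={conn} op={op}: password-only bind via compat tree by {uid}")
```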