Kevin Cassar via FreeIPA-users wrote:
> Hi all,
> In my setup I have TOTP (software token) enabled, and it works as intended. My only
> concern is that I want only the "admin" to be able to generate software tokens
> that they can later assign to users.
> Essentially, I want to do away with user-managed tokens, and only have
> administrator-managed tokens. I was wondering if such a thing is possible?

It would involve deleting the acis that grant the add/modify rights.
This isn't something we've tested so there could be dragons.
These are actual 389-ds acis and not represented as permissions for
reasons I don't know. You'd have to use ldapmodify or your favorite LDAP
editor to remove the acis.
rob