On Mon, 10 Oct 2022, Salva salva via FreeIPA-users wrote:
Hi,
So we are using freeIPA and it works really well.
We are now in the situation where we would like to use Password+OTP for some stuff but not
for others.
For example, it's totally fine to use password+OTP when doing sudo but when using
Nexus authentication against LDAP we would like to not use OTP.
Is this possible?
This question is asked regularly. Please read one of previous threads:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
One correction to my answer in that thread is that while either password
or password+OTP use in LDAP bind works right now, it is not something we
intended to make working in general. LDAP binds are very limiting as
there are not many clients that know and perform multi-stage binds with
possible message exchanges as required for support of more complex
authentication methods in FreeIPA. For example, use of external IdP
authentication is not integrated with LDAP binds directly, so if you
switch your users to OAuth authorization, they will not be able to bind
through LDAP directly unless they use Kerberos tickets received from the
OAuth exchange (FreeIPA 4.9.10 or later).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland