Hi Aurelien,
Yeah, but there is no API in IPA to do that (we did consider it when
writing the code).
I was working on this issue yesterday, trying to find a
workaround, but my tests didn't give anything usable. I asked the
FreeIPA folks on IRC and they had no solution (but they had meetings,
so maybe later).
There is an API to verify the token during LDAP bind. However, it only considers active
and not disabled tokens.
There is also an API to synchronize token values during LDAP bind. It also only looks at
enabled tokens.
So technically you can have something like:
- create an OTP token and mark it disabled
- show the OTP token configuration details to the user
- ask the user to validate this token: enter a password and a value
- enable the token
- verify the token
- if verification fails, disable the token again
I've noticed that Christian proposed a possible (hackish) way of doing
it yesterday evening in the AAA channel; I'll try that on Monday.
Again, there is no API in IPA to do that. Christian suggested a
workaround where we could use an HOTP token to get a similar result;
however, the user would still need to enroll the HOTP token, so if they
can't enroll their TOTP token or it fails, there's little chance that
enrolling the HOTP token will not fail as well.
You can enroll that token automatically and disable it.
--
/ Alexander Bokovoy
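The enable, verify-by-bind, disable-again sequence sketched in the message above, as an added example that is not part of the thread or of FreeIPA itself. It assumes `ipa otptoken-mod TOKEN --disabled=true|false` flips the token's `ipatokendisabled` flag, and that an OTP verification against IPA is an LDAP simple bind as the user with the password immediately followed by the OTP value (`ldapwhoami` is used for that). The `SimulatedIpa` class is a constructed stand-in so the script runs offline; it deliberately rejects any bind against a disabled token, which is the behaviour the message describes.

```python
"""Validate a freshly created (disabled) IPA OTP token by enabling it only
for the duration of one verification attempt, then disabling it again on
failure. Example code, not part of FreeIPA; see assumptions in comments."""
import subprocess
from typing import Callable


def ipa_set_token_disabled(token_id: str, disabled: bool) -> None:
    """Assumption: `ipa otptoken-mod --disabled=BOOL` toggles ipatokendisabled."""
    value = "true" if disabled else "false"
    subprocess.run(
        ["ipa", "otptoken-mod", token_id, f"--disabled={value}"],
        check=True, capture_output=True,
    )


def ldap_otp_bind(bind_dn: str, password: str, otp: str, ldap_uri: str) -> bool:
    """Assumption: IPA verifies an OTP on a simple bind whose credential is
    the user's password followed directly by the OTP value."""
    result = subprocess.run(
        ["ldapwhoami", "-x", "-H", ldap_uri, "-D", bind_dn, "-w", password + otp],
        capture_output=True,
    )
    return result.returncode == 0


def validate_token(
    token_id: str,
    bind_dn: str,
    password: str,
    otp: str,
    set_disabled: Callable[[str, bool], None] = ipa_set_token_disabled,
    bind: Callable[[str, str, str, str], bool] = ldap_otp_bind,
    ldap_uri: str = "ldaps://ipa.example.test",  # assumed hostname
) -> bool:
    """Enable the token, try one bind, and leave it enabled only on success.
    The finally-branch also re-disables the token if the bind itself raises,
    so a transport error never leaves an unverified token active."""
    set_disabled(token_id, False)
    verified = False
    try:
        verified = bind(bind_dn, password, otp, ldap_uri)
    finally:
        if not verified:
            set_disabled(token_id, True)
    return verified


class SimulatedIpa:
    """Constructed stand-in for the IPA server used for offline runs: it
    tracks the token's disabled flag and, like the real bind path described
    in the thread, only accepts an OTP bind against an enabled token."""

    def __init__(self, password: str, expected_otp: str) -> None:
        self.disabled = True          # tokens start out disabled
        self._password = password
        self._otp = expected_otp
        self.log: list = []

    def set_disabled(self, token_id: str, disabled: bool) -> None:
        self.disabled = disabled
        self.log.append(("disabled" if disabled else "enabled", token_id))

    def bind(self, bind_dn: str, password: str, otp: str, ldap_uri: str) -> bool:
        self.log.append(("bind", bind_dn))
        return (not self.disabled) and password == self._password and otp == self._otp


if __name__ == "__main__":
    dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"  # constructed DN
    sim = SimulatedIpa("correct horse", "123456")
    print(validate_token("alice-totp", dn, "correct horse", "000000",
                         set_disabled=sim.set_disabled, bind=sim.bind), sim.disabled)
    print(validate_token("alice-totp", dn, "correct horse", "123456",
                         set_disabled=sim.set_disabled, bind=sim.bind), sim.disabled)
```

To run this against a real server, drop the `set_disabled`/`bind` arguments so the `ipa` CLI and `ldapwhoami` defaults are used, and remember that the verifying bind consumes the OTP value, so a failed attempt needs a fresh code.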