#4897 Clarify and document behavior in case of 2FA against compat tree
Closed: Fixed. Opened 9 years ago by dpal.

Use case:
- IPA user has an OTP.
- Policy is set to do either OTP or password.
- User is exposed in the compat plugin.

It is already known in this case that if the user authenticates with Kerberos against the KDC he is required to use 2FA. If he binds via LDAP he is not required to use 2FA. However, it is unknown what the behavior would be in this case.

I suspect that since the authentication will be done by SSSD on the host, and SSSD is by default configured to use Kerberos, it will be Kerberos authentication, thus the rule of the Kerberos policy will apply, but this should be confirmed.

To test, try with just the password and with password+OTP.


Nathaniel is investigating.

After testing, LDAP bind behaves exactly the same regardless of whether or not the compat DN is used for binding.

Thanks for the confirmation. Can you please update the OTP design page with a section about how the compat tree behaves with respect to OTP?

Metadata Update from @dpal:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.1.4

7 years ago