On Mon, Dec 16, 2019 at 08:29:16AM -0500, Michael Deffenbaugh wrote:
> Hey Sumit, I pasted it here: https://paste.centos.org/view/6ea2a800
Thanks,

please remove the

krbExtraData: AAtvdHAAW3siaW5kaWNhdG9ycyI6IFsib3RwIl19XQA=

IIRC 'ipa user-mod' cannot handle binary data, so you need an LDAP editor
or use ldapmodify directly. Do you know how to do it?

bye,
Sumit
>
> Max time is 1 day so if you need me to re-paste it let me know. Thanks
> again!
>
> On Mon, Dec 16, 2019 at 6:55 AM Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> > On Wed, Dec 04, 2019 at 12:44:59PM -0500, Michael Deffenbaugh via
> > FreeIPA-users wrote:
> > > Hey Sumit, thank you for the reply.
> > >
> > > I'm pretty sure I had set it on a per user basis, but it might have been
> > > globally. I removed the OTP setting using the WebUI in both the default
> > > user config (Global settings), and I forced my user (one of the accounts
> > > experiencing the issue) to password only. This is reflected correctly at
> > > the command line too.
> > >
> > > ipa config-show
> > > ...
> > > Default user authentication types: password
> > >
> > > and ipa user-show <my username>
> > > ...
> > > User authentication types: password
> > >
> > > Is there something I'm missing? Thanks!
> >
> > Hi,
> >
> > can you send the output of
> >
> > ipa user-show --all --raw <my username>
> >
> > I'm especially interested in the 'krbExtraData' attributes, feel free
> > to drop or sanitize the other attributes.
> >
> > bye,
> > Sumit
> >
> > >
> > > Regards,
> > > Mike
> > >
> > >
> > > On Wed, Dec 4, 2019 at 12:35 PM Sumit Bose <sbose@redhat.com> wrote:
> > >
> > > > On Wed, Dec 04, 2019 at 02:15:59PM -0000, Michael Deffenbaugh via
> > > > FreeIPA-users wrote:
> > > > > I'm having an issue where users who were previously enrolled in OTP
> > > > > (and had it enforced) which then were removed from OTP and have no
> > > > > tokens are still prompted for "First Factor/Second Factor". Up until
> > > > > recently this has been an inconvenience as a user could just leave
> > > > > the field blank and it would authenticate; they would only have to
> > > > > wait for IPA to process the non-existent OTP token.
> > > > >
> > > > > Recently I've run across an application which doesn't support OTP
> > > > > prompting at all, and the fact that users are getting prompted for
> > > > > First/Second factor breaks the application. While I do have a GitHub
> > > > > issue in with the project to properly support OTP, there should be
> > > > > some way to disable the MFA prompt that users are getting (via
> > > > > PAM/SSSD?) given we're no longer using it. Any thoughts as to where I
> > > > > should look? There's a fair amount of documentation on how to enable
> > > > > it, less so on disabling it.
> > > > > Thanks in advance!
> > > >
> > > > Hi,
> > > >
> > > > how did you enable OTP? Globally with
> > > >
> > > > ipa config-mod --user-auth-type=...
> > > >
> > > > or individually for each user with
> > > >
> > > > ipa user-mod --user-auth-type=...
> > > >
> > > > Depending on this you should remove 'otp' either from the global
> > > > configuration or for each user.
> > > >
> > > > HTH
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > >
> > > > > Regards,
> > > > > Mike
> > > > > _______________________________________________
> > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > >
> > > >
> >
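
An added example, not part of the original thread: it decodes the krbExtraData value quoted above to show what it carries and builds the LDIF that deletes only that value for use with ldapmodify. The user DN is a placeholder, and the value layout (2-byte type prefix, NUL-terminated string pairs, type number 0x000B) is an assumption about how MIT krb5 stores per-principal string attributes.

```python
import base64
import struct

# Value quoted in the message above.
KRB_EXTRA_DATA_B64 = "AAtvdHAAW3siaW5kaWNhdG9ycyI6IFsib3RwIl19XQA="
# Assumption: MIT krb5 tl_data type number for per-principal string attributes.
KRB5_TL_STRING_ATTRS = 0x000B


def decode_krb_extra_data(b64_value):
    """Return (tl_type, attrs) for one krbExtraData value.

    Assumed layout: 2-byte big-endian tl_data type, then NUL-terminated
    key/value string pairs when the type is KRB5_TL_STRING_ATTRS.
    """
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) < 2:
        raise ValueError("too short for a tl_data type prefix")
    (tl_type,) = struct.unpack(">H", raw[:2])
    attrs = {}
    if tl_type == KRB5_TL_STRING_ATTRS:
        fields = raw[2:].split(b"\x00")
        if fields[-1] == b"":  # the final NUL leaves an empty tail
            fields.pop()
        if len(fields) % 2:
            raise ValueError("unpaired key in string attributes")
        for key, value in zip(fields[0::2], fields[1::2]):
            attrs[key.decode()] = value.decode()
    return tl_type, attrs


def delete_value_ldif(user_dn, b64_value):
    """LDIF that deletes only this krbExtraData value, leaving the others."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: krbExtraData",
        f"krbExtraData:: {b64_value}",  # '::' marks a base64 value in LDIF
        "",
    ])


if __name__ == "__main__":
    print(decode_krb_extra_data(KRB_EXTRA_DATA_B64))
    # Placeholder DN: substitute the real uid and directory suffix.
    print(delete_value_ldif(
        "uid=USERNAME,cn=users,cn=accounts,dc=example,dc=com",
        KRB_EXTRA_DATA_B64))
```

The decoded value is a leftover "otp" string attribute on the principal, which is separate from the user authentication type shown by 'ipa user-show'. The generated LDIF is meant to be fed to ldapmodify while bound as an identity allowed to modify the user entry.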