summaryrefslogtreecommitdiffstats
path: root/install/share/70ipaotp.ldif
Commit message (Collapse)AuthorAgeFilesLines
* Revert "Make all ipatokenTOTP attributes mandatory"Jan Cholasta2015-01-211-1/+1
| | | | | | | | | | | | This prevents schema replication conflicts which cause replication failures with older versions of IPA. Details in https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7 This reverts commit adcd373931c50d91550f6b74b191d08ecce5b137. https://fedorahosted.org/freeipa/ticket/4833 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make token auth and sync windows configurableNathaniel McCallum2014-12-051-0/+5
| | | | | | | | | | | This introduces two new CLI commands: * otpconfig-show * otpconfig-mod https://fedorahosted.org/freeipa/ticket/4511 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add TOTP watermark supportNathaniel McCallum2014-07-251-1/+2
| | | | | | | | | | | | | | | | This prevents the reuse of TOTP tokens by recording the last token interval that was used. This will be replicated as normal. However, this patch does not increase the number of writes to the database in the standard authentication case. This is because it also eliminates an unnecessary write during authentication. Hence, this patch should be write-load neutral with the existing code. Further performance enhancement is desired, but is outside the scope of this patch. https://fedorahosted.org/freeipa/ticket/4410 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support for managedBy to tokensNathaniel McCallum2014-06-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether managed by them or not. Users can add tokens if, and only if, they will also manage this token. Managers can also read/search/compare tokens they manage. Additionally, they can write non-secret data to their managed tokens and delete them. When a normal user self-creates a token (the default behavior), then managedBy is automatically set. When an admin creates a token for another user (or no owner is assigned at all), then managed by is not set. In this second case, the token is effectively read-only for the assigned owner. This behavior enables two important other behaviors. First, an admin can create a hardware token and assign it to the user as a read-only token. Second, when the user is deleted, only his self-managed tokens are deleted. All other (read-only) tokens are instead orphaned. This permits the same token object to be reasigned to another user without loss of any counter data. https://fedorahosted.org/freeipa/ticket/4228 https://fedorahosted.org/freeipa/ticket/4259 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make all ipatokenTOTP attributes mandatoryNathaniel McCallum2014-02-211-1/+1
| | | | | | | | Originally we made them all optional as a workaround for the lack of SELFDN support in 389DS. However, with the advent of SELFDN, this hack is no longer necessary. This patch updates TOTP to match HOTP in this regard. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-0/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add RADIUS proxy support to ipalib CLINathaniel McCallum2013-12-031-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3368
* Make schema files conform to new updaterPetr Viktorin2013-11-181-2/+2
| | | | | | | | | | | | | | | | | The new schema updater only compares textual representations of schema elements, as formatted by python-ldap. This works well, but it is too strict for the current schema files in two ways: - For attribute names in MAY and MUST, the correct letter case must be used - AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if they are the same as its supertype's. When these restrictions are not followed, the updater will always overwrite the schema element. This is harmless but it fills up the log unnecessarily. Modify the schema files to conform to these restrictions. Part of the work for https://fedorahosted.org/freeipa/ticket/3454 Note: git's --word-diff option is recommended for viewing these changes
* Fix for small syntax error in OTP schemaNathaniel McCallum2013-07-111-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3765
* Add IPA OTP schema and ACLsNathaniel McCallum2013-05-171-0/+28
This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP
generated by cgit (git 2.34.1) at 2024-08-04 00:33:52 +0000