[Freeipa-devel] [PATCH 0015] Add support for managing user auth types

Dmitri Pal dpal at redhat.com
Thu Oct 10 19:53:05 UTC 2013


On 10/10/2013 03:13 PM, Nathaniel McCallum wrote:
> On Thu, 2013-10-10 at 12:44 -0400, Dmitri Pal wrote:
>> On 10/10/2013 10:51 AM, Nathaniel McCallum wrote:
>>> On Thu, 2013-10-10 at 10:04 +0200, Jan Cholasta wrote:
>>>> On 12.9.2013 22:47, Nathaniel McCallum wrote:
>>>>> On Thu, 2013-09-05 at 00:04 -0400, Nathaniel McCallum wrote:
>>>>>> patch attached
>>>>> Update for ./makeapi attached.
>>>>>
>>>> Is ipaUserAuthType relevant only to Kerberos or to user authentication
>>>> in general? For example, if "password" is removed from ipaUserAuthType
>>>> of a user, will I be able to authenticate as that user with LDAP simple
>>>> authentication?
>>> If only "otp" is set, yes via password+otp.
>>>
>>> If only "radius" is set, this behavior is currently undefined. We should
>>> probably define it.
>> If RADIUS is used you always rely on the external system to provide
>> authentication for this user.
>> Is this the definition you are looking for?
> For Kerberos, yes. For LDAP, no. For LDAP, if "radius" is present,
> single factor authentication should probably be permitted.
>
> Nathaniel
>
Why do you think they should be inconsistent?
If you want to have this case covered, I think we need a separate type,
something like "kerberos_radius", which will work only in Kerberos but
not in LDAP.
But IMO such a mode will create a lot of confusion.
We can also do "kerberos_radius_ldap_pwd_and_radius", which would allow
RADIUS for Kerberos and allow local LDAP password or RADIUS for bind, but
I do not see a reason for this case.
Can you explain?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

