
FreeIPA MFA for AD users

0 votes
1 answer
1598 views
I've set up a FreeIPA POC (CentOS 7, FreeIPA 4.7, two FreeIPA servers as multi-master with some clients). Added OTPs for several users and made it work with RADIUS for VPN access authentication purposes. Next, I've added an AD trust and I am able to log in as an AD user. All groovy. Now I'd like to enforce MFA for AD users by adding OTP tokens for them. Is it possible at all? Since an AD user authenticates against AD, shouldn't it be AD that provides MFA?

FreeIPA behaves strangely when it comes to AD users (mapped via an external group and a POSIX group): AD user 'ipatest' is visible with the 'id' command (and has its own UID, GID and so on) but cannot be found via the 'ipa user-find' command, even with the specific UID provided:

    admin@ipa-poc-1 ~ $ id ipatest@lab.trusteddomain.com
    uid=748801177(ipatest@lab.trusteddomain.com) gid=748801177(ipatest@lab.trusteddomain.com) groups=748801177(ipatest@lab.trusteddomain.com),748800513(domain users@lab.trusteddomain.com),748801180(linuxusers@lab.trusteddomain.com),793600008(ad_users)
    admin@ipa-poc-1 ~ $ ipa user-find ipatest
    ---------------
    0 users matched
    ---------------
    ----------------------------
    Number of entries returned 0
    ----------------------------
    admin@ipa-poc-1 ~ $ ipa user-find ipatest@lab.trusteddomain.com
    ---------------
    0 users matched
    ---------------
    ----------------------------
    Number of entries returned 0
    ----------------------------
    admin@ipa-poc-1 ~ $ ipa user-find ipatest@TRUSTEDOMAIN-LAB
    ---------------
    0 users matched
    ---------------
    ----------------------------
    Number of entries returned 0
    admin@ipa-poc-1 ~ $ ipa user-find uid=748801177
    ---------------
    0 users matched
    ---------------
    ----------------------------
    Number of entries returned 0
    ----------------------------

I reckon it is due to the one-way trust with the AD domain, but I'm not sure here. Since the 'ipa otptoken-add' command requires an 'owner' parameter (type string, and it doesn't work with a UID), I cannot add an OTP token for this user.

Another approach I've tried (since the ipa otptoken-add command by default uses the current user as owner) was to log on as the AD user and create an OTP token 'for myself', but it didn't work either:

    ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ kinit ipatest@lab.trusteddomain.com
    Password for ipatest@lab.trusteddomain.com:
    ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ ipa otptoken-add --type='TOTP'
    ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa-poc-1.lab/ipa/json , https://ipa-poc-2.lab/ipa/json

So, to make it short:

1. Is it possible to add an OTP token to an external AD user?
2. How to do it?

rgrds
noob
Asked by just_a_noob (101 rep)
Feb 19, 2021, 12:33 PM
Last activity: Feb 19, 2021, 03:27 PM
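The behaviour in the question follows from how FreeIPA stores the two kinds of account: an IPA-managed user is an LDAP entry under cn=users,cn=accounts that `ipa user-find` searches and that an OTP token's owner attribute points at, while a trusted-AD user is resolved on the fly by SSSD from the trusted domain and has no such entry, so `ipa user-find` returns nothing and `ipa otptoken-add --owner` has nothing to reference. The script below is an added example, not part of the original post or of FreeIPA itself: a pre-flight check that tells the two kinds of principal apart from the name form seen in the `id` output quoted above before calling the real `ipa otptoken-add --type=totp --owner=...`. The domain names in `IPA_DOMAIN` and `TRUSTED_DOMAIN`, the sample `id` line, the `DRY_RUN` switch and the suffix heuristic are assumptions for illustration; on an enrolled client, `ipa user-show NAME` (non-zero exit for a trust user) is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to add a FreeIPA OTP
# token for a trusted-AD user, since only IPA-managed user entries can own one.
# Assumed environment: IPA domain "lab", trusted AD domain
# "lab.trusteddomain.com"; both are overridable through the environment.

IPA_DOMAIN="${IPA_DOMAIN:-lab}"
TRUSTED_DOMAIN="${TRUSTED_DOMAIN:-lab.trusteddomain.com}"

# Constructed sample: the `id` output for the trust user from the question.
SAMPLE_ID_OUTPUT='uid=748801177(ipatest@lab.trusteddomain.com) gid=748801177(ipatest@lab.trusteddomain.com) groups=748801177(ipatest@lab.trusteddomain.com),748800513(domain users@lab.trusteddomain.com),748801180(linuxusers@lab.trusteddomain.com),793600008(ad_users)'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# principal_domain NAME: prints the part after '@', or nothing if unqualified.
principal_domain() {
  case "$1" in
    *@*) printf '%s\n' "${1#*@}" ;;
    *)   printf '\n' ;;
  esac
}

# account_kind NAME: "ipa" for an IPA-managed user (unqualified, or qualified
# with the IPA domain/realm), "trust" for a user qualified with another
# domain, i.e. one resolved by SSSD from a trusted AD forest.
account_kind() {
  d=$(lower "$(principal_domain "$1")")
  if [ -z "$d" ] || [ "$d" = "$(lower "$IPA_DOMAIN")" ]; then
    echo ipa
  else
    echo trust
  fi
}

# uid_name_from_id ID_OUTPUT: pulls the account name out of `id` output,
# e.g. "uid=748801177(ipatest@lab.trusteddomain.com) ..." -> the name in ().
uid_name_from_id() {
  printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# add_totp OWNER: add a TOTP token for an IPA user; refuse for a trust user.
# DRY_RUN=1 prints the command instead of running it (the ipa CLI only works
# on an enrolled client with a ticket that may manage tokens).
add_totp() {
  owner=$1
  if [ "$(account_kind "$owner")" = trust ]; then
    echo "refuse: $owner is a trusted-domain user; an OTP token owner must be an IPA user" >&2
    return 2
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'ipa otptoken-add --type=totp --owner=%s\n' "$owner"
  else
    ipa otptoken-add --type=totp --owner="$owner"
  fi
}

# Stand-alone demo: classify the sample account, then try both kinds in dry run.
if [ "${1:-}" = demo ]; then
  name=$(uid_name_from_id "$SAMPLE_ID_OUTPUT")
  echo "$name -> $(account_kind "$name")"
  DRY_RUN=1 add_totp admin
  DRY_RUN=1 add_totp "$name" || echo "exit status $?"
fi
```

Run with `sh check-otp-owner.sh demo` (file name assumed) to see the classification and the refused call. The suffix heuristic deliberately treats `admin@LAB` as an IPA user, because a Kerberos-style realm suffix matches the IPA domain case-insensitively; anything qualified with a different domain is taken to be a trust user.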