On Thu, 2013-10-10 at 12:44 -0400, Dmitri Pal wrote: > On 10/10/2013 10:51 AM, Nathaniel McCallum wrote: > > On Thu, 2013-10-10 at 10:04 +0200, Jan Cholasta wrote: > >> On 12.9.2013 22:47, Nathaniel McCallum wrote: > >>> On Thu, 2013-09-05 at 00:04 -0400, Nathaniel McCallum wrote: > >>>> patch attached > >>> Update for ./makeapi attached. > >>> > >> Is ipaUserAuthType relevant only to Kerberos or to user authentication > >> in general? For example, if "password" is removed from ipaUserAuthType > >> of an user, will I be able to authenticate as that user with LDAP simple > >> authentication? > > If only "otp" is set, yes via password+otp. > > > > If only "radius" is set, this behavior is currently undefined. We should > > probably define it. > > If RADIUS is used you always rely on the external system to provide > authentication for this user. > Is this the definition you are looking for?
For Kerberos, yes. For LDAP, no. For LDAP, if "radius" is present, single factor authentication should probably be permitted. Nathaniel _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
