On 2017-05-17 12:06, Andrey Dudin wrote: > Hello > > If I do ipa user-mod test --user-auth-type=password > --user-auth-type=otp I have user: > > [root@ipa-centos]# ipa user-show test > User login: test > First name: test > Last name: test > Home directory: /home/test > Login shell: /bin/sh > Principal name: t...@mydomain.com <mailto:t...@mydomain.com> > Principal alias: t...@mydomain.com <mailto:t...@mydomain.com> > Email address: t...@mydomain.com <mailto:t...@mydomain.com> > UID: 152200001 > GID: 152200001 > User authentication types: otp, password > Account disabled: False > Password: True > Member of groups: trust admins, ipausers, admins > Kerberos keys available: True > > I can login into ipa-client.mydomain.com > <http://ipa-client.mydomain.com> to ssh using password+otp token, but > for login to IPA Web UI I also need password+otp. I need just password > for IPA Web UI and password+otp token for ssh on ipa-client.mydomain.com > <http://ipa-client.mydomain.com>. It's currently not possible to use password-only login when both 2FA and password-only are enabled for a user. It's a limitation of the web UI. I filed a bug report to track the issue, https://pagure.io/freeipa/issue/7068
Regards, Christian -- Christian Heimes Senior Software Engineer, Identity Management and Platform Security Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
signature.asc
Description: OpenPGP digital signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org