> On May 18, 2015, at 04:31, Martin Kosek <mko...@redhat.com> wrote:
>
>> On 05/18/2015 01:49 AM, Janelle wrote:
>>> On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
>>>> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
>>>>> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>>>>>> On 04/17/2015 08:07 PM, Janelle wrote:
>>>>>>
>>>>>> On Apr 17, 2015, at 16:36, Dmitri Pal <d...@redhat.com> wrote:
>>>>>> <snip> for shorter thread....
>>>>>> Simple. And my test made it simple.
>>>>>> Stand up new vm running fc21/freeipa.
>>>>>> Configure user.
>>>>>> Add password.
>>>>>> Add token.
>>>>>>
>>>>>> Login to the vm with the user created using password. Kerberos
>>>>>> ticket assigned, all is well.
>>>>>>
>>>>>> Login to web interface with admin. Change user to OTP only.
>>>>>> Go to web UI and click sync OTP.
>>>>>> Enter username, password and 2 OTP sequences. Click sync. Error
>>>>>> appears.
>>>>>>
>>>>>> Now, ssh to same vm using OTP username. Enter password + OTP
>>>>>> value.
>>>>>> Login successful.
>>>>> I can reproduce this issue with demo instance.
>>>>> I will file a bug later today.
>>>>> I think it is a bug with sync.
>>>>> Which token do you use, time based or event based?
>>>> TOTP...
>>>>
>>>> Hmm, makes me wonder - with HOTP fail the same? Off to try it.
>>> This should just affect TOTP. I have posted a patch that should fix
>>> this problem. Are you able to test it?
>>>
>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
>>>
>> Sorry - I just got around to testing this and it does resolve the problem -
>> HOWEVER, you took away the ability to "Name" the tokens? They are now
>> "assigned" unique IDs??
>>
>> Was this intentional?
>
> It was, we track this (half-done) change in this ticket:
> https://fedorahosted.org/freeipa/ticket/4456
>
> The main problem here is that user token names share the same name space and we
> thus do not want to create completely arbitrary names as they would collide.
>
> Applications like FreeOTP allow users to set own labels, so this is IMO the way
> how to add friendly names to the OTP tokens.
>
> Martin
Makes sense, my only concern is syncing tokens. Once you add a second token and want to sync it you have to give it a token ID, otherwise it does not know which to sync. In the past if you named it, that was easy, but it does not seem to take the description field as a token name. Guess I need to tell my users it is cut/paste time, or is there another option perhaps?

Also, I am looking for a way to use both FreeOTP and yubikey and wondering if anyone has tried this and possible caveats?

Janelle
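As an added example for the concern above about having to hand a token ID to the sync step (this is not code from the thread or from FreeIPA itself): a small shell helper that resolves the assigned Unique ID from the token's Description in `ipa otptoken-find` output, and refuses to sync when the description is missing or matches more than one token. The `ipa` option names (`--owner`, `--desc`, `--user`, `--first-code`, `--second-code`) and the output layout in the constructed sample are assumptions from memory; check `ipa otptoken-sync --help` on your own client.

```shell
#!/bin/sh
# Added example, not from the thread: pick a FreeIPA OTP token's assigned
# Unique ID by its Description so the ID need not be copied by hand.
# Assumed: ipa client installed, otptoken-find output laid out like SAMPLE,
# and the ipa option names below (verify with `ipa otptoken-sync --help`).

# Print the Unique ID of every token whose Description equals $1.
# Reads `ipa otptoken-find` output on stdin.
token_id_for_desc() {
    awk -v want="$1" '
        /^[[:space:]]*Unique ID:/ {
            sub(/^[[:space:]]*Unique ID:[[:space:]]*/, ""); id = $0
        }
        /^[[:space:]]*Description:/ {
            sub(/^[[:space:]]*Description:[[:space:]]*/, "")
            if ($0 == want) print id
        }'
}

# Sync the one token of $1 described by $2 using two consecutive codes.
# The password is deliberately not passed on the command line; ipa prompts.
sync_token_by_desc() {
    user=$1 desc=$2 code1=$3 code2=$4
    ids=$(ipa otptoken-find --owner="$user" --desc="$desc" | token_id_for_desc "$desc")
    set -- $ids
    case $# in
        1) ipa otptoken-sync --user="$user" --first-code="$code1" --second-code="$code2" "$1" ;;
        0) echo "no token described '$desc' for $user" >&2; return 1 ;;
        *) echo "'$desc' matches several tokens, pass an ID instead: $ids" >&2; return 1 ;;
    esac
}

# Constructed sample of otptoken-find output: two tokens, one per device.
SAMPLE='----------------------
2 OTP tokens matched
----------------------
  Unique ID: 11111111-2222-3333-4444-555555555555
  Type: TOTP
  Description: phone
  Owner: janelle

  Unique ID: 66666666-7777-8888-9999-000000000000
  Type: TOTP
  Description: yubikey
  Owner: janelle
----------------------------
Number of entries returned 2
----------------------------'

printf '%s\n' "$SAMPLE" | token_id_for_desc phone   # 11111111-2222-3333-4444-555555555555
```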