Is there an API endpoint I can use to perform OTP verification without the user's password (i.e. just with their DN or uid)?
I've got a non-web application with its own authentication system that I'd like to add MFA to, and I'd rather avoid copying the OTP secrets to it or re-writing the application.
Adam Bishop via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Is there an API endpoint I can use to perform OTP verification without the user's password (i.e. just with their DN or uid)?
> I've got a non-web application with its own authentication system that I'd like to add MFA to, and I'd rather avoid copying the OTP secrets to it or re-writing the application.
Not by default. IPA isn't a full RADIUS responder, but ipa-otpd speaks enough of the protocol to verify the concatenation of password + OTP code. It accomplishes this by performing an LDAP bind, for which it needs the user's password. This information isn't otherwise exposed.
Thanks, --Robbie
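As an added illustration of the verification path Robbie describes (example code, not from this thread or from the FreeIPA project), the following builds a RADIUS Access-Request whose User-Password attribute carries the user's password immediately followed by the OTP code, hidden as RFC 2865 section 5.2 specifies, and then unpacks it the way a responder such as ipa-otpd must before it can attempt the LDAP bind. The user name, password, OTP and shared secret are constructed sample values, and the transport to ipa-otpd is out of scope.

```python
import hashlib
import os
import struct
ACCESS_REQUEST = 1      # RADIUS packet Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

def _md5_chain(data, secret, authenticator, decrypt):
    """RFC 2865 s5.2: XOR each 16-octet block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)   # chain feeds ciphertext forward
    return out

def pap_encrypt(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    return _md5_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)

def pap_decrypt(hidden, secret, authenticator):
    return _md5_chain(hidden, secret, authenticator, True).rstrip(b"\x00")

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user, password, otp, secret, ident=0, authenticator=b""):
    """Client side: password and OTP code are concatenated into a single User-Password."""
    authenticator = authenticator or os.urandom(16)   # 16-octet Request Authenticator
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(
        ATTR_USER_PASSWORD, pap_encrypt((password + otp).encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    """Responder side (what ipa-otpd must do before its LDAP bind): recover name and password+OTP."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, out = packet[4:20], 20, {"ident": ident}
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if kind == ATTR_USER_NAME:
            out["user"] = value.decode()
        elif kind == ATTR_USER_PASSWORD:
            out["password_plus_otp"] = pap_decrypt(value, secret, authenticator).decode()
    return out
```

Because the responder can only recover the password+OTP string as a unit, the shared secret and the LDAP bind are the whole of the check, which is why there is no path to verify the OTP half alone.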