Hello everybody,
First thank you for the great software and this support list!
I got a few questions:
version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64
1) I need to be able to set the initial password and not have it changed or expired after I add the user. I need users to be able to login straight away. What configuration file or policy option? And where can I change this for all users?
2) I want to change the default timeout for the OTP token, when generated from the GUI? (I am aware about the option with the CLI)
Thank you in advance,
Kind regards,
Jelle de Jong
On Thu, 14 Mar 2019, Jelle de Jong via FreeIPA-users wrote:
> Hello everybody,
> First thank you for the great software and this support list!
> I got a few questions:
> version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64
> - I need to be able to set the initial password and not have it
> changed or expired after I add the user. I need users to be able to login straight away. What configuration file or policy option? And where can I change this for all users?
See https://www.freeipa.org/page/New_Passwords_Expired for explanation why it is done this way and how this works.
An excellent third-party extension for FreeIPA that allows password resets to be handled by users themselves is https://github.com/larrabee/freeipa-password-reset
If you need to keep initial passwords for the users, you may want to amend your procedure to create those passwords like described in this email: https://www.redhat.com/archives/freeipa-users/2012-June/msg00360.html
> - I want to change the default timeout for the OTP token, when
> generated from the GUI? (I am aware about the option with the CLI)
According to https://pagure.io/freeipa/issue/4402, ipatokentotptimestep is only visible for TOTP token type because it makes no sense for HOTP.
This means that if you choose TOTP token, you'll see the time step field. For CLI this will be the same -- for HOTP token type time step is ignored.
Hello everybody,
On 14/03/2019 15:08, Jelle de Jong via FreeIPA-users wrote:
> Hello everybody,
> First thank you for the great software and this support list!
> I got a few questions:
> version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64
> - I need to be able to set the initial password and not have it changed
> or expired after I add the user. I need users to be able to login straight away. What configuration file or policy option? And where can I change this for all users?
> - I want to change the default timeout for the OTP token, when
> generated from the GUI? (I am aware about the option with the CLI)
I think I need to clarify. I would like to configure the default interval policy for the OTP when generating an OTP on the GUI website.
So from the cli this is the way: ipa otptoken-add --owner=<user> --type=totp --interval=90
How do I configure a default interval for totp on the GUI?
Kind regards,
Jelle de Jong
Jelle de Jong via FreeIPA-users wrote:
> Hello everybody,
> On 14/03/2019 15:08, Jelle de Jong via FreeIPA-users wrote:
>> Hello everybody,
>> First thank you for the great software and this support list!
>> I got a few questions:
>> version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64
>> - I need to be able to set the initial password and not have it
>> changed or expired after I add the user. I need users to be able to login straight away. What configuration file or policy option? And where can I change this for all users?
>> - I want to change the default timeout for the OTP token, when
>> generated from the GUI? (I am aware about the option with the CLI)
> I think I need to clarify. I would like to configure the default interval policy for the OTP when generating an OTP on the GUI website.
> So from the cli this is the way: ipa otptoken-add --owner=<user> --type=totp --interval=90
> How do I configure a default interval for totp on the GUI?
The term default is confusing. Do you mean the value when no setting is provided or are you asking "How do I set the interval when adding a token?"
Is there not a field "Clock interval (seconds)" in your UI when adding a token?
rob
On 22/03/2019 13:58, Rob Crittenden wrote:
> Jelle de Jong via FreeIPA-users wrote:
>> Hello everybody,
>> On 14/03/2019 15:08, Jelle de Jong via FreeIPA-users wrote:
>>> Hello everybody,
>>> First thank you for the great software and this support list!
>>> I got a few questions:
>>> version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64
>>> - I need to be able to set the initial password and not have it
>>> changed or expired after I add the user. I need users to be able to login straight away. What configuration file or policy option? And where can I change this for all users?
>>> - I want to change the default timeout for the OTP token, when
>>> generated from the GUI? (I am aware about the option with the CLI)
>> I think I need to clarify. I would like to configure the default interval policy for the OTP when generating an OTP on the GUI website.
>> So from the cli this is the way: ipa otptoken-add --owner=<user> --type=totp --interval=90
>> How do I configure a default interval for totp on the GUI?
> The term default is confusing. Do you mean the value when no setting is provided or are you asking "How do I set the interval when adding a token?"
> Is there not a field "Clock interval (seconds)" in your UI when adding a token?
Thank you Rob for clarifying.
As admin user there is a "Clock interval (seconds)" field. As normal ipauser that can add his own TOTP token there is no "Clock interval (seconds)" field.
I want to set the default value for the "Clock interval (seconds)" when the user generates his own TOTP token. Where can I configure this value (at the moment it is 30 seconds)?
The only fields available for the user are:
Time-based (TOTP) Counter-based (HOTP) Description
(Can I disable HOTP somewhere as well for the ipauser?)
Kind regards,
Jelle de Jong
Jelle de Jong wrote:
> On 22/03/2019 13:58, Rob Crittenden wrote:
>> Jelle de Jong via FreeIPA-users wrote:
>>> Hello everybody,
>>> On 14/03/2019 15:08, Jelle de Jong via FreeIPA-users wrote:
>>>> Hello everybody,
>>>> First thank you for the great software and this support list!
>>>> I got a few questions:
>>>> version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64
>>>> - I need to be able to set the initial password and not have it
>>>> changed or expired after I add the user. I need users to be able to login straight away. What configuration file or policy option? And where can I change this for all users?
>>>> - I want to change the default timeout for the OTP token, when
>>>> generated from the GUI? (I am aware about the option with the CLI)
>>> I think I need to clarify. I would like to configure the default interval policy for the OTP when generating an OTP on the GUI website.
>>> So from the cli this is the way: ipa otptoken-add --owner=<user> --type=totp --interval=90
>>> How do I configure a default interval for totp on the GUI?
>> The term default is confusing. Do you mean the value when no setting is provided or are you asking "How do I set the interval when adding a token?"
>> Is there not a field "Clock interval (seconds)" in your UI when adding a token?
> Thank you Rob for clarifying.
> As admin user there is a "Clock interval (seconds)" field. As normal ipauser that can add his own TOTP token there is no "Clock interval (seconds)" field.
Right you are. There isn't a way for users to manage this currently.
> I want to set the default value for the "Clock interval (seconds)" when the user generates his own TOTP token. Where can I configure this value (at the moment it is 30 seconds)?
There is no way to change the default, it is hardcoded.
> The only fields available for the user are:
> Time-based (TOTP) Counter-based (HOTP) Description
> (Can I disable HOTP somewhere as well for the ipauser?)
No.
rob
freeipa-users@lists.fedorahosted.org
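The time-step behaviour discussed in this thread, as an added example that is not part of any list message and is not FreeIPA's code: TOTP (RFC 6238) is HOTP (RFC 4226) with the counter derived from the clock, so the interval (30 seconds by default, 90 with `--interval=90`) decides how long one code stays current, while HOTP has no time input at all. It assumes HMAC-SHA1 and six digits, and uses the RFC test secret as constructed input.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret (constructed input, not a real key)


def hotp(secret, counter, digits=6):
    """RFC 4226: the code depends only on the secret and an event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def validity_window(unix_time, step):
    """First and last second for which the code current at unix_time is unchanged."""
    start = (unix_time // step) * step
    return start, start + step - 1


def codes_per_hour(step):
    """Number of distinct TOTP codes a token cycles through in one hour."""
    return 3600 // step


if __name__ == "__main__":
    now = 59  # constructed timestamp, the first one in the RFC 6238 test vectors
    for step in (30, 90):  # 30 = default named in the thread, 90 = --interval=90
        first, last = validity_window(now, step)
        print(f"step={step:>2}s code={totp(SECRET, now, step)} "
              f"current {first}..{last}s, {codes_per_hour(step)} codes/hour")
    # HOTP takes no time input, which is why a time step has no meaning for it.
    print("HOTP counters 0..2:", [hotp(SECRET, c) for c in range(3)])
```

Token and verifier must use the same step, and a longer step keeps each code current for proportionally longer.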