OTPOverRadius IPA vs Krb

Nathaniel McCallum npmccallum at redhat.com
Wed Jun 19 14:43:26 EDT 2013


On Wed, 2013-06-12 at 00:28 -0700, Henry B. Hotz wrote:
> OK, so this isn't a question for Dimitri.  How does one set the required "user string" with kadmin?
> 
> Would it be
> 
> kadmin.local:  set_string smith@TEST.REALM otp "[{}]"
> kadmin.local:  

Yes. However, you should be aware that you will also need to disable
other preauth mechs, or you are not likely to get the behavior you
desire. FreeIPA does this by returning 0 keys for the user with otp
enabled. You can do this manually for all users by disabling the plugins
in the KDC. There is currently no way to delete the keys for the user
without a KDB plugin.

Nathaniel
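
Added illustration, not part of the original message: a krb5.conf fragment for the KDC host showing one way to disable other preauth modules KDC-wide, as the reply describes. The module names are the built-in kdcpreauth modules listed in the MIT krb5.conf documentation; which of them to disable is an assumption about the deployment.

```ini
# krb5.conf on the KDC host (added example; restart krb5kdc after editing).
# Assumption: every principal served by this KDC should be limited to OTP.
# The setting is KDC-wide, so it affects all users, not only those with the
# "otp" string attribute set through kadmin set_string.
[plugins]
    kdcpreauth = {
        # Password-derived mechanisms that a client could otherwise
        # choose instead of OTP.
        disable = encrypted_timestamp
        disable = encrypted_challenge
        # Disable only if PKINIT is not needed. OTP runs inside a FAST
        # tunnel, and anonymous PKINIT is one way clients obtain the
        # armor ticket for that tunnel.
        # disable = pkinit
    }
```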


