Hi Aurelien,

> Yeah, but there is no API in IPA to do that (we did consider it when
> writing the code).
> I've been working on this issue yesterday, trying to find a
> workaround, but my tests didn't give something usable. I've asked the
> FreeIPA folks on IRC and they had no solution (but they had meetings,
> so maybe later).

There is an API to verify the token during LDAP bind. However, it only considers active and not disabled tokens. There is also an API to synchronize token values during LDAP bind. It also only looks into enabled tokens.

So technically you can have something like:

- create OTP token and mark it disabled
- show OTP token configuration details to a user
- ask user for this token validation: enter a password and a value
- enable token
- verify token
- if verification fails, disable the token again

> I've noticed that Christian proposed a possible (hackish) way of doing
> it yesterday evening in the AAA channel, I'll try that on Monday.
>
> Again, there is no API in IPA to do that. Christian suggested a
> workaround where we could use a HOTP token to get a similar result,
> however the user would still need to enroll the hotp token, so if they
> can't enroll their TOTP or if it fails, there's little chance
> enrolling the HOTP token will not fail as well.

You can enroll that token automatically and disable it.

--
/ Alexander Bokovoy

_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
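The six-step enrolment flow Alexander sketches above, as an added worked example (editor's code, not part of the mail and not FreeIPA's own code). It models the one server property the whole trick depends on: the LDAP bind that checks password+OTP ignores disabled tokens, so a token created disabled cannot be validated until it is switched on. The `FakeIpa` class, the user `alice`, the password, the timestamp and the one-step clock-drift window are constructed for the example; its `otptoken_add` / `otptoken_mod` methods are named after the `ipa otptoken-add --disabled` and `ipa otptoken-mod --disabled=...` commands they stand in for, and the HOTP/TOTP arithmetic follows RFC 4226 / RFC 6238. Against a real server the bind step would be a simple LDAP bind to the IPA directory with the password and OTP value concatenated.

```python
"""Constructed demo of: create token disabled, show it, enable, verify by bind,
disable again on failure. Not FreeIPA code; FakeIpa is an in-memory stand-in."""
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(key, now // interval, digits)


class FakeIpa:
    """Stand-in for the server (constructed, not FreeIPA code). Tokens carry a
    'disabled' flag and bind() consults enabled tokens only, as the mail describes."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}
        self.tokens: dict[str, dict] = {}

    def add_user(self, uid: str, password: str) -> None:
        self.users[uid] = password

    def otptoken_add(self, owner: str, disabled: bool = True, digits: int = 6):
        """Stands in for 'ipa otptoken-add ... --disabled' (assumed mapping).
        Returns the token id and the secret that would be shown to the user
        as the otpauth:// URI / QR code (step 2 of the mail)."""
        token_id = secrets.token_hex(8)
        key = secrets.token_bytes(20)
        self.tokens[token_id] = {"owner": owner, "key": key,
                                 "digits": digits, "disabled": disabled}
        return token_id, key

    def otptoken_mod(self, token_id: str, disabled: bool) -> None:
        """Stands in for 'ipa otptoken-mod TOKEN --disabled=...' (assumed mapping)."""
        self.tokens[token_id]["disabled"] = disabled

    def bind(self, uid: str, credential: str, now: int) -> bool:
        """Simple bind with password+OTP concatenated. Disabled tokens are skipped,
        so a token created disabled can never validate through this path."""
        password = self.users.get(uid)
        if password is None:
            return False
        for token in self.tokens.values():
            if token["owner"] != uid or token["disabled"]:
                continue
            digits = token["digits"]
            if len(credential) <= digits:
                continue
            first, otp = credential[:-digits], credential[-digits:]
            if not hmac.compare_digest(first.encode(), password.encode()):
                continue
            # one time step of drift either side (an assumption of this fake)
            for step in (-1, 0, 1):
                expected = totp(token["key"], now + 30 * step, digits=digits)
                if hmac.compare_digest(expected, otp):
                    return True
        return False


def validate_new_token(ipa: FakeIpa, uid: str, password: str,
                       token_id: str, otp_value: str, now: int) -> bool:
    """Steps 4 to 6 of the mail: enable, verify via bind, disable again on failure.
    True means the token is validated and left enabled."""
    ipa.otptoken_mod(token_id, disabled=False)
    if ipa.bind(uid, password + otp_value, now):
        return True
    ipa.otptoken_mod(token_id, disabled=True)
    return False


def demo() -> dict:
    """Runs the flow once for a good value and once for a bad one."""
    ipa = FakeIpa()
    ipa.add_user("alice", "correct horse")
    now = 1_700_000_000                      # constructed fixed clock
    token_id, key = ipa.otptoken_add("alice")  # step 1: created disabled
    # the disabled token is invisible to bind, even with the right value
    before = ipa.bind("alice", "correct horse" + totp(key, now), now)
    # step 3: the user types password and the value from the authenticator
    good = validate_new_token(ipa, "alice", "correct horse",
                              token_id, totp(key, now), now)
    token2, _ = ipa.otptoken_add("alice")
    bad = validate_new_token(ipa, "alice", "correct horse",
                             token2, "not-a-code", now)
    return {"bind_while_disabled": before, "good_value": good,
            "token1_disabled": ipa.tokens[token_id]["disabled"],
            "bad_value": bad, "token2_disabled": ipa.tokens[token2]["disabled"]}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would check before copying this. First, between step 4 and step 6 the token is a live second factor for the user: if the user has no other token yet, a bind during that window succeeds with any correct value, so keep the window short and make the disable-on-failure path unconditional (a timeout or exception must also end in `otptoken_mod(..., disabled=True)`). Second, the fake's drift window and its password-prefix split are modelling assumptions; the real server decides both, and, as the mail notes, the sync path has the same enabled-only behaviour, so a token whose clock has drifted must also be enabled before it can be resynchronised.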