From Fedora Project Wiki

(Created page with "{{QA/Test_Case |description=Internal OTP. |setup= === Prerequisites === <ol> <li>A FreeIPA instance setup like this.</li> <li>Google Aut...")
 
Line 10: Line 10:
=== Preparation ===
=== Preparation ===


First, log in as the admin:
Log in as the admin:
 
  # kinit admin
  # kinit admin


Second, we will create a user for OTP testing:
Create a user for OTP testing:
 
  # ipa user-add otp --random
  # ipa user-add otp --random


Third, we need to log in as the new user. This will force a password change. This is important since OTP does not yet implement password changing.
Log in as the new user. This will force a password change. This is important since OTP does not yet implement password changing.
# kinit otp


# kinit otp
{{admon/note | Password | Remember the password you create! It is your first factor.}}


==== Enabling OTP ====
==== Enabling OTP ====


Log back in as the admin:
# kinit admin
{{admon/important | Maximize Your Terminal | Just do it. Otherwise your [http://en.wikipedia.org/wiki/QR_code QR Code] won't display properly.}}
Once your terminal is maximized, enable OTP for the user:
# ipa-testday-otp otp


This command, if successful will print a [http://en.wikipedia.org/wiki/QR_code QR Code] to the terminal. Before you do anything else, scan this code using Google Authenticator. This will create a new token in Google Authenticator which you can use to log in. At this point, the user 'otp' can only log in via two factors.


==== Enabling FAST ====
==== Enabling FAST ====

Revision as of 15:56, 31 May 2013

Description

Internal OTP.

Setup

Prerequisites

  1. A FreeIPA instance setup like this.
  2. Google Authenticator on your Android, iOS or Blackberry device.

How to test

Preparation

Log in as the admin:

# kinit admin

Create a user for OTP testing:

# ipa user-add otp --random

Log in as the new user. This will force a password change. This is important since OTP does not yet implement password changing.

# kinit otp
Note.png
Password
Remember the password you create! It is your first factor.

Enabling OTP

Log back in as the admin:

# kinit admin
Important.png
Maximize Your Terminal
Just do it. Otherwise your QR Code won't display properly.

Once your terminal is maximized, enable OTP for the user:

# ipa-testday-otp otp

This command, if successful will print a QR Code to the terminal. Before you do anything else, scan this code using Google Authenticator. This will create a new token in Google Authenticator which you can use to log in. At this point, the user 'otp' can only log in via two factors.

Enabling FAST

Clients which will support OTP, like SSSD, will enable FAST automatically. However, for testing purposes, kinit requires manual configuration.

First, we need to log in as the admin user (or really any user) so that we can use this user's ccache to enable FAST.

# kinit admin
# klist

Expected Results

All the test steps should end with the specified results.