When using an e-mail address as the user name at login and performing multi-factor authentication such as HOTP through an authentication chain, it is assumed that the following settings are made:

1. Configure the LDAP data store with uid as the LDAP Users Search Attribute.
2. Configure the LDAP auth module with mail as the Attributes Used to Search for a User to be Authenticated.
3. Configure the HOTP auth module.
4. Configure an auth chain with the required modules LDAP + HOTP.
5. Try the above auth chain.

However, this configuration does not work. That is because what is passed as the username to HOTP authentication is the e-mail address, and with this value HOTP authentication cannot get the user from the data store.

The fix for OPENAM-4856 was changed to use the alias attribute. This applies only to HOTP auth. Therefore, multiple authentication modules have the same problem.

The alias attribute allows multiple searches to identify users. Not only does this increase processing, I think there is also a risk of matching another user. We need a solution that does not use alias attributes.
Steps to reproduce
See Description.
Expected Results
HOTP authentication works fine.
Actual Results
Because HOTP authentication cannot identify the user, it cannot send one-time passwords.
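The following is an added Python model of the problem described in this issue; it is not OpenAM code and does not use any OpenAM API. It assumes a constructed in-memory directory with the two attributes the report names (uid as the data-store search attribute, mail as the LDAP module's search attribute) plus a hypothetical employeeNumber attribute, and it models three things: the chain as configured above (the raw login is handed to HOTP, so the uid lookup fails), a chain that hands HOTP the identifier the data store actually searches by, and an alias-style multi-attribute lookup, where a value present under different attributes on two entries resolves to two users, which is the ambiguity the report warns about.

```python
"""Model of an LDAP + HOTP authentication chain (constructed example, not OpenAM code)."""

# Constructed sample directory. "employeeNumber" is a hypothetical extra
# attribute included only to show how a multi-attribute alias lookup can
# collide: alice's employeeNumber equals bob's uid.
DIRECTORY = [
    {"uid": "alice", "mail": "alice@example.com", "employeeNumber": "1001"},
    {"uid": "1001", "mail": "bob@example.com", "employeeNumber": "2002"},
]


def search(directory, attr, value):
    """Exact-match search on a single attribute; returns every matching entry."""
    return [entry for entry in directory if entry.get(attr) == value]


def ldap_module(directory, login, search_attr="mail"):
    """LDAP auth module: find the user by the module's configured search
    attribute (mail). Returns the entry on a unique match, else None."""
    matches = search(directory, search_attr, login)
    return matches[0] if len(matches) == 1 else None


def hotp_module(directory, username, search_attr="uid"):
    """HOTP module: it can only look the user up through the data store's
    LDAP Users Search Attribute (uid). Returns the entry or None."""
    matches = search(directory, search_attr, username)
    return matches[0] if len(matches) == 1 else None


def alias_lookup(directory, value, alias_attrs=("uid", "mail", "employeeNumber")):
    """Alias-attribute style resolution: one search per configured attribute,
    results unioned. Returns the distinct matches so ambiguity is visible."""
    distinct = {}
    for attr in alias_attrs:
        for entry in search(directory, attr, value):
            distinct[entry["uid"]] = entry
    return list(distinct.values())


def chain_passing_login(directory, login):
    """The chain as configured in the report: HOTP receives the raw login
    (an e-mail address), which the uid-based lookup cannot resolve."""
    user = ldap_module(directory, login)
    if user is None:
        return None
    return hotp_module(directory, login)


def chain_passing_resolved_uid(directory, login):
    """A chain that forwards the uid resolved by the LDAP module, so HOTP
    searches the data store by the attribute it is configured for."""
    user = ldap_module(directory, login)
    if user is None:
        return None
    return hotp_module(directory, user["uid"])


if __name__ == "__main__":
    login = "alice@example.com"
    print("raw login to HOTP :", chain_passing_login(DIRECTORY, login))
    print("resolved uid to HOTP:", chain_passing_resolved_uid(DIRECTORY, login))
    print("alias lookup '1001' :", [e["uid"] for e in alias_lookup(DIRECTORY, "1001")])
```

Running the script shows the first chain returning None for a valid user, the second chain returning alice's entry, and the alias lookup for "1001" returning both alice and bob, which is why a single canonical identifier handed down the chain is preferable to widening the search.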