Allow users to remove their last OTP token

See: fedora-infra/noggin#579 Signed-off-by: Christian Heimes <[email protected]>
tiran · Apr 13, 2021 · 178aff6 · 178aff6
1 parent 1459834
commit 178aff6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -319,6 +319,12 @@ the moment we have about 120k users and we're hitting the default
 500k.
 
 
+## OTP Token
+
+The *IPA OTP Last Token* plugin is disabled to permit users to remove
+their last OTP token.
+
+
 ## License
 
 See file 'COPYING' for use and warranty information

diff --git a/updates/89-fas.update b/updates/89-fas.update
@@ -14,7 +14,6 @@ only:ipaUserAuthType: otp
 add:ipaUserObjectClasses: fasuser
 only:ipaUserSearchFields: uid,givenname,sn,mail,fasIRCNick
 
-
 # self-service permissions to allow users to modify their own mail address
 # and their own FAS attributes
 dn: $SUFFIX
@@ -110,5 +109,9 @@ add:aci: (targetattr = "memberUser")(targetfilter = "(&(objectclass=fasagreement
 dn: cn=config,cn=ldbm database,cn=plugins,cn=config
 replace: nsslapd-pagedlookthroughlimit:0::500000
 
+# Allow users to delete their last OTP token
+dn: cn=IPA OTP Last Token,cn=plugins,cn=config
+only:nsslapd-pluginenabled: off
+
 # Update Permissions (keep this at the bottom of the file)
 plugin: update_managed_permissions