Hi guys,
First of all, Thanks a lot for the tremendous work and efforts you’ve put in privacyIDEA! It’s such an awesome MFA system!
I’d like the new users,who have no tokens, to authenticate to the privacyIDEA webui using the userstore (their LDAP password in my case). Once a token is created, they should use their password + OTP token to authenticate.
Is it possible to set a period of time for how long users can only still their passwords before enforcing them to use their password + OTP token?
Thanks
Hi @codesmaker
welcome to the privacyIDEA community.
You could use the passthru policy and the logon mode privacyidea. This way a user, who has no token can authenticate with his ldap password. As soon as a user gets a token enrolled, he will have to authenticate with the OTP PIN (ldap password) and OTP value.
If you want the user to be able to login either with his OTP token or also with his LDAP password only, this would also be possible by enrolling a spass token to the user, that will authenticate the user with his LDAP password. Then, as the user gets an HOTP token, you can run a script handler, that set a validity period on the SPASS token. And finally you could have a handler, that deletes the token.
This is cool. We do such things in our special projects. 
Take a look at the script repo, to get an idea.
Hi @cornelinux,
Thanks a lot for your answer.
I tried it and it worked. The problem is that if a user doesn’t create an OTP token, he would still be able to authenticate against his LDAP password only. So the passthru policy would give a user a way to create his OTP token for the first time but if he chooses to ignore, he would still be able to authenticate. Is there a way to only apply the passthru policy for a certain amount of time? Just to let the new users to create their OTP tokens?
Cool stuff. I’ll also give the SPASS tokens a try.
Thanks
Hi @codesmaker
this is hard to tell. This is a conceptual aspect, that is hard to cover in this place.
You might work with validity periods of spass tokens.
You might delete the passthru policy after some time.
You might work with event handlers and script handlers.
This is deep into rollout scenarios where are a lot of different ways to handle this and which very much depends on your needs, your workflows, your user structure, your user expectations, your helpdesk…
Hi @cornelinux,
OK. I thought it could be made out of the box and I just missed a setting or something.
Thanks a lot for the great explanation and tips.
1 Like