A flaw was reported in FreeIPA 4.0/4.1 where users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind.
This will be fixed in the next release. As support for OTP is not available in earlier versions, only FreeIPA >= 4.0 is affected.
Red Hat would like to thank FreeIPA upstream for reporting this issue.
This issue did not affect the versions of IPA as shipped with Red Hat Enterprise Linux 5, 6, or 7, as they did not include support for OTP.