There have been a couple of threads about this in this forum, but I have not been able to make anything work from those threads. I have a group of non-admin users that I would like to be able to manage OTP tokens for all users.
I have attempted to create a permission, and have assigned it to the users via a privilege.
Here's the permission:

$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:test";allow (all) groupdn = "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
(membership information removed from above output, but it shows the proper members)
When users with this permission attempt to see OTP tokens, they can only see their own tokens.
Any ideas would be greatly appreciated.
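Added check, not part of the post above or of FreeIPA itself: the permission is scoped to cn=otp,cn=etc (the global OTP configuration entry, objectclass ipatokenotpconfig), while token entries carry objectclass ipatoken and live under cn=otp directly beneath the suffix, which is how FreeIPA's own "System: ... OTP Tokens" permissions are scoped. The script below parses `ipa permission-show --raw` output (constructed from the post, attribute list trimmed) and reports that mismatch; the suffix and constant names are assumptions.

```python
import re

# Constructed from the permission shown in the post (attribute list trimmed, membership omitted).
POSTED_PERMISSION = """\
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpkey
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
"""

# Same permission rescoped to the token container and the ipatoken objectclass,
# matching FreeIPA's default token permissions (assumed suffix dc=ipa,dc=example,dc=com).
CORRECTED_PERMISSION = POSTED_PERMISSION.replace(
    "ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com",
    "ipapermlocation: cn=otp,dc=ipa,dc=example,dc=com",
).replace(
    "ipapermtargetfilter: (objectclass=ipatokenotpconfig)",
    "ipapermtargetfilter: (objectclass=ipatoken)",
)


def parse_raw(text):
    """Turn `ipa permission-show --raw` output into {attr: [values]} (multi-valued attrs kept)."""
    attrs = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def token_scope_problems(attrs, suffix="dc=ipa,dc=example,dc=com"):
    """List reasons the permission cannot match OTP token entries.
    Token entries (objectclass ipatoken) live under cn=otp,<suffix>; the entry
    with objectclass ipatokenotpconfig is the global OTP config under
    cn=otp,cn=etc,<suffix>, so an ACI scoped there never sees a token."""
    problems = []
    token_container = f"cn=otp,{suffix}".lower()
    for loc in attrs.get("ipapermlocation", []):
        if loc.lower() != token_container:
            problems.append(f"location {loc} is not the token container {token_container}")
    filters = " ".join(attrs.get("ipapermtargetfilter", [])).lower()
    if not re.search(r"\(objectclass=ipatoken\)", filters):
        problems.append(f"target filter {filters!r} does not select ipatoken entries")
    return problems
```

Running `token_scope_problems(parse_raw(POSTED_PERMISSION))` reports both the location and the filter; the corrected text reports nothing.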