Russ Long via FreeIPA-users wrote:
Tried adding objectclass to the attrs, but it is entirely possible I did something incorrect, as the users are still unable to view other OTP tokens.
Here's the current state of the policy:
$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow ||
ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner ||
ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow ||
ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid ||
objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")(version
3.0;acl "permission:test";allow (all) groupdn =
"ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
(Again, membership info has been removed, but shows the expected and proper members)
Ah right, the objectclass IIRC is wrong too. I think it should be ipatoken.
The default token ACIs sit in $SUFFIX and not under
cn=otp,cn=etc,dc=ipa. I don't think that makes a fundamental difference
but it might.
rob
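A small offline check of a `permission-show --all --raw` dump for the two points raised in the thread (which objectclass the target filter selects, and whether objectclass is among the granted attributes). This is an added example, not code from the thread or from FreeIPA; the expected objectclass `ipatoken` follows Rob's suggestion above, and the sample input is an abbreviated copy of the output Russ posted.

```python
"""Check raw `ipa permission-show --all --raw` output for the token-ACI
issues discussed in the thread."""

# Constructed sample: the raw output quoted above, trimmed to the
# attributes this check looks at.
RAW_OUTPUT = """\
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
"""


def parse_raw(text):
    """Parse `attr: value` lines into {attr: [values]} (attrs are multi-valued)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_token_permission(text, expected_oc="ipatoken"):
    """Return a list of findings; an empty list means both checks passed."""
    attrs = parse_raw(text)
    findings = []
    # The target filter decides which entries the ACI applies to. If it
    # selects a different objectclass than the token entries carry, the
    # grant never reaches the tokens, whatever attributes it lists.
    filters = [f.lower() for f in attrs.get("ipapermtargetfilter", [])]
    if f"(objectclass={expected_oc})" not in filters:
        findings.append(
            f"targetfilter does not select objectclass={expected_oc}: {filters}")
    # objectclass itself must be readable for a client to list the entries.
    included = {a.lower() for a in attrs.get("ipapermincludedattr", [])}
    if "objectclass" not in included:
        findings.append("objectclass is not among the included attributes")
    return findings


if __name__ == "__main__":
    for finding in check_token_permission(RAW_OUTPUT) or ["no findings"]:
        print(finding)
```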