9:29 a.m.
There have been a couple threads about this in this forum, but I have not been able to
make anything work from those threads. I have a group of non-admin users that I would
like to have able to manage OTP tokens for all users.
I have attempted to create a permission, and have assigned it to the users via a
privilege.
Here's the permission:
$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow ||
ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner ||
ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow ||
ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid")(targetfilter =
"(objectclass=ipatokenotpconfig)")(version 3.0;acl
"permission:test";allow (all) groupdn =
"ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
(membership information removed from above output, but it shows the proper members)
When users with this permission attempt to see OTP tokens, they can only see their own
tokens.
Any ideas would be greatly appreciated.
4:11 p.m.
New subject: Permission to create and manage OTP Tokens for non-admin user
Russ Long via FreeIPA-users wrote:
There have been a couple threads about this in this forum, but I have
not been able to make anything work from those threads. I have a group of non-admin users
that I would like to have able to manage OTP tokens for all users.
I have attempted to create a permission, and have assigned it to the users via a
privilege.
Here's the permission:
$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow ||
ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner ||
ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow ||
ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid")(targetfilter =
"(objectclass=ipatokenotpconfig)")(version 3.0;acl
"permission:test";allow (all) groupdn =
"ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
(membership information removed from above output, but it shows the proper members)
When users with this permission attempt to see OTP tokens, they can only see their own
tokens.
Any ideas would be greatly appreciated.
You need to add objectclass to the set of attributes.
This ACI is rather comprehensive. You'll want to consider the case of a
bad actor that would try to delete all tokens.
rob
7:15 a.m.
New subject: Permission to create and manage OTP Tokens for non-admin user
I will try this, thanks. Regarding the ACI, this is for a limited number of
not-full-admin users who are expected to be able to change/delete any otp token, but I
definitely appreciate the warning.
7:28 a.m.
New subject: Permission to create and manage OTP Tokens for non-admin user
Tried adding objectclass to the attrs, but it is entirely possible I did something
incorrect as the users are still unable to view other OTP tokens
Here's the current state of the policy:
$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow ||
ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner ||
ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow ||
ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid ||
objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")(version
3.0;acl "permission:test";allow (all) groupdn =
"ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
(Again, membership info has been removed, but shows the expected and proper members)
7:32 a.m.
New subject: Permission to create and manage OTP Tokens for non-admin user
Russ Long via FreeIPA-users wrote:
Tried adding objectclass to the attrs, but it is entirely possible I
did something incorrect as the users are still unable to view other OTP tokens
Here's the current state of the policy:
$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow ||
ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner ||
ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow ||
ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid ||
objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")(version
3.0;acl "permission:test";allow (all) groupdn =
"ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
(Again, membership info has been removed, but shows the expected and proper members)
Ah right, the objectclass IIRC is wrong too. I think it should be ipatoken.
The default token ACIs sit in $SUFFIX and not under
cn=otp,cn=etc,dc=ipa. I don't think that makes a fundamental difference
but it might.
rob
8:16 a.m.
New subject: Permission to create and manage OTP Tokens for non-admin user
Thanks again Rob for the help, the below permission is now working properly.
$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatoken)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow ||
ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner ||
ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow ||
ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid ||
objectclass")(targetfilter = "(objectclass=ipatoken)")(version 3.0;acl
"permission:test";allow (all) groupdn =
"ldap:///cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
93
days inactive
94
days old
freeipa-users@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Rob Crittenden -
Russ Long