There have been a couple of threads about this in this forum, but I have not been able to make anything work from those threads. I have a group of non-admin users that I would like to be able to manage OTP tokens for all users.
I have attempted to create a permission, and have assigned it to the users via a privilege.
Here's the permission:

$ ipa permission-show test --all --raw
  dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
  cn: test
  ipapermright: all
  ipapermincludedattr: ipatokentotptimestep
  ipapermincludedattr: ipatokenotpalgorithm
  ipapermincludedattr: ipatokentotpwatermark
  ipapermincludedattr: ipatokenowner
  ipapermincludedattr: ipatokenotpdigits
  ipapermincludedattr: ipatokenuniqueid
  ipapermincludedattr: ipatokentotpclockoffset
  ipapermincludedattr: ipatokenotpkey
  ipapermincludedattr: cn
  ipapermincludedattr: ipatokenhotpsyncwindow
  ipapermincludedattr: ipatokenhotpauthwindow
  ipapermincludedattr: ipatokentotpsyncwindow
  ipapermincludedattr: ipatokentotpauthwindow
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
  ipapermtargetfilter: (objectclass=ipatokenotpconfig)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:test";allow (all) groupdn = "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: ipapermissionv2
(membership information removed from above output, but it shows the proper members)
When users with this permission attempt to see OTP tokens, they can only see their own tokens.
Any ideas would be greatly appreciated.
Russ Long via FreeIPA-users wrote:
> There have been a couple of threads about this in this forum, but I have not been able to make anything work from those threads. I have a group of non-admin users that I would like to be able to manage OTP tokens for all users.
> I have attempted to create a permission, and have assigned it to the users via a privilege.
> Here's the permission:
>
> $ ipa permission-show test --all --raw
>   dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
>   cn: test
>   ipapermright: all
>   ipapermincludedattr: ipatokentotptimestep
>   ipapermincludedattr: ipatokenotpalgorithm
>   ipapermincludedattr: ipatokentotpwatermark
>   ipapermincludedattr: ipatokenowner
>   ipapermincludedattr: ipatokenotpdigits
>   ipapermincludedattr: ipatokenuniqueid
>   ipapermincludedattr: ipatokentotpclockoffset
>   ipapermincludedattr: ipatokenotpkey
>   ipapermincludedattr: cn
>   ipapermincludedattr: ipatokenhotpsyncwindow
>   ipapermincludedattr: ipatokenhotpauthwindow
>   ipapermincludedattr: ipatokentotpsyncwindow
>   ipapermincludedattr: ipatokentotpauthwindow
>   ipapermbindruletype: permission
>   ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
>   ipapermtargetfilter: (objectclass=ipatokenotpconfig)
>   ipapermissiontype: SYSTEM
>   ipapermissiontype: V2
>   aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:test";allow (all) groupdn = "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
>   objectclass: top
>   objectclass: groupofnames
>   objectclass: ipapermission
>   objectclass: ipapermissionv2
>
> (membership information removed from above output, but it shows the proper members)
> When users with this permission attempt to see OTP tokens, they can only see their own tokens.
> Any ideas would be greatly appreciated.
You need to add objectclass to the set of attributes.
This ACI is rather comprehensive. You'll want to consider the case of a bad actor that would try to delete all tokens.
rob
I will try this, thanks. Regarding the ACI, this is for a limited number of not-full-admin users who are expected to be able to change/delete any OTP token, but I definitely appreciate the warning.
Tried adding objectclass to the attrs, but it is entirely possible I did something incorrect, as the users are still unable to view other OTP tokens.
Here's the current state of the policy:

$ ipa permission-show test --all --raw
  dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
  cn: test
  ipapermright: all
  ipapermincludedattr: ipatokentotptimestep
  ipapermincludedattr: ipatokenotpalgorithm
  ipapermincludedattr: ipatokentotpwatermark
  ipapermincludedattr: ipatokenowner
  ipapermincludedattr: ipatokenotpdigits
  ipapermincludedattr: ipatokenuniqueid
  ipapermincludedattr: ipatokentotpclockoffset
  ipapermincludedattr: ipatokenotpkey
  ipapermincludedattr: cn
  ipapermincludedattr: ipatokenhotpsyncwindow
  ipapermincludedattr: ipatokenhotpauthwindow
  ipapermincludedattr: ipatokentotpsyncwindow
  ipapermincludedattr: ipatokentotpauthwindow
  ipapermincludedattr: objectclass
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
  ipapermtargetfilter: (objectclass=ipatokenotpconfig)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid || objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:test";allow (all) groupdn = "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: ipapermissionv2
(Again, membership info has been removed, but shows the expected and proper members)
Russ Long via FreeIPA-users wrote:
> Tried adding objectclass to the attrs, but it is entirely possible I did something incorrect, as the users are still unable to view other OTP tokens.
> Here's the current state of the policy:
>
> $ ipa permission-show test --all --raw
>   dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
>   cn: test
>   ipapermright: all
>   ipapermincludedattr: ipatokentotptimestep
>   ipapermincludedattr: ipatokenotpalgorithm
>   ipapermincludedattr: ipatokentotpwatermark
>   ipapermincludedattr: ipatokenowner
>   ipapermincludedattr: ipatokenotpdigits
>   ipapermincludedattr: ipatokenuniqueid
>   ipapermincludedattr: ipatokentotpclockoffset
>   ipapermincludedattr: ipatokenotpkey
>   ipapermincludedattr: cn
>   ipapermincludedattr: ipatokenhotpsyncwindow
>   ipapermincludedattr: ipatokenhotpauthwindow
>   ipapermincludedattr: ipatokentotpsyncwindow
>   ipapermincludedattr: ipatokentotpauthwindow
>   ipapermincludedattr: objectclass
>   ipapermbindruletype: permission
>   ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
>   ipapermtargetfilter: (objectclass=ipatokenotpconfig)
>   ipapermissiontype: SYSTEM
>   ipapermissiontype: V2
>   aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid || objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:test";allow (all) groupdn = "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
>   objectclass: top
>   objectclass: groupofnames
>   objectclass: ipapermission
>   objectclass: ipapermissionv2
>
> (Again, membership info has been removed, but shows the expected and proper members)
Ah right, the objectclass IIRC is wrong too. I think it should be ipatoken.
The default token ACIs sit in $SUFFIX and not under cn=otp,cn=etc,dc=ipa. I don't think that makes a fundamental difference but it might.
rob
Thanks again, Rob, for the help; the permission below is now working properly.

$ ipa permission-show test --all --raw
  dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
  cn: test
  ipapermright: all
  ipapermincludedattr: ipatokentotptimestep
  ipapermincludedattr: ipatokenotpalgorithm
  ipapermincludedattr: ipatokentotpwatermark
  ipapermincludedattr: ipatokenowner
  ipapermincludedattr: ipatokenotpdigits
  ipapermincludedattr: ipatokenuniqueid
  ipapermincludedattr: ipatokentotpclockoffset
  ipapermincludedattr: ipatokenotpkey
  ipapermincludedattr: cn
  ipapermincludedattr: ipatokenhotpsyncwindow
  ipapermincludedattr: ipatokenhotpauthwindow
  ipapermincludedattr: ipatokentotpsyncwindow
  ipapermincludedattr: ipatokentotpauthwindow
  ipapermincludedattr: objectclass
  ipapermbindruletype: permission
  ipapermlocation: dc=ipa,dc=example,dc=com
  ipapermtargetfilter: (objectclass=ipatoken)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid || objectclass")(targetfilter = "(objectclass=ipatoken)")(version 3.0;acl "permission:test";allow (all) groupdn = "ldap:///cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: ipapermissionv2
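As an added illustration of why the first permission in this thread matched nothing and the final one works (this is example code, not part of the thread and not FreeIPA's own code): the script below parses the attr/value lines of `ipa permission-show --all --raw`, then checks constructed directory entries against the permission's subtree (ipapermlocation) and target filter (ipapermtargetfilter). The entries are constructed samples modelled on FreeIPA's layout, where tokens live under cn=otp,$SUFFIX with objectclass ipatoken and the single OTP configuration entry lives at cn=otp,cn=etc,$SUFFIX with objectclass ipatokenotpconfig; the two permission texts are shortened copies of the ones posted above, and `lint_permission` encodes the three points Rob raised.

```python
"""Added example (not from the thread or FreeIPA): check what a FreeIPA
permission actually targets, using constructed sample entries."""
import re

SUFFIX = "dc=ipa,dc=example,dc=com"

# First permission posted in the thread (attribute list shortened).
RAW_BEFORE = """\
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: cn
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
"""

# Final, working permission from the thread (attribute list shortened).
RAW_AFTER = """\
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: cn
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: dc=ipa,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatoken)
"""

# Constructed entries modelled on FreeIPA's tree: a TOTP token under
# cn=otp,$SUFFIX, and the OTP configuration entry under cn=otp,cn=etc,$SUFFIX.
TOKEN_ENTRY = {
    "dn": "ipatokenuniqueid=CONSTRUCTED-TOKEN-1,cn=otp," + SUFFIX,
    "attrs": {"objectclass": ["top", "ipatoken", "ipatokentotp"],
              "ipatokenowner": ["uid=alice,cn=users,cn=accounts," + SUFFIX]},
}
CONFIG_ENTRY = {
    "dn": "cn=otp,cn=etc," + SUFFIX,
    "attrs": {"objectclass": ["top", "nsContainer", "ipatokenotpconfig"]},
}

FILTER_RE = re.compile(r"\((\w+)=([^()*]+)\)")  # the one filter shape used here


def parse_raw(text):
    """Turn 'attr: value' lines into {attr: [values]}, attribute names lowercased."""
    perm = {}
    for line in text.splitlines():
        line = line.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        perm.setdefault(key.lower(), []).append(value)
    return perm


def _rdns(dn):
    return [c.strip().lower() for c in dn.split(",")]


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere below it."""
    e, b = _rdns(entry_dn), _rdns(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def parse_filter(filt):
    """Return (attr, value) for a single equality filter such as (objectclass=ipatoken)."""
    m = FILTER_RE.fullmatch(filt.strip())
    if not m:
        raise ValueError("unsupported filter: " + filt)
    return m.group(1).lower(), m.group(2).lower()


def permission_selects(perm, entry):
    """Would the permission's subtree plus target filter select this entry at all?"""
    attr, value = parse_filter(perm["ipapermtargetfilter"][0])
    present = [v.lower() for v in entry["attrs"].get(attr, [])]
    return in_subtree(entry["dn"], perm["ipapermlocation"][0]) and value in present


def lint_permission(perm, suffix):
    """Flag the three points raised in the thread; an empty list means clean."""
    findings = []
    if "objectclass" not in [a.lower() for a in perm.get("ipapermincludedattr", [])]:
        findings.append("objectclass missing from ipapermincludedattr")
    if parse_filter(perm["ipapermtargetfilter"][0]) != ("objectclass", "ipatoken"):
        findings.append("target filter does not select objectclass=ipatoken")
    if _rdns(perm["ipapermlocation"][0]) != _rdns(suffix):
        findings.append("location is not the suffix, unlike the default token ACIs")
    return findings


if __name__ == "__main__":
    for name, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        perm = parse_raw(raw)
        print(name, "token:", permission_selects(perm, TOKEN_ENTRY),
              "config:", permission_selects(perm, CONFIG_ENTRY),
              "findings:", lint_permission(perm, SUFFIX))
```

Run against the two permissions, the first one selects only the OTP configuration entry (which is why its attribute list reads like the otpconfig attributes and why users still saw only the tokens the default self-service ACIs already let them read), while the final one selects token entries and none of the three findings remain. To check a live permission the same way, feed the real `ipa permission-show NAME --all --raw` output to `parse_raw` instead of the embedded sample.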
freeipa-users@lists.fedorahosted.org