[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

Nathaniel McCallum npmccallum at redhat.com
Thu Oct 9 16:27:55 UTC 2014 

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
> On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
> 
> > The background of this email is this bug:
> > https://fedorahosted.org/freeipa/ticket/4456
> > 
> > Attached are two patches which solve this issue for admin users (not
> > very helpful, I know). They depend on this fix in 389:
> > https://fedorahosted.org/389/ticket/47920
> > 
> > There are two outstanding issues:
> > 
> > 1. 389 does not send the post read control for normal users. The
> > operation itself succeeds, but no control is sent.
> > 
> > The relevant sections from the log are attached. 389 is denying access
> > to the following attributes (* = valid, ! = invalid):
> > ! objectClass
> > ! ipatokenOTPalgorithm
> > ! ipatokenOTPdigits
> > * ipatokenOTPkey
> > * ipatokenHOTPcounter
> > ! ipatokenOwner
> > ! managedBy
> > ! ipatokenUniqueID
> Hello Nathaniel,
> 
>         The post read control needs access to the modified entry to
>         return it.
>         This access is granted at the condition, the binddn can access
>         attributes.

Agreed and understood.

>         My understanding is that the target entry is
>         ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com and the binddn "uid=otp,cn=users,cn=accounts,dc=example,dc=com".

Correct.

>         The only ACI I found that match this target is:
>         aci: (targetfilter = "(objectClass=ipaToken)")
>         (targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled 
>          || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")
>         (version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)

Correct.

>         Do you know if the target entry has 'ipatokenOwner' or
>         'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

> > The ACIs allowing access to most of these attributes are here:
> > https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
> > 
> > Note that I am able to query the entry just fine (including all the
> > above invalidly restricted attributes). Hence, I know the ACIs are
> > working just fine.
> > 
> > Part of the strange thing is that in the post read control request, I
> > haven't indicated that I want *any* attributes returned (i.e. I want
> > just the DN). So I'm not sure why it is querying all the attributes. I
> > would suspect that the proper behavior would be to only check the ACIs
> > on attributes that will actually be returned.
>         It may not querying all attributes, but just search the first
>         one it can read.
>         As it finds none of them you get the message for all
>         attributes.

Right, but why iterate through all possible attributes? It should only
iterate through the attributes requested. Whether the user can read a
non-requested attribute or not is irrelevant because the attribute was
not requested.

More information about the Freeipa-devel mailing list