[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

Ludwig Krispenz lkrispen at redhat.com
Thu Oct 9 17:40:38 UTC 2014


On 10/09/2014 06:53 PM, Nathaniel McCallum wrote:
> On Thu, 2014-10-09 at 18:38 +0200, Ludwig Krispenz wrote:
>> On 10/09/2014 06:32 PM, thierry bordaz wrote:
>>> On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
>>>> On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
>>>>> On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
>>>>>
>>>>>> The background of this email is this bug:
>>>>>> https://fedorahosted.org/freeipa/ticket/4456
>>>>>>
>>>>>> Attached are two patches which solve this issue for admin users (not
>>>>>> very helpful, I know). They depend on this fix in 389:
>>>>>> https://fedorahosted.org/389/ticket/47920
>>>>>>
>>>>>> There are two outstanding issues:
>>>>>>
>>>>>> 1. 389 does not send the post read control for normal users. The
>>>>>> operation itself succeeds, but no control is sent.
>>>>>>
>>>>>> The relevant sections from the log are attached. 389 is denying access
>>>>>> to the following attributes (* = valid, ! = invalid):
>>>>>> ! objectClass
>>>>>> ! ipatokenOTPalgorithm
>>>>>> ! ipatokenOTPdigits
>>>>>> * ipatokenOTPkey
>>>>>> * ipatokenHOTPcounter
>>>>>> ! ipatokenOwner
>>>>>> ! managedBy
>>>>>> ! ipatokenUniqueID
>>>>> Hello Nathaniel,
>>>>>
>>>>> The post read control needs access to the modified entry to return it.
>>>>> This access is granted on the condition that the binddn can access the
>>>>> attributes.
>>>> Agreed and understood.
>>>>
>>>>> My understanding is that the target entry is
>>>>> ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
>>>>> and the binddn "uid=otp,cn=users,cn=accounts,dc=example,dc=com".
>>>> Correct.
>>>>
>>>>> The only ACI I found that matches this target is:
>>>>> aci: (targetfilter = "(objectClass=ipaToken)")
>>>>> (targetattrs = "objectclass || description || managedBy || ipatokenUniqueID
>>>>> || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor
>>>>> || ipatokenModel || ipatokenSerial || ipatokenOwner")
>>>>> (version 3.0; acl "Users/managers can read basic token info";
>>>>> allow (read, search, compare) userattr = "ipatokenOwner#USERDN"
>>>>> or userattr = "managedBy#USERDN";)
>>>> Correct.
>>>>
>>>>> Do you know if the target entry has 'ipatokenOwner' or 'managedBy' with
>>>>> the binddn value?
>>>> Yes, both. So why is access to objectClass (et cetera) being denied?
>>> Good question...
>> +1
>> Could you post the full ACI logging, not only the summary, for the access
>> to the attributes?
> Attached.
This doesn't look like full ACL logging. Did you set errorlog-level to
include 128?
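To make concrete what the thread expects the post-read control to return, here is an added example (not FreeIPA or 389-ds code) that models the single ACI quoted above: its equality targetfilter, its targetattrs list and the two userattr#USERDN bind rules, evaluated for the bind DN from the thread. The token entry is constructed (attribute names and the owner/managedBy values follow the thread, the OTP settings are sample values), and the bind-rule check is a simplified case-insensitive DN comparison.

```python
import re

ACI = ('(targetfilter = "(objectClass=ipaToken)")'
       '(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID'
       ' || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor'
       ' || ipatokenModel || ipatokenSerial || ipatokenOwner")'
       '(version 3.0; acl "Users/managers can read basic token info";'
       ' allow (read, search, compare) userattr = "ipatokenOwner#USERDN"'
       ' or userattr = "managedBy#USERDN";)')  # the ACI quoted in the thread

BIND_DN = "uid=otp,cn=users,cn=accounts,dc=example,dc=com"

# Constructed token entry: attribute names and the owner/managedBy values follow
# the thread; the OTP settings are sample values, not real token data.
ENTRY = {
    "objectClass": ["top", "ipaToken", "ipatokenHOTP"],
    "ipatokenUniqueID": ["52001946-4f2d-11e4-9127-7831c1d63a78"],
    "ipatokenOwner": [BIND_DN],
    "managedBy": [BIND_DN],
    "ipatokenOTPalgorithm": ["sha1"],
    "ipatokenOTPdigits": ["6"],
    "ipatokenOTPkey": ["constructed-sample-key"],
    "ipatokenHOTPcounter": ["0"],
}

def parse_aci(aci):
    """Extract the equality targetfilter, the targetattrs and the userattr#USERDN rules."""
    fattr, fval = re.search(r'targetfilter\s*=\s*"\((\w+)=(\w+)\)"', aci).groups()
    attrs = re.search(r'targetattrs\s*=\s*"([^"]+)"', aci).group(1)
    rules = re.findall(r'userattr\s*=\s*"(\w+)#USERDN"', aci)
    return (fattr, fval), {a.strip().lower() for a in attrs.split("||")}, rules

def values(entry, attr):
    """Case-insensitive attribute lookup; values lower-cased for comparison."""
    return [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]

def readable_attrs(aci, entry, bind_dn):
    """Attributes of `entry` that `bind_dn` may read under this single ACI."""
    (fattr, fval), targetattrs, userattrs = parse_aci(aci)
    if fval.lower() not in values(entry, fattr):
        return set()  # entry does not match the targetfilter, ACI does not apply
    if not any(bind_dn.lower() in values(entry, ua) for ua in userattrs):
        return set()  # neither ipatokenOwner nor managedBy names the bind DN
    return {k.lower() for k in entry} & targetattrs  # only listed targetattrs

if __name__ == "__main__":
    allowed = readable_attrs(ACI, ENTRY, BIND_DN)
    for attr in ENTRY:  # same */! notation as the log summary in the thread
        print("*" if attr.lower() in allowed else "!", attr)
```

Under this ACI alone the model grants exactly the attributes the posted log summary marks `!` and none of those it marks `*`, which is the discrepancy the thread is chasing. Other ACIs present on the server are not modelled.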



