[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name
Simo Sorce
simo at redhat.com
Fri Oct 10 15:46:47 UTC 2014
On Fri, 10 Oct 2014 17:38:46 +0200
Ludwig Krispenz <lkrispen at redhat.com> wrote:
>
> > https://fedorahosted.org/389/ticket/47924
> >
> >> is it possible to reproduce without IPA ?
> > Perhaps. You'd need the OTP schema and ACIs from FreeIPA, unless
> > you can find another way to reproduce it.
> well, did think about it again, we probably also would need all the
> plugins, so could be difficult
Just a wild guess, for some reason the post-read evaluation is using
some cached evaluation of the add.
I think the key part here is that we *change* the DN, which is a key part
in determining the access control.
I wonder if you can reproduce in 389ds using the DNA plugin?
Use the magic value to generate a number and use the value in the add
and read ACIs so that the ADD works only with the magic value.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
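Simo's suggested FreeIPA-free reproduction, written out as an added example that is not part of the thread and not FreeIPA's or 389-ds's own configuration: a DNA plugin instance with a magic value, an ACI that lets an ordinary bound user ADD an entry only when the DNA-managed attribute carries that magic value, and a read ACI on the same attribute, so the post-read control's answer can be compared with what the ACIs are meant to grant. The suffix `dc=example,dc=com`, the container `ou=Tokens`, the choice of `uidNumber`/`posixAccount` as the DNA-managed attribute and object class, the ACI wording and the `-e postread` client option are my assumptions; `dnaType`, `dnaFilter`, `dnaScope`, `dnaNextValue`, `dnaMaxValue` and `dnaMagicRegen` are the plugin's documented configuration attributes. Note that this setup does not rewrite the entry's RDN, so the DN change Simo points at is only reproduced if the DNA-managed attribute is also the RDN attribute, which this example does not do.

```ldif
# Added example (not from the thread): minimal 389-ds setup for Simo's
# DNA-based reproduction. Assumed suffix: dc=example,dc=com.
# The Distributed Numeric Assignment Plugin itself must be enabled
# (nsslapd-pluginEnabled: on) and the server restarted for this to apply.

# 1. DNA plugin instance. "magic" is the value a client supplies to ask
#    the server to allocate the real number during the ADD.
dn: cn=Token Numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Token Numbers
dnaType: uidNumber
dnaFilter: (objectClass=posixAccount)
dnaScope: ou=Tokens,dc=example,dc=com
dnaNextValue: 1000
dnaMaxValue: 9999
dnaMagicRegen: magic

# 2. ACIs on the container. The ADD ACI uses targattrfilters so that it
#    matches only when uidNumber is the magic value, i.e. a regular user
#    may not pick the number (the counterpart of "custom name" in the
#    thread). The READ ACI lets the entry's owner see the allocated value.
dn: ou=Tokens,dc=example,dc=com
changetype: modify
add: aci
aci: (targattrfilters="add=uidNumber:(uidNumber=magic)")(version 3.0; acl "regular users add only with magic value"; allow (add) userdn="ldap:///all";)
aci: (targetattr="uidNumber || cn || objectClass")(version 3.0; acl "owner reads own entry"; allow (read, search, compare) userattr="owner#USERDN";)

# 3. Entry added by a regular user, with the post-read control requested
#    by the OpenLDAP client (assumed invocation):
#      ldapadd -x -D uid=alice,ou=People,dc=example,dc=com -W \
#              -e postread=uidNumber -f add.ldif
#    Expected behaviour: the ADD succeeds with the magic value and fails
#    with a user-chosen number; the post-read result should reflect the
#    read ACI, not some cached evaluation of the ADD. Any divergence here
#    is the 389-ds-only reproduction the thread is after.
dn: cn=alice-token,ou=Tokens,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: extensibleObject
cn: alice-token
uid: alice-token
uidNumber: magic
gidNumber: 100
homeDirectory: /nonexistent
owner: uid=alice,ou=People,dc=example,dc=com
```

To check the negative case, repeat the ADD with `uidNumber: 4242` instead of the magic value; with the ACI above that ADD should be refused with insufficient access, which is the behaviour the thread says regular users should get for a custom name.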