[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

Ludwig Krispenz lkrispen at redhat.com
Fri Oct 10 16:33:53 UTC 2014


>>>
>>>         aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")
>>>         (version 3.0; acl "*Users/managers can read basic token info*"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
>>>
>>>         ...
>>>         [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Processed attr:managedBy for entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
>>>         [09/Oct/2014:21:34:59 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "*Users/managers can read basic token info*""
>>>         [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
>>>         [09/Oct/2014:21:34:59 -0400] NSACLPlugin - 2. Evaluating ALLOW aci(19) " "Admin can manage any entry""
>>>         [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
>>>         [09/Oct/2014:21:34:59 -0400] NSACLPlugin - conn=29 op=1 (main): Deny read on entry(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
>>>         [09/Oct/2014:21:34:59 -0400] - process_read_entry_controls: access to entry not allowed (ipatokenuniqueid=bar,cn=otp,dc=example,dc=com)
>>>
>>>     But for some reason, the evaluation of the READ access was not
>>>     accepted.
>>>
>> The key is READ SKIP; it looks like it is using a cached evaluation of the 
>> ACIs, where the ACI did not apply. ACI caching is ....
>
> Exact.
Well, I think I've been a bit too fast: the READ SKIP is only logged 
from the second attribute on, so caching was OK, but the wrong result 
was cached. What really is strange are these lines:

[09/Oct/2014:21:34:58 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Attr:ipatokenOwner
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - ACL info: userdnattr does not allow ADD permission at level 0.
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Returning UNDEFINED for userdnattr evaluation.

Why ADD, why UNDEFINED?

> Now if I create two entries x/y and their associated ipatokens 
> tokenX/tokenY and play with updating:
> x updates tokenX, then y updates tokenY
> x updates tokenX, then x updates tokenY
> y updates tokenY, then x updates tokenX
> ...
> each time I got the postread.
>
> Something curious is going on that makes ACL_EvalTestRights return 
> something different from ACL_RES_ALLOW.
>
>>>
>>>     Did you already open a ticket for this problem ?
>>>
>>>     thanks
>>>     thierry
>>>
>>
>
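For readers following the ACI discussion above, here is a small model of what the quoted ACI is supposed to grant, written as an added example for this archive page; it is not 389-ds code and not something posted in the thread. It models the documented meaning of a `userattr = "attr#USERDN"` bind rule (the bind DN must be one of the values of that attribute in the target entry), the `or` between the two bind rules, the `targetfilter`, and the `targetattrs` list. The token entry, the second user `uid=alice` and the `uid=manager` DN are constructed sample data; the secret attribute `ipatokenOTPkey` is from the FreeIPA OTP schema, not from the thread, and is included to show that an attribute outside `targetattrs` stays unreadable even for the owner. The model returns ALLOW for the owner's read of `managedBy`, which is exactly the outcome the logged evaluation fails to produce.

```python
import re

# The ACI as quoted in the thread, with the mail wrapping joined back together.
ACI = (
    '(targetfilter = "(objectClass=ipaToken)")'
    '(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || '
    'ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || '
    'ipatokenModel || ipatokenSerial || ipatokenOwner")'
    '(version 3.0; acl "Users/managers can read basic token info"; '
    'allow (read, search, compare) userattr = "ipatokenOwner#USERDN" '
    'or userattr = "managedBy#USERDN";)'
)

OWNER = "uid=otp,cn=users,cn=accounts,dc=example,dc=com"      # DN from the thread
MANAGER = "uid=manager,cn=users,cn=accounts,dc=example,dc=com"  # constructed
OTHER = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"     # constructed

# Constructed token entry; attribute names are lower-cased for lookup.
TOKEN_ENTRY = {
    "dn": "ipatokenuniqueid=bar,cn=otp,dc=example,dc=com",
    "objectclass": ["top", "ipaToken"],
    "ipatokenuniqueid": ["bar"],
    "ipatokenowner": [OWNER],
    "managedby": [OWNER, MANAGER],
    "description": ["constructed sample token"],
    "ipatokenotpkey": ["<constructed secret, never in targetattrs>"],
}


def parse_aci(aci):
    """Pull the parts this model needs out of a 389-ds style ACI string."""
    targetfilter = re.search(r'\(targetfilter\s*=\s*"([^"]+)"\)', aci).group(1)
    attrs = re.search(r'\(targetattrs\s*=\s*"([^"]+)"\)', aci).group(1)
    rights = re.search(r'allow\s*\(([^)]+)\)', aci).group(1)
    # Each userattr = "attr#USERDN" clause is one alternative (they are joined by "or").
    bindrules = re.findall(r'userattr\s*=\s*"([^"#]+)#USERDN"', aci)
    return {
        "targetfilter": targetfilter,
        "targetattrs": {a.strip().lower() for a in attrs.split("||")},
        "rights": {r.strip().lower() for r in rights.split(",")},
        "bindrules": [b.strip().lower() for b in bindrules],
    }


def normalize_dn(dn):
    """Minimal DN normalisation: case-fold and drop spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def entry_matches_filter(entry, filt):
    """Only the simple equality filter used by this ACI is modelled."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]+)\)", filt.strip()).groups()
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def bindrule_matches(entry, bind_dn, bindrules):
    """userattr "attr#USERDN": the bind DN must appear as a value of attr in the target entry."""
    bdn = normalize_dn(bind_dn)
    return any(normalize_dn(v) == bdn
               for attr in bindrules for v in entry.get(attr, []))


def evaluate_read(aci, entry, bind_dn, attr):
    """True if this single ACI grants 'read' on attr of entry to bind_dn."""
    p = parse_aci(aci)
    if "read" not in p["rights"]:
        return False
    if not entry_matches_filter(entry, p["targetfilter"]):
        return False
    if attr.lower() not in p["targetattrs"]:
        return False
    return bindrule_matches(entry, bind_dn, p["bindrules"])


def readable_attributes(aci, entry, bind_dn):
    """Sorted list of the entry's attributes this ACI lets bind_dn read."""
    return sorted(a for a in entry if a != "dn" and evaluate_read(aci, entry, bind_dn, a))


if __name__ == "__main__":
    for who in (OWNER, MANAGER, OTHER):
        print(who, "->", readable_attributes(ACI, TOKEN_ENTRY, who))
</test>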
