[Freeipa-devel] [PATCH] krb 1.12's OTP-Over-RADIUS

Rob Crittenden rcritten at redhat.com
Fri May 3 14:20:45 UTC 2013


Martin Kosek wrote:
> On 05/01/2013 03:33 PM, Nathaniel McCallum wrote:
>> Below is my first stab at ACLs. They don't actually work right, but I'm not sure what I've done wrong. The basic gist is that nobody gets any permissions by default. Admins get full permissions and users get limited permissions for their own tokens. Any help would be appreciated.
>
> We have an ACI allowing read access to all attributes or trees that were not
> forbidden:
>
> aci: (target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
>
> If you want to hide some attributes from regular users and only allow them to
> be read by admins, you need to extend targetattr list. This can be done in
> ipaserver/install/plugins/update_anonymous_aci.py.
>
>>
>> Nathaniel
>>
>> dn: $SUFFIX
>> changetype: modify
>> add: aci
>> aci: (targetattrs = "ipatokenRadiusConfigLink || ipatokenRadiusUserName")(version 3.0; acl "RADIUS user configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>> aci: (targetattrs = "ipatokenRadiusConfigLink || ipatokenRadiusUserName")(version 3.0; acl "Admins can manage RADIUS user configuration"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> deny rule will override the allow rule so this won't allow admins to do
> anything. Couldn't we just add ipatokenRadiusConfigLink and
> ipatokenRadiusUserName to the global ACI blacklist above? Then you could delete
> both ACIs. Admins read&write access is already allowed by this ACI:
>
> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com";)
>
>> aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattrs = "*")(version 3.0; acl "RADIUS configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>> aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattrs = "*")(version 3.0; acl "Admins can manage RADIUS configuration"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> This won't work for the reasons above. Maybe we should add
>
> (targetfilter != "(objectClass=ipatokenRadiusConfiguration)")
>
> to the global ACI?
>
>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "*")(version 3.0; acl "Token configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "*")(version 3.0; acl "Admins can manage token configuration"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> We would just update global ACI.
>
>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read/add basic token info"; allow (read, add, search, compare) userattr = "ipatokenOwner#USERDN";)
>
> Looks ok.
>
>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "*")(version 3.0; acl "TOTP Token configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "*")(version 3.0; acl "Admins can manage TOTP token configuration"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> We would just update global ACI.
>
>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (add, search) userattr = "ipatokenOwner#USERDN";)
>
> Looks ok.
>
> Rob, Simo - does this proposal seem reasonable?

Yes, this is the direction I've been moving this morning, doing some 
experimentation now using targetfilter. I'll be happy if we can avoid 
adding all these attributes to the global ACI.

rob
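The point Martin makes above, that a matching deny ACI overrides any allow ACI so a deny-all/allow-admins pair locks admins out too, and that the fix is to extend the exclusion lists of the existing global ACIs instead, can be checked with a small model. The following is an added example written for this thread; it is not FreeIPA or 389-ds code, it models only the subset of ACI semantics the thread relies on (deny precedence, default deny, targetattr/targetfilter with = and !=, userdn anyone/all, groupdn, userattr#USERDN), and the suffix, bind DNs and entries are constructed. Attribute and objectClass names are the ones from the thread.

```python
"""Toy model of 389-ds ACI evaluation for the OTP-over-RADIUS ACI discussion.
Added example, not FreeIPA/389-ds code. Deny precedence and default deny
are the real server's behaviour; everything else is simplified."""

SUFFIX = "dc=example,dc=test"                                   # constructed
ADMINS = "cn=admins,cn=groups,cn=accounts," + SUFFIX            # constructed
ADMIN_DN = "uid=admin,cn=users,cn=accounts," + SUFFIX           # constructed
RADIUS_ATTRS = {"ipatokenRadiusConfigLink", "ipatokenRadiusUserName"}
# Shortened version of the attributes excluded by the global ACIs in the thread.
HIDDEN_FROM_ANON = {"userPassword", "krbPrincipalKey", "passwordHistory", "krbMKey"}
HIDDEN_FROM_ADMIN = {"userPassword", "krbPrincipalKey", "krbMKey"}


def aci(name, effect, rights, bind, targetattr=None, targetfilter=None):
    """Structured stand-in for one aci value.
    targetattr:   ("=", {attrs}) | ("!=", {attrs}) | None (any attribute)
    targetfilter: ("=", objectClass) | ("!=", objectClass) | None
    bind:         "anyone" | "all" | ("groupdn", dn) | ("userattr", attr)"""
    return dict(name=name, effect=effect, rights=set(rights), bind=bind,
                targetattr=targetattr, targetfilter=targetfilter)


def _target_matches(a, entry, attr):
    if a["targetattr"]:
        op, attrs = a["targetattr"]
        if (attr in attrs) != (op == "="):
            return False
    if a["targetfilter"]:
        op, oc = a["targetfilter"]
        if (oc in entry["objectClass"]) != (op == "="):
            return False
    return True


def _bind_matches(a, entry, bind_dn, groups):
    rule = a["bind"]
    if rule == "anyone":                 # userdn = "ldap:///anyone"
        return True
    if rule == "all":                    # userdn = "ldap:///all": any authenticated bind
        return bind_dn is not None
    kind, value = rule
    if kind == "groupdn":
        return value in groups
    if kind == "userattr":               # userattr = "<attr>#USERDN"
        return entry.get(value) == bind_dn
    raise ValueError(rule)


def evaluate(acis, entry, attr, right, bind_dn=None, groups=()):
    """Any matching deny wins; otherwise some allow must match (default deny)."""
    allowed = False
    for a in acis:
        if right not in a["rights"] and "all" not in a["rights"]:
            continue
        if not (_target_matches(a, entry, attr) and _bind_matches(a, entry, bind_dn, groups)):
            continue
        if a["effect"] == "deny":
            return False
        allowed = True
    return allowed


def render(a):
    """Textual aci value in the syntax used in the thread (spelling corrected)."""
    parts = []
    if a["targetfilter"]:
        parts.append('(targetfilter %s "(objectClass=%s)")' % a["targetfilter"])
    if a["targetattr"]:
        op, attrs = a["targetattr"]
        parts.append('(targetattr %s "%s")' % (op, " || ".join(sorted(attrs))))
    bind = a["bind"]
    if bind in ("anyone", "all"):
        bind = 'userdn = "ldap:///%s"' % bind
    elif bind[0] == "groupdn":
        bind = 'groupdn = "ldap:///%s"' % bind[1]
    else:
        bind = 'userattr = "%s#USERDN"' % bind[1]
    return '%s(version 3.0; acl "%s"; %s (%s) %s;)' % (
        "".join(parts), a["name"], a["effect"], ",".join(sorted(a["rights"])), bind)


def proposed_policy():
    """The deny + allow pair from the first mail in the thread."""
    return [aci("RADIUS user configuration is privileged", "deny", ["all"], "all",
                targetattr=("=", RADIUS_ATTRS)),
            aci("Admins can manage RADIUS user configuration", "allow", ["all"],
                ("groupdn", ADMINS), targetattr=("=", RADIUS_ATTRS))]


def blacklist_policy():
    """Martin's alternative: widen the global anonymous ACI's exclusions
    (attributes and a targetfilter); the admin ACI stays as it is."""
    return [aci("Enable Anonymous access", "allow", ["read", "search", "compare"], "anyone",
                targetattr=("!=", HIDDEN_FROM_ANON | RADIUS_ATTRS),
                targetfilter=("!=", "ipatokenRadiusConfiguration")),
            aci("Admin can manage any entry", "allow", ["all"], ("groupdn", ADMINS),
                targetattr=("!=", HIDDEN_FROM_ADMIN))]


USER = {"objectClass": {"person"}, "uid": "alice", "ipatokenRadiusUserName": "alice"}
RADIUS_CFG = {"objectClass": {"ipatokenRadiusConfiguration"}, "cn": "rad1"}


def admin_can_write_radius(policy):
    return evaluate(policy, USER, "ipatokenRadiusUserName", "write", ADMIN_DN, groups={ADMINS})


if __name__ == "__main__":
    print("deny/allow pair, admin write:", admin_can_write_radius(proposed_policy()))
    print("blacklist, admin write:      ", admin_can_write_radius(blacklist_policy()))
    print("blacklist, anon read uid:    ", evaluate(blacklist_policy(), USER, "uid", "read"))
    print(render(blacklist_policy()[0]))
```

Running it shows the admin denied under the deny/allow pair and permitted under the extended global ACIs, while an anonymous bind still reads ordinary attributes but not the RADIUS ones or the ipatokenRadiusConfiguration entry. The same evaluator can be fed the ipaToken and ipatokenTOTP rules from the thread by adding the corresponding targetfilter entries.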
