[Freeipa-devel] [PATCH] krb 1.12's OTP-Over-RADIUS

Martin Kosek mkosek at redhat.com
Fri May 3 14:42:15 UTC 2013


On 05/03/2013 04:20 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 05/01/2013 03:33 PM, Nathaniel McCallum wrote:
>>> Below is my first stab at ACLs. They don't actually work right, but I'm not
>>> sure what I've done wrong. The basic gist is that nobody gets any
>>> permissions by default. Admins get full permissions and users get limited
>>> permissions for their own tokens. Any help would be appreciated.
>>
>> We have an ACI allowing read access to all attributes or trees that were not
>> forbidden:
>>
>> aci: (target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
>>   om")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sam
>>   baNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaN
>>   TTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anony
>>   mous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
>>
>> If you want to hide some attributes from regular users and only allow them to
>> be read by admins, you need to extend targetattr list. This can be done in
>> ipaserver/install/plugins/update_anonymous_aci.py.
>>
>>>
>>> Nathaniel
>>>
>>> dn: $SUFFIX
>>> changetype: modify
>>> add: aci
>>> aci: (targetattrs = "ipatokenRadiusConfigLink ||
>>> ipatokenRadiusUserName")(version 3.0; acl "RADIUS user configuration is
>>> priviledged"; deny (all) userdn = "ldap:///all";)
>>> aci: (targetattrs = "ipatokenRadiusConfigLink ||
>>> ipatokenRadiusUserName")(version 3.0; acl "Admins can manage RADIUS user
>>> configuration"; allow (all)
>>> groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> The deny rule will override the allow rule, so this won't allow admins to do
>> anything. Couldn't we just add ipatokenRadiusConfigLink and
>> ipatokenRadiusUserName to the global ACI blacklist above? Then you could delete
>> both ACIs. Admins' read&write access is already allowed by this ACI:
>>
>> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sam
>>   baNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonica
>>   lName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration |
>>   | krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPw
>>   dHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLas
>>   tSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId ||
>>    memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Ad
>>   min can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups
>>   ,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com";)
>>
>>> aci: (targetfilter =
>>> "(objectClass=ipatokenRadiusConfiguration)")(targetattrs = "*")(version 3.0;
>>> acl "RADIUS configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>>> aci: (targetfilter =
>>> "(objectClass=ipatokenRadiusConfiguration)")(targetattrs = "*")(version 3.0;
>>> acl "Admins can manage RADIUS configuration"; allow (all) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> This won't work for the reasons above. Maybe we should add
>>
>> (targetfilter != "(objectClass=ipatokenRadiusConfiguration)")
>>
>> to the global ACI?
>>
>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "*")(version
>>> 3.0; acl "Token configuration is priviledged"; deny (all) userdn =
>>> "ldap:///all";)
>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "*")(version
>>> 3.0; acl "Admins can manage token configuration"; allow (all) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> We would just update global ACI.
>>
>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs =
>>> "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore ||
>>> ipatokenNotAfter || ipatokenVendor || ipatokenModel ||
>>> ipatokenSerial")(version 3.0; acl "Users can read/add basic token info";
>>> allow (read, add, search, compare) userattr = "ipatokenOwner#USERDN";)
>>
>> Looks ok.
>>
>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs =
>>> "*")(version 3.0; acl "TOTP Token configuration is priviledged"; deny (all)
>>> userdn = "ldap:///all";)
>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs =
>>> "*")(version 3.0; acl "Admins can manage TOTP token configuration"; allow
>>> (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> We would just update global ACI.
>>
>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs =
>>> "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits ||
>>> ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users
>>> can add TOTP token secrets"; allow (add, search) userattr =
>>> "ipatokenOwner#USERDN";)
>>
>> Looks ok.
>>
>> Rob, Simo - does this proposal seem reasonable?
> 
> Yes, this is the direction I've been moving this morning, doing some
> experimentation now using targetfilter. I'll be happy if we can avoid adding all
> these attributes to the global ACI.
> 
> rob
> 

Not sure if we can avoid it though, given our current ACI allowing access to
anything that is not blacklisted in it. I think that the updated global ACI should
look like this:

aci: (target !=
"ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com")(targetattr
!= "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword ||
passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing
|| ipaNTTrustAuthIncoming || ipatokenRadiusConfigLink ||
ipatokenRadiusUserName")(targetfilter =
"(&(objectClass!=ipatokenRadiusConfiguration)(objectClass!=ipaToken)(objectClass!=ipatokenTOTP))")(version
3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn =
"ldap:///anyone";)

I agree this is getting awkward, and we will need to change the ACI
structure. There is already an open ticket for that:
https://fedorahosted.org/freeipa/ticket/3566

Martin
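The evaluation rule the thread hinges on (a matching deny ACI overrides any matching allow, which is why "deny (all) for all users + allow (all) for admins" locks admins out, while extending the targetattr blacklist of the global ACIs does not) can be modelled in a few lines. This is a constructed example, not FreeIPA or 389-DS code; it models only subject and attribute targeting, and uses a shortened version of the global blacklist from the thread.

```python
# Constructed model of 389 Directory Server ACI evaluation (not FreeIPA code):
# a matching deny always beats a matching allow, and targetattr != "..." blacklists.
from dataclasses import dataclass, field

@dataclass
class Aci:
    name: str
    effect: str                  # "allow" or "deny"
    rights: set                  # e.g. {"read", "search"}; "all" grants every right
    who: str                     # "anyone", "all" (any authenticated bind) or a group DN
    attrs: set = field(default_factory=set)
    attrs_negated: bool = False  # True models the targetattr != "..." form

def aci_applies(aci, attr, subject_groups, anonymous):
    # ldap:///anyone also matches anonymous binds; ldap:///all only bound users
    if aci.who == "anyone":
        subject_ok = True
    elif aci.who == "all":
        subject_ok = not anonymous
    else:
        subject_ok = aci.who in subject_groups
    if aci.attrs_negated:
        attr_ok = attr not in aci.attrs
    else:
        attr_ok = attr in aci.attrs or "*" in aci.attrs
    return subject_ok and attr_ok

def permitted(acis, right, attr, subject_groups=(), anonymous=False):
    """Any matching deny ACI overrides every matching allow ACI."""
    matching = [a for a in acis if aci_applies(a, attr, subject_groups, anonymous)
                and (right in a.rights or "all" in a.rights)]
    if any(a.effect == "deny" for a in matching):
        return False
    return any(a.effect == "allow" for a in matching)

ADMINS = "cn=admins,cn=groups,cn=accounts,$SUFFIX"
RADIUS_ATTRS = {"ipatokenRadiusConfigLink", "ipatokenRadiusUserName"}
SECRET = {"userPassword", "krbPrincipalKey"}  # shortened global blacklist

# Design 1 (first patch in the thread): deny for all users plus allow for admins
deny_plus_allow = [
    Aci("RADIUS user configuration is privileged", "deny", {"all"}, "all", RADIUS_ATTRS),
    Aci("Admins can manage RADIUS user configuration", "allow", {"all"}, ADMINS, RADIUS_ATTRS),
]
# Design 2 (suggested reply): extend the anonymous ACI blacklist, keep the admin ACI
blacklist = [
    Aci("Enable Anonymous access", "allow", {"read", "search", "compare"}, "anyone",
        SECRET | RADIUS_ATTRS, attrs_negated=True),
    Aci("Admin can manage any entry", "allow", {"all"}, ADMINS, SECRET, attrs_negated=True),
]
```

With design 1, `permitted(deny_plus_allow, "write", "ipatokenRadiusUserName", subject_groups={ADMINS})` is False because the deny for `ldap:///all` also matches admins; with design 2 the same call is True while an anonymous read of the RADIUS attributes stays denied.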



