[Freeipa-devel] Proposal for #4456 -- Regular users should not be able to add OTP tokens with custom name

Nathaniel McCallum npmccallum at redhat.com
Tue Aug 19 21:10:48 UTC 2014


Admins need the ability to specify the token ID in the case of imports.
However, generally, this ability is not needed.

Is it possible to offload the ID generation to the ipa-uuid plugin? I'm
not quite sure how to enable this (I think it involves passing a magic
value?). But I'm not quite sure how this fits in with the IPA framework
as the generated value is the DN.

However, assuming this can be used, I propose the following. The token
ID is removed from the UI for regular users (but retained for admins).
We change the ACIs for token addition/modification to prevent regular
users from specifying the ID in an add or mod operation. The CLI would
retain the option to set it, but this option would only be usable by
admins.

Make sense?
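As an added illustration of the policy described in this message (not FreeIPA's own code), the following hypothetical helper shows the two rules in one place: on add, a regular user never chooses the ID and gets a server-generated one, while an admin may supply one (the import case); on mod, a regular user may not touch the ID attribute. The function names, the UUID4 fallback and the use of the `ipatokenUniqueID` attribute name are assumptions made for this example.

```python
"""Hypothetical token-ID policy check modelled on the proposal above.

This is example code, not FreeIPA's implementation. It assumes the
token ID lives in the ipatokenUniqueID attribute and that a UUID4 is an
acceptable server-generated ID for regular users.
"""
import uuid


class PermissionDenied(Exception):
    """Raised when a caller tries to set or change an ID it may not control."""


def resolve_token_id(caller_is_admin, requested_id=None):
    """Return the token ID to store for an add operation.

    - No ID requested: generate one server-side (works for everyone).
    - ID requested by an admin: honour it (needed for imports).
    - ID requested by a regular user: refuse.
    """
    if requested_id is None:
        # Server-side generation; the caller never sees or chooses the value.
        return str(uuid.uuid4())
    if not caller_is_admin:
        raise PermissionDenied("only admins may specify a token ID")
    if not requested_id.strip():
        raise ValueError("token ID must not be empty")
    return requested_id


def check_token_mod(caller_is_admin, changed_attrs):
    """Validate a mod operation: regular users may change other attributes,
    but any change to the ID attribute is reserved for admins.

    Returns True when the mod is allowed; raises PermissionDenied otherwise.
    """
    touched = {attr.lower() for attr in changed_attrs}
    if "ipatokenuniqueid" in touched and not caller_is_admin:
        raise PermissionDenied("regular users may not modify the token ID")
    return True


if __name__ == "__main__":
    # Constructed sample calls: a user self-enrolling and an admin importing.
    print("user add  ->", resolve_token_id(caller_is_admin=False))
    print("admin add ->", resolve_token_id(caller_is_admin=True, requested_id="imported-0001"))
    print("user mod  ->", check_token_mod(False, ["description", "ipatokenOwner"]))
```

The split between `resolve_token_id` and `check_token_mod` mirrors the add/mod distinction in the proposal; in a real deployment the same rules would be expressed as directory ACIs rather than application code.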
