[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name
Ludwig Krispenz
lkrispen at redhat.com
Fri Oct 10 16:33:53 UTC 2014
>>>
>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
>>>
>>> ...
>>> [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Processed attr:managedBy for entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
>>> [09/Oct/2014:21:34:59 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
>>> [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
>>> [09/Oct/2014:21:34:59 -0400] NSACLPlugin - 2. Evaluating ALLOW aci(19) " "Admin can manage any entry""
>>> [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
>>> [09/Oct/2014:21:34:59 -0400] NSACLPlugin - conn=29 op=1 (main): Deny read on entry(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
>>> [09/Oct/2014:21:34:59 -0400] - process_read_entry_controls: access to entry not allowed (ipatokenuniqueid=bar,cn=otp,dc=example,dc=com)
>>>
>>> But for some reason, the evaluation of the READ access was not
>>> accepted.
>>>
>> The key is READ SKIP; it looks like it is using a cached evaluation of the
>> acis, where the aci did not apply. aci caching is ....
>
> Exact.
Well, I think I've been a bit too fast: the READ SKIP is only logged
from the second attribute on, so caching was ok, but the wrong result
was cached. What is really strange are these lines:
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Attr:ipatokenOwner
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - ACL info: userdnattr does not allow ADD permission at level 0.
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Returning UNDEFINED for userdnattr evaluation.
Why ADD, why UNDEFINED?
> Now, if I create two entries x/y and their associated ipatokens
> tokenX/tokenY and play with updating:
> x updates tokenX, then y updates tokenY
> x updates tokenX, then x updates tokenY
> y updates tokenY, then x updates tokenX
> ...
> each time I got the postread.
>
> Something curious is going on that makes ACL_EvalTestRights return
> something different than ACL_RES_ALLOW.
>
>>>
>>> Did you already open a ticket for this problem?
>>>
>>> thanks
>>> thierry
>>>
>>
>
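As an added aside that is not part of this thread or of 389-ds/FreeIPA code: a small triage helper that walks an NSACLPlugin trace like the ones quoted above, records which outcome each aci produced per attribute, and points at the first evaluation that returned UNDEFINED, since the attributes after it only show the cached READ SKIP. The sample trace is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample, assembled from the NSACLPlugin trace lines quoted in this thread.
SAMPLE_TRACE = """\
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Attr:ipatokenOwner
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - ACL info: userdnattr does not allow ADD permission at level 0.
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Returning UNDEFINED for userdnattr evaluation.
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Processed attr:managedBy for entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 2. Evaluating ALLOW aci(19) " "Admin can manage any entry""
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - conn=29 op=1 (main): Deny read on entry(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
"""

ATTR_RE = re.compile(r"NSACLPlugin - (?:Processed attr:|Attr:)(\S+)")
ACI_RE = re.compile(r'Evaluating ALLOW aci\((\d+)\) " "([^"]*)""')
DENY_RE = re.compile(r"Deny read on entry\([^)]*\)\.attr\((\w+)\) to (\S+?):")

def parse_trace(text):
    """Map each attribute to its (aci_id, aci_name, outcome) events in trace order.
    outcome is UNDEFINED (userattr/userdnattr rule not decidable), SKIP (cached
    negative result reused) or DENY (the final access decision)."""
    results, attr, aci = {}, None, None
    for line in text.splitlines():
        if m := ATTR_RE.search(line):
            attr = m.group(1)
            results.setdefault(attr, [])
        elif m := ACI_RE.search(line):
            aci = (int(m.group(1)), m.group(2))
        elif attr is None or aci is None:
            continue  # lines before the first attribute/aci carry no decision
        elif "Returning UNDEFINED" in line:
            results[attr].append((*aci, "UNDEFINED"))
        elif "READ SKIP in cache" in line:
            results[attr].append((*aci, "SKIP"))
        elif m := DENY_RE.search(line):
            results.setdefault(m.group(1), []).append((*aci, "DENY"))
    return results

def first_undefined(results):
    """First (attr, aci_id) that came back UNDEFINED; later attrs only show the cached SKIP."""
    return next(((a, e[0]) for a, ev in results.items() for e in ev if e[2] == "UNDEFINED"), None)

def denied_attrs(results):
    """Attributes whose evaluation ended in an explicit Deny read."""
    return sorted(a for a, ev in results.items() if any(e[2] == "DENY" for e in ev))
```

Run against a real trace, the first UNDEFINED tells you which attribute and aci to re-check before chasing the cached SKIP lines.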