[Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID

Martin Kosek mkosek at redhat.com
Mon Sep 22 07:23:02 UTC 2014


On 09/20/2014 10:22 PM, Nathaniel McCallum wrote:
> On Wed, 2014-09-17 at 12:31 +0200, Martin Kosek wrote:
>> On 09/17/2014 08:51 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 16.9.2014 v 19:32 Nathaniel McCallum napsal(a):
>>>> We perform this enforcement at the API level since:
>>>> * DS level enforcement would be difficult
>>>> * ipatokenUniqueID generation already happens at the API level
>>>>
>>>> It may be nice in the future to perform enforcement in the DS itself.
>>>> However, the question of the location of enforcement is largely an
>>>> aesthetic issue.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4456
>>>
>>> That's a rather beefy check. I would prefer something like this (untested):
>>>
>>>     group_dn = self.api.Object.group.get_dn(u'admins')
>>>     filter = ldap.make_filter(
>>>         {'krbprincipalname': context.principal, 'memberof': group_dn},
>>>         ldap.MATCH_ALL)
>>>     try:
>>>         ldap.find_entries(
>>>             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
>>>     except errors.NotFound:
>>>         raise errors.ValidationError(name='ipatokenuniqueid',
>>>                                      error='can only be specified by admins')
>>>
>>> Honza
>>>
>>
>> Also, do we want to hard code it to admins group only?
> 
> Preferably, no. But I don't have another workable solution.
> 
>> Wouldn't it be more
>> flexible to create a new Virtual Operation and let the realm admin configure who
>> can change the UID? See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1
>> for an example of how that's done.
> 
> Modifications are already not permitted. The problem is that we need to
> restrict the format of an attribute for only some users on add only.
> 
> Nathaniel
> 

Hmm, however note that we have a mechanism to limit even the values of the
added object. See this example with groups.

This is the ACI:
# ipa permission-show "System: Add Groups" --all --raw | grep aci
  aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)

Now I add a custom user with this ACI:
# ipa role-add test --desc test
# ipa role-add-privilege test --privileges 'Group Administrators'
# ipa role-add-member test --users fbar

Now I try to add an LDAP object that does not fit the ACI:

# kinit fbar
# ldapadd -h `hostname` -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: fbar@MKOSEK-FEDORA20.TEST
SASL SSF: 56
SASL data security layer installed.
dn: cn=test,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
objectclass: nscontainer
objectclass: top
cn: test

adding new entry "cn=test,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test"
ldap_add: Insufficient access (50)
	additional info: Insufficient 'add' privilege to add the entry 'cn=test,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test'.


Now the right one:
# ldapadd -h `hostname` -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: fbar@MKOSEK-FEDORA20.TEST
SASL SSF: 56
SASL data security layer installed.
dn: cn=test,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
objectclass: nscontainer
objectclass: top
objectclass: ipausergroup
cn: test

adding new entry "cn=test,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test"


Could we use that mechanism and only allow setting ipatokenUniqueID to "-1", so
that it is always generated for normal users? The attribute is single-valued, so
the user should not be able to circumvent it with multiple values.

Martin
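The targetfilter mechanism Martin demonstrates above, replayed in a toy evaluator. This is an added example, not FreeIPA or 389 Directory Server code: it parses the RFC 4515 filter subset that FreeIPA ACIs use (equality, presence, `&`, `|`, `!`) and checks whether an entry being added satisfies it, which is the decision the server makes for the `add` right. The group filter and the two entries are taken from the ldapadd transcript above; the token filter restricting ipatokenUniqueID to "-1" is a hypothetical rendering of Martin's proposal, not a shipped ACI, and the thread does not settle how the placeholder would then be replaced by a generated ID.

```python
"""Toy evaluator for 389-ds-style ACI targetfilters against an entry being added.

Constructed example, not FreeIPA or 389 Directory Server code.  For the "add"
right the server requires the *new* entry to match the ACI's targetfilter; this
module parses the RFC 4515 filter subset that FreeIPA ACIs use (equality,
presence, &, |, !) and replays that decision for sample entries.
"""
from typing import Dict, List, Tuple, Union

Entry = Dict[str, List[str]]
Node = Union[Tuple[str, str, str], Tuple[str, list]]

# Filter copied from the "System: Add Groups" ACI shown in the message above.
GROUP_ACI_FILTER = "(|(objectclass=ipausergroup)(objectclass=posixgroup))"

# Hypothetical filter for Martin's proposal: normal users may only submit the
# placeholder value "-1" for ipatokenUniqueID (an assumption, not a shipped ACI).
TOKEN_FILTER_HYPOTHETICAL = "(&(objectclass=ipatoken)(ipatokenuniqueid=-1))"

# The two group entries fbar tried to add (constructed from the ldapadd transcript).
WRONG_ENTRY: Entry = {"objectclass": ["nscontainer", "top"], "cn": ["test"]}
RIGHT_ENTRY: Entry = {"objectclass": ["nscontainer", "top", "ipausergroup"], "cn": ["test"]}


def _parse(s: str, i: int) -> Tuple[Node, int]:
    """Parse one parenthesised filter item starting at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children: List[Node] = []
        while i < len(s) and s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s):
            raise ValueError("unterminated %r filter" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item in %r" % s)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("only equality/presence items are supported: %r" % s[i:end])
    # Attribute types are case-insensitive in LDAP; normalise once here.
    return ("=", attr.strip().lower(), value.strip()), end + 1


def parse_filter(s: str) -> Node:
    """Parse a complete filter string, rejecting trailing garbage."""
    s = s.strip()
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter: %r" % s[i:])
    return node


def matches(node: Node, entry: Entry) -> bool:
    """Evaluate a parsed filter against an entry (attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":  # presence filter: (attr=*)
        return bool(values)
    # Simplification: caseIgnoreMatch for every attribute.  A real DS applies the
    # attribute's own matching rule from the schema.
    return any(v.lower() == value.lower() for v in values)


def add_allowed(targetfilter: str, entry: Entry) -> bool:
    """Would an 'allow (add)' ACI with this targetfilter accept adding `entry`?"""
    return matches(parse_filter(targetfilter), entry)


if __name__ == "__main__":
    print("nscontainer-only group:", add_allowed(GROUP_ACI_FILTER, WRONG_ENTRY))
    print("ipausergroup group:    ", add_allowed(GROUP_ACI_FILTER, RIGHT_ENTRY))
    token = {"objectclass": ["ipatoken"], "ipatokenuniqueid": ["-1"]}
    print("token with -1:         ", add_allowed(TOKEN_FILTER_HYPOTHETICAL, token))
    token["ipatokenuniqueid"] = ["my-chosen-id"]
    print("token with chosen id:  ", add_allowed(TOKEN_FILTER_HYPOTHETICAL, token))
```

Running the module prints the decision for the two group entries from the transcript (denied, then allowed) and for a token submitted with "-1" versus a user-chosen ID. The toy looks only at the targetfilter; a real ACI also carries the `groupdn`/`userdn` bind rule and any `targetattr` clause, and since ipatokenUniqueID is the RDN of a token entry, any filter on it constrains the whole DN the client may submit.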



