[Freeipa-devel] [PATCH 0069] Adds 389DS plugin to enforce UUID token IDs
Nathaniel McCallum
npmccallum at redhat.com
Mon Sep 22 14:02:01 UTC 2014
On Mon, 2014-09-22 at 09:50 -0400, Simo Sorce wrote:
> On Mon, 22 Sep 2014 10:34:54 +0200
> Martin Kosek <mkosek at redhat.com> wrote:
>
> > On 09/22/2014 09:33 AM, thierry bordaz wrote:
> > > Hello Nathaniel,
> > >
> > > Just a remark, in is_token if the entry is objectclass=ipaToken
> > > it returns without freeing the 'objectclass' char array.
> > >
> > > thanks
> > > thierry
> > >
> > > On 09/21/2014 09:07 PM, Nathaniel McCallum wrote:
> > >> Users that can rename the token (such as admins) can also create
> > >> non-UUID token names.
> > >>
> > >> https://fedorahosted.org/freeipa/ticket/4456
> > >>
> > >> NOTE: this patch is an alternate approach to my patch 0065. This
> > >> version has two main advantages compared to 0065:
> > >> 1. Permissions are more flexible (not tied to the admin group).
> > >> 2. Enforcement occurs at the DS-level
> > >>
> > >> It should also be noted that this patch does not enforce UUID
> > >> randomness, only syntax. Users can still specify a token ID so
> > >> long as it is in UUID format.
> > >>
> > >> Nathaniel
> >
> > I am still thinking we may be overcomplicating it. Why cannot we use
> > the similar UUID generation mechanism as we do for SUDO commands for
> > example:
> >
> > # ipa sudocmd-add barbar --all --raw
> > ---------------------------
> > Added Sudo Command "barbar"
> > ---------------------------
> > dn:
> > ipaUniqueID=3a96de14-4232-11e4-9d66-001a4a104ec9,cn=sudocmds,cn=sudo,dc=mkosek-fedora20,dc=test
> > sudocmd: barbar
> > ipaUniqueID: 3a96de14-4232-11e4-9d66-001a4a104ec9
> > objectClass: ipasudocmd
> > objectClass: ipaobject
> >
> > It lets DS generate&rename the object's DN when it finds out that the
> > ipaUniqueID is set to "autogenerate" (in baseldap.py). We could let
> > DS generate the UUID and only add the "autogenerate" keyword in
> > otptoken-add command.
> >
> > For authorization, we can simply allow users to only add tokens with
> > "autogenerate" ID, see my example here:
> >
> > http://www.redhat.com/archives/freeipa-devel/2014-September/msg00438.html
> >
> > Admin's or special privilege-owners would have more generous ACI
> > allowing other values than just "autogenerate".
> >
> > IMO, then the whole ipatoken-add mechanism would be a lot simpler and
> > we would not need a special DS plugin (unless we want regular users
> > to generate their own UUIDs instead of letting IPA DS to generate it
> > - which I do not think is the case).
>
> Good point Martin.
This is the avenue I first pursued. The problem is that the client has
no way to look up the DN after the entry is added. In the case of
sudocmd-add, the lookup is performed using the sudocmd attribute (see
sudocmd.get_dn()). We have no similar attribute in this case and the
lookup cannot be performed.
Nathaniel
More information about the Freeipa-devel
mailing list