[Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID

Martin Kosek mkosek at redhat.com
Mon Sep 22 15:37:14 UTC 2014


On 09/20/2014 10:22 PM, Nathaniel McCallum wrote:
> On Wed, 2014-09-17 at 12:31 +0200, Martin Kosek wrote:
>> On 09/17/2014 08:51 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 16.9.2014 v 19:32 Nathaniel McCallum napsal(a):
>>>> We perform this enforcement at the API level since:
>>>> * DS level enforcement would be difficult
>>>> * ipatokenUniqueID generation already happens at the API level
>>>>
>>>> It may be nice in the future to perform enforcement in the DS itself.
>>>> However, the question of the location of enforcement is largely an
>>>> aesthetic issue.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4456
>>>
>>> That's a rather beefy check. I would prefer something like this (untested):
>>>
>>>     group_dn = self.api.Object.group.get_dn(u'admins')
>>>     filter = ldap.make_filter(
>>>         {'krbprincipalname': context.principal, 'memberof': group_dn},
>>>         ldap.MATCH_ALL)
>>>     try:
>>>         ldap.find_entries(
>>>             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
>>>     except errors.NotFound:
>>>         raise ValidationError(name='ipatokenuniqueid',
>>>                               error='can only be specified by admins')
>>>
>>> Honza
>>>
>>
>> Also, do we want to hard code it to admins group only?
> 
> Preferably, no. But I don't have another workable solution.
> 
>> Wouldn't it be more
>> flexible to create a new Virtual Operation and let realm admin configure who
>> can change the UID. See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1
>> for an example how that's done.
> 
> Modifications are already not permitted. The problem is that we need to
> restrict the format of an attribute for only some users on add only.
> 
> Nathaniel

Ah, that's a valid point. We need some way to get the modified DN after UUID
generation.

I discussed this issue briefly with Nathaniel and I had an idea. Doesn't DS
have a control for modification to return an updated object after ldapmodify?
Then we could trigger it, get the DN and work with that DN in the token plugin.
We do not need to make it super general in the framework right now, but we
could do at least some minimal version for the token use case.

Martin




More information about the Freeipa-devel mailing list