On 14/08/2023 14.11, spike via FreeIPA-users wrote:
> On 14.08.23 13:52, Christian Heimes via FreeIPA-users wrote:
>> On 14/08/2023 07.37, spike via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I've been trying to create a permission to allow certain users to manipulate
>>> all OTP Tokens. I found a post to this list from 2017 describing pretty much
>>> exactly what I want to do:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BG263EADXJOSCQBY3Q7WFXGPIZSXV5XK/
>>>
>>> My permission object looks pretty much identical (at least I can't find any
>>> significant difference):
>>>
>>> $ ipa permission-show --all --raw "OTP Key Management"
>>>     dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
>>>     cn: OTP Key Management
>>>     ipapermright: all
>>>     ipapermincludedattr: ipatokenTOTPtimeStep
>>>     ipapermincludedattr: ipatokenOwner
>>>     ipapermincludedattr: ipatokenOTPdigits
>>>     ipapermincludedattr: ipatokenUniqueID
>>>     ipapermincludedattr: ipatokenTOTPclockOffset
>>>     ipapermincludedattr: ipatokenOTPkey
>>>     ipapermbindruletype: permission
>>>     ipapermlocation: cn=otp,dc=example,dc=com
>>
>> How did you create the permission? The IPA permission location is wrong. The
>> suffix should match your domain components dc=rise,dc=fx.
>
> That's just a failed attempt on my part to remove any actual domain
> information. In reality the suffix is the same.

Ah! :)

Then the issue is likely caused by missing objectClass. You have to give users permission to read the objectClass attribute, too. You are also missing a couple of attributes like ipatokenOTPalgorithm, ipatokenTOTPtimeStep, and ipatokenTOTPwatermark. You may also want to cover HOTP, which uses a different object class and attributes.


--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
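Christian's reply lists what the permission still lacks: read access to objectClass, the remaining TOTP attributes, and the HOTP attributes. The shell script below is an added example, not code from the thread or from the FreeIPA project. It audits a `permission-show --all --raw` dump against that list and prints the `ipa permission-mod` call that would add the missing attributes. It assumes the dump posted above with the suffix set to dc=rise,dc=fx (as spike confirmed), takes ipatokenHOTPcounter and the ipatokenTOTP/ipatokenHOTP object classes from the FreeIPA schema rather than from the thread, and uses function names chosen here (present_attrs, missing_attrs, fix_command).

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): audit an OTP-token permission
# dump for the attributes the reply says are missing, then emit the ipa call
# that would add them. Attribute names beyond those posted in the thread
# (ipatokenHOTPcounter) are taken from the FreeIPA schema.

# Attributes a permission covering both TOTP and HOTP tokens should include.
# objectClass must be readable or the bind user cannot see the entries at all;
# TOTP tokens use object class ipatokenTOTP, HOTP tokens ipatokenHOTP.
REQUIRED_ATTRS="objectClass ipatokenUniqueID ipatokenOwner ipatokenOTPkey ipatokenOTPalgorithm ipatokenOTPdigits ipatokenTOTPclockOffset ipatokenTOTPtimeStep ipatokenTOTPwatermark ipatokenHOTPcounter"

# Constructed sample: the 'ipa permission-show --all --raw' output as posted,
# with ipapermlocation set to the real suffix.
SAMPLE_DUMP='  dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
  cn: OTP Key Management
  ipapermright: all
  ipapermincludedattr: ipatokenTOTPtimeStep
  ipapermincludedattr: ipatokenOwner
  ipapermincludedattr: ipatokenOTPdigits
  ipapermincludedattr: ipatokenUniqueID
  ipapermincludedattr: ipatokenTOTPclockOffset
  ipapermincludedattr: ipatokenOTPkey
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,dc=rise,dc=fx'

# Print the included attributes found in a dump, one per line, lower-cased
# (LDAP attribute names are case-insensitive).
present_attrs() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ipapermincludedattr:[[:space:]]*//p' \
        | tr 'A-Z' 'a-z'
}

# Print the required attributes that the dump does not include, space separated,
# in the order of REQUIRED_ATTRS.
missing_attrs() {
    have=$(present_attrs "$1")
    out=""
    for a in $REQUIRED_ATTRS; do
        lc=$(printf '%s' "$a" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$have" | grep -qx "$lc"; then
            out="$out $a"
        fi
    done
    printf '%s' "${out# }"
}

# Build the permission-mod call that appends the missing attributes.
# --addattr appends a value to a multi-valued attribute instead of replacing
# the whole set, so attributes already present are left untouched.
fix_command() {
    missing=$(missing_attrs "$1")
    if [ -z "$missing" ]; then
        printf 'nothing to do'
        return 0
    fi
    cmd='ipa permission-mod "OTP Key Management"'
    for a in $missing; do
        cmd="$cmd --addattr=ipapermincludedattr=$a"
    done
    printf '%s' "$cmd"
}

# Usage: run the audit against the constructed dump.
printf 'missing: %s\n' "$(missing_attrs "$SAMPLE_DUMP")"
printf 'fix:     %s\n' "$(fix_command "$SAMPLE_DUMP")"
```

After applying the printed command, re-run `ipa permission-show --all --raw "OTP Key Management"` and feed the new output to the same audit; it should report nothing missing. If HOTP tokens are not needed, drop ipatokenHOTPcounter from REQUIRED_ATTRS, but keep objectClass in either case.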
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org