On 14/08/2023 14.11, spike via FreeIPA-users wrote:
> On 14.08.23 13:52, Christian Heimes via FreeIPA-users wrote:
>> On 14/08/2023 07.37, spike via FreeIPA-users wrote:
>>> Hi,
>>> I've been trying to create a permission to allow certain users to manipulate
>>> all OTP Tokens. I found a post to this list from 2017 describing pretty much
>>> exactly what I want to do:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BG263EADXJOSCQBY3Q7WFXGPIZSXV5XK/
>>> My permission object looks pretty much identical (at least I can't find any
>>> significant difference):
>>> $ ipa permission-show --all --raw "OTP Key Management"
>>> dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
>>> cn: OTP Key Management
>>> ipapermright: all
>>> ipapermincludedattr: ipatokenTOTPtimeStep
>>> ipapermincludedattr: ipatokenOwner
>>> ipapermincludedattr: ipatokenOTPdigits
>>> ipapermincludedattr: ipatokenUniqueID
>>> ipapermincludedattr: ipatokenTOTPclockOffset
>>> ipapermincludedattr: ipatokenOTPkey
>>> ipapermbindruletype: permission
>>> ipapermlocation: cn=otp,dc=example,dc=com
>> How did you create the permission? The IPA permission location is wrong. The
>> suffix should match your domain components dc=rise,dc=fx.
> That's just a failed attempt on my part to remove any actual domain
> information. In reality the suffix is the same.
Ah! :)
Then the issue is likely caused by missing objectClass. You have to give
users permission to read the objectClass attribute, too. You are also
missing a couple of attributes like ipatokenOTPalgorithm,
ipatokenTOTPtimeStep, and ipatokenTOTPwatermark. You may also want to
cover HOTP, which uses a different object class and attributes.
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
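A check for the gap Christian describes, added here and not part of the thread: a small POSIX shell script that compares a permission's ipapermincludedattr list (as printed by ipa permission-show --all --raw) against the token attributes a TOTP/HOTP manager needs, prints what is missing, and prints the ipa permission-mod command that would fill the gap. The attribute names not mentioned in the thread (ipatokenHOTPcounter for HOTP, and the generic ipatokenDisabled, ipatokenNotBefore, ipatokenNotAfter, ipatokenVendor, ipatokenModel, ipatokenSerial and description) are assumed from the FreeIPA token schema; the sample input is the permission quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Attributes named in the thread: objectClass, ipatokenOwner, ipatokenUniqueID,
# ipatokenOTPkey, ipatokenOTPalgorithm, ipatokenOTPdigits, ipatokenTOTPtimeStep,
# ipatokenTOTPclockOffset, ipatokenTOTPwatermark. The others (ipatokenHOTPcounter
# for HOTP objects, the generic ipatokenDisabled/NotBefore/NotAfter/Vendor/Model/
# Serial, and description) are assumed from the FreeIPA token schema.
REQUIRED_ATTRS="objectClass description ipatokenOwner ipatokenUniqueID
ipatokenDisabled ipatokenNotBefore ipatokenNotAfter
ipatokenVendor ipatokenModel ipatokenSerial
ipatokenOTPkey ipatokenOTPalgorithm ipatokenOTPdigits
ipatokenTOTPtimeStep ipatokenTOTPclockOffset ipatokenTOTPwatermark
ipatokenHOTPcounter"

# Read 'ipa permission-show --all --raw' output on stdin and print, one per
# line, each required attribute that is not listed as ipapermincludedattr.
# Names are compared case-insensitively, as LDAP attribute names are.
otp_perm_missing_attrs() {
    present=$(awk -F': ' 'tolower($1)=="ipapermincludedattr" {print tolower($2)}')
    for attr in $REQUIRED_ATTRS; do
        lc=$(printf '%s' "$attr" | tr 'A-Z' 'a-z')
        printf '%s\n' "$present" | grep -qx "$lc" || echo "$attr"
    done
}

# Print (do not run) the ipa permission-mod invocation for permission $1.
# --includedattrs replaces the whole list on modification, so the command
# carries the attributes already present plus the missing ones.
otp_perm_mod_cmd() {
    perm=$1
    input=$(cat)
    present=$(printf '%s\n' "$input" | awk -F': ' 'tolower($1)=="ipapermincludedattr" {print $2}')
    missing=$(printf '%s\n' "$input" | otp_perm_missing_attrs)
    cmd="ipa permission-mod \"$perm\""
    for attr in $present $missing; do
        cmd="$cmd --includedattrs=$attr"
    done
    echo "$cmd"
}

# Usage: ipa permission-show --all --raw "OTP Key Management" | otp_perm_mod_cmd "OTP Key Management"
```

Review the printed command before running it, since it rewrites the permission's complete included-attribute list.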
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org