On 14.08.23 18:36, Christian Heimes via FreeIPA-users wrote:
> On 14/08/2023 14.11, spike via FreeIPA-users wrote:
>> On 14.08.23 13:52, Christian Heimes via FreeIPA-users wrote:
>>> On 14/08/2023 07.37, spike via FreeIPA-users wrote:
>>>> I've been trying to create a permission to allow certain users to
>>>> manipulate all OTP Tokens. I found a post to this list from 2017
>>>> describing pretty much exactly what I want to do:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BG263EADXJOSCQBY3Q7WFXGPIZSXV5XK/
>>>>
>>>> My permission object looks pretty much identical (at least I can't find
>>>> any significant difference):
>>>>
>>>> $ ipa permission-show --all --raw "OTP Key Management"
>>>> dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
>>>> cn: OTP Key Management
>>>> ipapermright: all
>>>> ipapermincludedattr: ipatokenTOTPtimeStep
>>>> ipapermincludedattr: ipatokenOwner
>>>> ipapermincludedattr: ipatokenOTPdigits
>>>> ipapermincludedattr: ipatokenUniqueID
>>>> ipapermincludedattr: ipatokenTOTPclockOffset
>>>> ipapermincludedattr: ipatokenOTPkey
>>>> ipapermbindruletype: permission
>>>> ipapermlocation: cn=otp,dc=example,dc=com
>
>
> Then the issue is likely caused by missing objectClass. You have to give
> users permission to read the objectClass attribute, too.
Brilliant, that did it. Thanks so much!

Cheers
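The diagnosis in the thread (attribute-scoped rights that omit objectClass) is easy to miss when reviewing permissions by eye. The following is an added example, not code from the thread or from the FreeIPA project: it parses the `ipa permission-show --all --raw` output pasted above, computes the attribute set the permission effectively grants (FreeIPA's default attrs plus included attrs minus excluded attrs), flags the missing objectClass, and prints the `ipa permission-mod` call that adds it. The sample entry is the one quoted in the thread; the assumption that `--includedattrs` sets the complete list (so every existing attribute is repeated) is mine.

```python
"""Review a FreeIPA permission for the problem discussed in the thread:
attribute-level rights that leave out objectClass, so the grantee can read
the token attributes but not tell what kind of entry they belong to."""

from collections import defaultdict

# Constructed sample: the permission quoted in the thread, as printed by
# ``ipa permission-show --all --raw "OTP Key Management"``.
BROKEN_PERMISSION = """\
dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
cn: OTP Key Management
ipapermright: all
ipapermincludedattr: ipatokenTOTPtimeStep
ipapermincludedattr: ipatokenOwner
ipapermincludedattr: ipatokenOTPdigits
ipapermincludedattr: ipatokenUniqueID
ipapermincludedattr: ipatokenTOTPclockOffset
ipapermincludedattr: ipatokenOTPkey
ipapermbindruletype: permission
ipapermlocation: cn=otp,dc=example,dc=com
"""

# Rights under which the grantee must also be able to read objectClass;
# without it the ipa client cannot map the entry to an object type.
READ_LIKE_RIGHTS = {"read", "search", "compare", "all"}


def parse_raw_permission(text):
    """Parse ``attr: value`` lines of --raw output into a dict of lists.

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive; values are kept verbatim.
    """
    entry = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        entry[name.strip().lower()].append(value.strip())
    return dict(entry)


def effective_attributes(entry):
    """Attributes the permission actually grants access to.

    FreeIPA combines the managed default set with the included set and
    removes the excluded set; all three are optional.
    """
    attrs = {a.lower() for a in entry.get("ipapermdefaultattr", [])}
    attrs |= {a.lower() for a in entry.get("ipapermincludedattr", [])}
    attrs -= {a.lower() for a in entry.get("ipapermexcludedattr", [])}
    return attrs


def missing_objectclass(entry):
    """True when rights are scoped to specific attributes but objectClass is
    not among them, the situation diagnosed in the thread."""
    rights = {r.lower() for r in entry.get("ipapermright", [])}
    attrs = effective_attributes(entry)
    if not attrs:
        # No attribute list at all: the ACI is not attribute-scoped, so
        # there is nothing to add here.
        return False
    return bool(rights & READ_LIKE_RIGHTS) and "objectclass" not in attrs


def fix_command(entry):
    """Build the ``ipa permission-mod`` call that adds objectClass.

    Assumption (mine, not from the thread): --includedattrs sets the whole
    list, so the existing included attributes are repeated.  The command is
    returned as a string for review rather than executed.
    """
    name = entry["cn"][0]
    included = entry.get("ipapermincludedattr", []) + ["objectClass"]
    flags = " ".join(f"--includedattrs={a}" for a in included)
    return f'ipa permission-mod "{name}" {flags}'


if __name__ == "__main__":
    perm = parse_raw_permission(BROKEN_PERMISSION)
    if missing_objectclass(perm):
        print("objectClass is not readable under this permission; run:")
        print("  " + fix_command(perm))
    else:
        print("permission looks fine")
```

Run it against the output of `ipa permission-show --all --raw` for any custom permission; a permission whose included or default attributes already contain objectClass (in any letter case) passes the check.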