Tried adding objectclass to the attrs, but it is entirely possible I did 
something incorrect, as the users are still unable to view other OTP tokens.

Here's the current state of the policy:

$ ipa permission-show test --all --raw
  dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
  cn: test
  ipapermright: all
  ipapermincludedattr: ipatokentotptimestep
  ipapermincludedattr: ipatokenotpalgorithm
  ipapermincludedattr: ipatokentotpwatermark
  ipapermincludedattr: ipatokenowner
  ipapermincludedattr: ipatokenotpdigits
  ipapermincludedattr: ipatokenuniqueid
  ipapermincludedattr: ipatokentotpclockoffset
  ipapermincludedattr: ipatokenotpkey
  ipapermincludedattr: cn
  ipapermincludedattr: ipatokenhotpsyncwindow
  ipapermincludedattr: ipatokenhotpauthwindow
  ipapermincludedattr: ipatokentotpsyncwindow
  ipapermincludedattr: ipatokentotpauthwindow
  ipapermincludedattr: objectclass
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
  ipapermtargetfilter: (objectclass=ipatokenotpconfig)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || 
ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || 
ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || 
ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid || 
objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl 
"permission:test";allow (all) groupdn = 
"ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";;)
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: ipapermissionv2

(Again, membership info has been removed, but shows the expected and proper 
members)
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
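As an added example (not from the poster or the FreeIPA project), a small Python check over `ipa permission-show --raw` output that flags the two things a reviewer would look at first in the permission above: whether the included token attributes can be reached at all through a filter on objectclass=ipatokenotpconfig (which, per the FreeIPA schema as I know it, is the OTP config entry's objectclass, while token entries carry ipatoken; confirm against your own server's schema), and whether ipatokenotpkey is being granted to a group. The attribute map and the trimmed sample dump are constructed assumptions.

```python
import re

# Assumed subset of the FreeIPA OTP schema (not from the post): attributes that
# live on token entries (objectclass ipatoken). Verify against your server.
TOKEN_ATTRS = {
    "ipatokenuniqueid", "ipatokenowner", "ipatokenotpkey", "ipatokenotpalgorithm",
    "ipatokenotpdigits", "ipatokentotpclockoffset", "ipatokentotptimestep",
    "ipatokentotpwatermark",
}
SENSITIVE = {"ipatokenotpkey"}  # the shared secret behind every code a token emits

# Constructed sample in `ipa permission-show --raw` format, trimmed from the post.
SAMPLE = """\
  dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
  cn: test
  ipapermright: all
  ipapermincludedattr: ipatokenowner
  ipapermincludedattr: ipatokenotpkey
  ipapermincludedattr: ipatokentotpauthwindow
  ipapermincludedattr: objectclass
  ipapermbindruletype: permission
  ipapermtargetfilter: (objectclass=ipatokenotpconfig)
"""

def parse_permission(raw):
    """Turn `attr: value` lines into attr -> [values]. Wrapped continuation
    lines (e.g. inside a long aci value) have no `name:` prefix and are skipped."""
    entry = {}
    for line in raw.splitlines():
        m = re.match(r"\s*([A-Za-z]+): ?(.*)$", line)
        if m:
            entry.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return entry

def audit(entry):
    """Return human-readable findings about an OTP-related permission."""
    findings = []
    attrs = {a.lower() for a in entry.get("ipapermincludedattr", [])}
    rights = set(entry.get("ipapermright", []))
    filt = " ".join(entry.get("ipapermtargetfilter", [])).lower()
    # An ACI applies only to entries matched by its targetfilter, so a filter on
    # the OTP *config* objectclass never exposes attributes of token entries.
    if "objectclass=ipatokenotpconfig" in filt and attrs & TOKEN_ATTRS:
        findings.append("targetfilter selects the OTP config entry, so these token "
                        "attributes are never granted: " + ", ".join(sorted(attrs & TOKEN_ATTRS)))
    # Read-capable rights on the token secret are a disclosure risk worth a second look.
    if attrs & SENSITIVE and rights & {"all", "read", "search", "compare"}:
        findings.append("ipatokenotpkey (shared secret) is exposed with rights: " + ", ".join(sorted(rights)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_permission(SAMPLE)):
        print("-", finding)
```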