This patch is independent from my patches 0028-0031 and can be merged in
any order.
This patch has a bug, but I can't figure it out. We need to set
nsslapd-access-userattr-strict on cn=config to "off". However, during
the rpm installation, I get this error:
DEBUG Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Deleting attributes is not allowed', 'desc': 'Server is unwilling to perform'}
ERROR Update failed: Server is unwilling to perform: Deleting attributes is not allowed
I'm not sure what is causing this. Does anyone have any suggestions?
Nathaniel
From b251a89a77f3ca2bbb639b46e83902cd1af691c6 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <[email protected]>
Date: Tue, 7 Jan 2014 15:23:07 -0500
Subject: [PATCH] Update ACIs to permit users to add/delete their own tokens
---
freeipa.spec.in | 6 +++---
install/share/default-aci.ldif | 1 +
install/updates/10-config.update | 5 +++++
install/updates/40-otp.update | 1 +
4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6629f6a65551397965d1634ea641a3becbb085a5..bebe94028dafee12a9698fff19843750ab5b72f7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -21,7 +21,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.3
+BuildRequires: 389-ds-base-devel >= 1.3.2.10
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
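Review bot: the subject line only mentions the ACI update, but this hunk (and the two below it) raises the minimum 389-ds-base version from 1.3.1.3 to 1.3.2.10, and the only explanation for that is the comment added to install/updates/10-config.update ("Requires 389ds >= 1.3.2.10"). Put the reason for the dependency bump in the commit message itself, e.g. that nsslapd-access-userattr-strict only exists from 1.3.2.10 on, so it is discoverable from the git log without opening the update file.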
@@ -96,7 +96,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.10
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
@@ -152,7 +152,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.1.3
+Requires(pre): 389-ds-base >= 1.3.2.10
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 510ea32848ef0f51aaaaf67d8cca3e3c14351a4f..1e0c21eec5ee0b3719cc09921f231743134908f9 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -103,3 +103,4 @@ add: aci
aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)
aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)
aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
+aci: (target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create and delete tokens"; allow (add, delete) userattr = "ipatokenOwner#USERDN";)
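Review bot: the new ACI grants add and delete on whole entries under ipatokenuniqueid=*,cn=otp,$SUFFIX with the bind rule userattr = "ipatokenOwner#USERDN", which for an add means the rule is evaluated against the ipatokenOwner value of the entry being created; that is exactly the case that needs strict mode off, and a one-line `#` comment beside this ACI saying so would save the next reader a trip to 10-config.update. Also worth a second look is the interaction with the existing "Users can write basic token info" ACI two lines above, which keeps ipatokenOwner in its targetattrs: together with this ACI, a user who creates a token can later rewrite ipatokenOwner and hand that token to another user. If that is not intended, removing ipatokenOwner from the write ACI's targetattrs is the straightforward fix.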
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 1512b3601bcb2337392b82bf54f540cd48ee8382..f7e8c2126cd1cee631edfe42060552042a52bbb2 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -63,3 +63,8 @@ addifnew:nsSaslMapPriority: 10
# Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
dn: cn=config
only:nsslapd-sasl-max-buffer-size:2097152
+
+# Disable userattr strict mode. This is primarily for OTP where users
+# need to add objects that point to themselves. Requires 389ds >= 1.3.2.10.
+dn: cn=config
+only:nsslapd-access-userattr-strict: off
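Review bot: this `only:` line is the one that produces the "Deleting attributes is not allowed" failure quoted in the cover mail. On a fresh server the attribute already holds a value (otherwise there would be nothing to turn off), so `only:` has to change an existing value on cn=config, and the server's refusal to delete an attribute suggests the updater is issuing a delete of the old value followed by an add rather than a single replace. Check how `only:` is implemented for an attribute that already has a different value and whether cn=config accepts a replace instead. Two smaller points: the new line has a space after the second colon (`: off`) while the line above uses none (`:2097152`), so confirm the parsed value is `off` and not ` off`; and since this is a server-wide switch on cn=config, every other ACI on the server that uses a userattr bind rule changes behaviour too, not only the OTP ones, which the comment should say.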
diff --git a/install/updates/40-otp.update b/install/updates/40-otp.update
index 83dfab7c03bfeb121756410d79143c3812146de6..1204d30a594bcf5a50db6a9b07343e80846d3560 100644
--- a/install/updates/40-otp.update
+++ b/install/updates/40-otp.update
@@ -7,6 +7,7 @@ dn: $SUFFIX
add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)'
add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)'
add: aci:'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)'
+add: aci:'(target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create and delete tokens"; allow (add, delete) userattr = "ipatokenOwner#USERDN";)'
dn: cn=radiusproxy,$SUFFIX
default: objectClass: nsContainer
--
1.8.4.2
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel