On 10/09/2014 06:53 PM, Nathaniel McCallum wrote:
On Thu, 2014-10-09 at 18:38 +0200, Ludwig Krispenz wrote:
On 10/09/2014 06:32 PM, thierry bordaz wrote:
On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:

The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID
Hello Nathaniel,

The post read control needs access to the modified entry to return it.
This access is granted on the condition that the binddn can access the
attributes.
Agreed and understood.

My understanding is that the target entry is
ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
and the binddn "uid=otp,cn=users,cn=accounts,dc=example,dc=com".
Correct.

The only ACI I found that matches this target is:

aci: (targetfilter = "(objectClass=ipaToken)")
     (targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled
      || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")
     (version 3.0; acl "Users/managers can read basic token info";
      allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
Correct.

Do you know if the target entry has 'ipatokenOwner' or 'managedBy' with
the binddn value?
Yes, both. So why is access to objectClass (et cetera) being denied?
Good question...
+1
Could you post the full ACI logging, not only the summary, for the access
to the attributes?
Attached.
This doesn't look like full ACL logging; did you set errorlog-level to include 128?
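As an added illustration, not code from the thread or from FreeIPA/389, here is a simplified Python evaluator of the quoted ACI against a constructed token entry. It shows which of the attributes the post-read control tried to return that ACI by itself should grant to an owner/manager bind DN, i.e. the expectation that the denial in the log contradicts. It ignores deny rules, other ACIs and the rest of 389's ACI semantics; the entry contents are constructed.

```python
import re
# The ACI quoted in the thread, reassembled onto one string.
ACI = ('(targetfilter = "(objectClass=ipaToken)")'
       '(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID'
       ' || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor'
       ' || ipatokenModel || ipatokenSerial || ipatokenOwner")'
       '(version 3.0; acl "Users/managers can read basic token info";'
       ' allow (read, search, compare) userattr = "ipatokenOwner#USERDN"'
       ' or userattr = "managedBy#USERDN";)')
BINDDN = "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
# Constructed token entry (attribute names lowercased), owned and managed by the bind DN.
ENTRY = {
    "objectclass": ["ipaToken"],
    "ipatokenuniqueid": ["52001946-4f2d-11e4-9127-7831c1d63a78"],
    "ipatokenowner": [BINDDN],
    "managedby": [BINDDN],
}
# Attributes the post-read control tried to return, per the log excerpt in the thread.
REQUESTED = ["objectClass", "ipatokenOTPalgorithm", "ipatokenOTPdigits", "ipatokenOTPkey",
             "ipatokenHOTPcounter", "ipatokenOwner", "managedBy", "ipatokenUniqueID"]

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_aci(aci):
    """Extract targetfilter, targetattrs and the userattr#USERDN subjects of one ACI."""
    attrs = re.search(r'targetattrs\s*=\s*"([^"]*)"', aci).group(1)
    flt = re.search(r'targetfilter\s*=\s*"\(([^=]+)=([^)]+)\)"', aci)
    subjects = re.findall(r'userattr\s*=\s*"([^#"]+)#USERDN"', aci)
    return {"targetattrs": {a.strip().lower() for a in attrs.split("||")},
            "targetfilter": (flt.group(1).lower(), flt.group(2).lower()),
            "userattrs": [s.lower() for s in subjects]}

def allowed_attrs(aci, entry, binddn, requested):
    """Split requested attrs into (allowed, denied) under this single allow ACI.
    Simplification: no deny rules, no other ACIs, equality targetfilter only."""
    rule = parse_aci(aci)
    fattr, fval = rule["targetfilter"]
    if fval not in {v.lower() for v in entry.get(fattr, [])}:
        return set(), set(requested)        # targetfilter does not match this entry
    bind = norm_dn(binddn)
    if not any(bind in {norm_dn(v) for v in entry.get(u, [])} for u in rule["userattrs"]):
        return set(), set(requested)        # bind DN is neither owner nor manager
    allowed = {a for a in requested if a.lower() in rule["targetattrs"]}
    return allowed, set(requested) - allowed

if __name__ == "__main__":
    ok, denied = allowed_attrs(ACI, ENTRY, BINDDN, REQUESTED)
    print("readable under this ACI:", sorted(ok))
    print("not covered by this ACI:", sorted(denied))
```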

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
