aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description ||
        managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore ||
        ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial ||
        ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info";
        allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or
        userattr = "managedBy#USERDN";)

        ...
        [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Processed attr:managedBy for entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
        [09/Oct/2014:21:34:59 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
        [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
        [09/Oct/2014:21:34:59 -0400] NSACLPlugin - 2. Evaluating ALLOW aci(19) " "Admin can manage any entry""
        [09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
        [09/Oct/2014:21:34:59 -0400] NSACLPlugin - conn=29 op=1 (main): Deny read on entry(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
        [09/Oct/2014:21:34:59 -0400] - process_read_entry_controls: access to entry not allowed (ipatokenuniqueid=bar,cn=otp,dc=example,dc=com)

    But for some reason, the evaluations of the READ access were not
    accepted.

The key is READ SKIP. It looks like it is using a cached evaluation of the ACIs, where the ACI did not apply. ACI caching is ....

Exact.
Well, I think I've been a bit too fast: the READ SKIP is only logged from the second attribute on, so caching was OK, but the wrong result was cached. What is really strange are these lines:

[09/Oct/2014:21:34:58 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Attr:ipatokenOwner
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - ACL info: userdnattr does not allow ADD permission at level 0.
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Returning UNDEFINED for userdnattr evaluation.

Why ADD, why UNDEFINED?

Now if I create two entries x/y and their associated ipatokens tokenX/tokenY and play at updating:
x updates tokenX, then y updates tokenY
x updates tokenX, then x updates tokenY
y updates tokenY, then x updates tokenX
...
each time I got the postread.

Something curious is going on that makes ACL_EvalTestRights return something different from ACL_RES_ALLOW.


    Did you already open a ticket for this problem?

    thanks
    thierry
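As an added reference model (not code from the thread, 389-ds or FreeIPA), the following Python evaluates what the quoted ACI should grant, so the expected outcome of the x/tokenX, y/tokenY scenario above can be compared against the access log. The user DNs and token entries are constructed sample data, and DN comparison is simplified to a case-insensitive string match.

```python
import re

# The ACI quoted at the top of the thread, joined onto one line.
ACI = ('(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || '
       'description || managedBy || ipatokenUniqueID || ipatokenDisabled || '
       'ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || '
       'ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read '
       'basic token info"; allow (read, search, compare) userattr = '
       '"ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)')


def parse_aci(aci):
    """Extract the targetfilter object class, the target attributes, the granted
    rights and the attribute names referenced by userattr = "X#USERDN" clauses."""
    objectclass = re.search(r'targetfilter\s*=\s*"\(objectClass=(\w+)\)"', aci, re.I).group(1)
    attrs = re.search(r'targetattrs\s*=\s*"([^"]*)"', aci).group(1)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    userattrs = re.findall(r'userattr\s*=\s*"(\w+)#USERDN"', aci)
    return {
        "objectclass": objectclass.lower(),
        "targetattrs": {a.strip().lower() for a in attrs.split("||")},
        "rights": {r.strip() for r in rights.split(",")},
        "userattrs": [u.lower() for u in userattrs],
    }


def allowed(aci, entry, attr, bind_dn, right="read"):
    """True if the ACI grants `right` on entry.attr to bind_dn.
    userattr = "X#USERDN" matches at level 0 when bind_dn is a value of
    attribute X on the target entry itself; the two clauses are OR-ed."""
    rule = parse_aci(aci)
    entry = {k.lower(): v for k, v in entry.items()}
    if rule["objectclass"] not in {oc.lower() for oc in entry.get("objectclass", [])}:
        return False  # targetfilter does not select this entry
    if attr.lower() not in rule["targetattrs"] or right not in rule["rights"]:
        return False  # attribute or right outside the ACI's scope
    bind = bind_dn.lower()  # constructed simplification of LDAP DN matching
    return any(bind in (v.lower() for v in entry.get(u, [])) for u in rule["userattrs"])


# Constructed sample data: x owns and manages tokenX; y owns tokenY, which x manages.
X = "uid=x,cn=users,cn=accounts,dc=example,dc=com"
Y = "uid=y,cn=users,cn=accounts,dc=example,dc=com"
TOKEN_X = {"objectClass": ["ipaToken"], "ipatokenOwner": [X], "managedBy": [X]}
TOKEN_Y = {"objectClass": ["ipaToken"], "ipatokenOwner": [Y], "managedBy": [X]}
```

With these entries the model expects x to read managedBy on both tokens and y only on tokenY; a "Deny read" for one of those combinations in the server log is the discrepancy the thread is chasing.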

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel