Sadly no, another person had been creating OTP tokens with the helpagent.


These were tokens owned by the helpagent, but with other users' names.


From: Aaron Hicks [] 
Sent: Thursday, 23 November 2017 4:00 PM
To: ''
Subject: RE: Creating a permission to manage OTP Tokens


Hello the list,


After ignoring things, this now _works_


$ kinit helpagent
Password for <> :
$ ipa otptoken-find

2 OTP tokens matched

  Unique ID: otpuser1
  Type: TOTP
  Owner: otpuser1

  Unique ID: otpuser2
  Type: TOTP
  Owner: otpuser2

Number of entries returned 2



From: Aaron Hicks [] 
Sent: Thursday, 23 November 2017 10:45 AM
To: ''
Subject: Creating a permission to manage OTP Tokens


Hello the list,


We'd like to grant users with the helpdesk role the ability to manipulate
other users' OTP tokens. The minimum would be to add them, delete them, and
enable/disable them.


This is currently possible if an admin sets a token's managedBy attribute
to the helpdesk user's DN. We don't want to grant our helpdesk agents admin


So, this is the permission I created:


$ ipa permission-show 'Manage OTP Tokens' --all --raw
  dn: cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org
  cn: Manage OTP Tokens
  ipapermright: all
  ipapermincludedattr: ipatokenOwner
  ipapermincludedattr: ipatokenUniqueID
  ipapermincludedattr: ipatokenOTPdigits
  ipapermincludedattr: ipatokenOTPkey
  ipapermincludedattr: ipatokenTOTPclockOffset
  ipapermincludedattr: ipatokenTOTPtimeStep
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,dc=test,dc=org
  ipapermtargetfilter: (objectclass=ipaToken)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner
|| ipatokenTOTPclockOffset || ipatokenTOTPtimeStep ||
ipatokenUniqueID")(targetfilter = "(objectclass=ipaToken)")(version 3.0;acl
"permission:Manage OTP Tokens";allow (all) groupdn = "ldap:///cn=Manage OTP
  member: cn=Manage OTP Token,cn=privileges,cn=pbac,dc=test,dc=org
  memberindirect: cn=helpdesk,cn=roles,cn=accounts,dc=test,dc=org
  memberindirect: uid=helpagent,cn=users,cn=accounts,dc=test,dc=org
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: ipapermissionv2


However this does not work:


$ kinit helpagent
Password for <> :
$ ipa otptoken-find

0 OTP tokens matched

Number of entries returned 0


Is there something happening in the back end preventing these permissions
from working?


Any suggestions?
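As an added example (not part of the thread, and not FreeIPA's own code), a small Python audit that parses the `--raw` permission listing above and flags what a reviewer would raise about it: with `ipapermright: all` over `ipatokenOTPkey`, everyone who inherits the permission can read each token's shared secret. The sample input is the thread's own listing, constructed inline with the truncated aci line left out.

```python
from typing import Dict, List

# Constructed sample: the `ipa permission-show --all --raw` listing from the
# thread, with the aci line left out because the mail truncates it.
RAW_PERMISSION = """\
  dn: cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org
  cn: Manage OTP Tokens
  ipapermright: all
  ipapermincludedattr: ipatokenOwner
  ipapermincludedattr: ipatokenUniqueID
  ipapermincludedattr: ipatokenOTPdigits
  ipapermincludedattr: ipatokenOTPkey
  ipapermincludedattr: ipatokenTOTPclockOffset
  ipapermincludedattr: ipatokenTOTPtimeStep
  ipapermtargetfilter: (objectclass=ipaToken)
  memberindirect: cn=helpdesk,cn=roles,cn=accounts,dc=test,dc=org
  memberindirect: uid=helpagent,cn=users,cn=accounts,dc=test,dc=org
"""

# ipatokenOTPkey is the shared HOTP/TOTP seed; anyone who can read it can
# clone the token, so a delegated permission should not expose it.
SECRET_ATTRS = {"ipatokenotpkey"}
# ACI rights that let the bound principal learn attribute values.
READ_RIGHTS = {"all", "read", "search", "compare"}

def parse_raw(raw: str) -> Dict[str, List[str]]:
    """Parse `attr: value` lines into a multi-valued dict (keys lowercased)."""
    entry: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

def audit_permission(entry: Dict[str, List[str]]) -> List[str]:
    """Return findings for one parsed permission entry (empty list if clean)."""
    findings = []
    rights = {r.lower() for r in entry.get("ipapermright", [])}
    attrs = {a.lower() for a in entry.get("ipapermincludedattr", [])}
    exposed = sorted(attrs & SECRET_ATTRS)
    if exposed and rights & READ_RIGHTS:
        findings.append(f"secret attribute(s) {exposed} readable with rights {sorted(rights)}")
    if "all" in rights:
        findings.append("right 'all' grants add/delete/write/read; list only the rights needed")
    for member in entry.get("memberindirect", []):  # who actually inherits this
        if member.lower().startswith("uid="):
            findings.append(f"effective for user {member}")
    return findings
```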






FreeIPA-users mailing list --