Hello the list,

After ignoring things, this now _works_

$ kinit helpagent
Password for helpag...@test.org:
$ ipa otptoken-find
--------------------
2 OTP tokens matched
--------------------
  Unique ID: otpuser1
  Type: TOTP
  Owner: otpuser1

  Unique ID: otpuser2
  Type: TOTP
  Owner: otpuser2
----------------------------
Number of entries returned 2
----------------------------

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Thursday, 23 November 2017 10:45 AM
To: 'freeipa-users@lists.fedorahosted.org' <freeipa-users@lists.fedorahosted.org>
Subject: Creating a permission to manage OTP Tokens

Hello the list,

We'd like to grant users with the helpdesk role the ability to manipulate
other users' OTP tokens. The minimum would be to add them, delete them, and
enable/disable them.

This is currently possible if an admin sets a token's managedBy attribute
to the helpdesk user's DN. We don't want to grant our helpdesk agents admin
privileges.

So, this is the permission I created:

$ ipa permission-show 'Manage OTP Tokens' --all --raw
  dn: cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org
  cn: Manage OTP Tokens
  ipapermright: all
  ipapermincludedattr: ipatokenOwner
  ipapermincludedattr: ipatokenUniqueID
  ipapermincludedattr: ipatokenOTPdigits
  ipapermincludedattr: ipatokenOTPkey
  ipapermincludedattr: ipatokenTOTPclockOffset
  ipapermincludedattr: ipatokenTOTPtimeStep
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,dc=test,dc=org
  ipapermtargetfilter: (objectclass=ipaToken)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep || ipatokenUniqueID")(targetfilter = "(objectclass=ipaToken)")(version 3.0;acl "permission:Manage OTP Tokens";allow (all) groupdn = "ldap:///cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org";)
  member: cn=Manage OTP Token,cn=privileges,cn=pbac,dc=test,dc=org
  memberindirect: cn=helpdesk,cn=roles,cn=accounts,dc=test,dc=org
  memberindirect: uid=helpagent,cn=users,cn=accounts,dc=test,dc=org
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: ipapermissionv2

However this does not work:

$ kinit helpagent
Password for helpag...@test.org:
$ ipa otptoken-find
--------------------
0 OTP tokens matched
--------------------
----------------------------
Number of entries returned 0

Is there something happening in the back end preventing these permissions
from working?

Any suggestions?

Regards,

Aaron
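Before handing a permission like the one above to a helpdesk role, it is worth reading the generated ACI back and checking what it actually grants. The script below is an added example written for this thread, not code from the original post or from FreeIPA: it parses the 389-ds ACI syntax that `ipa permission-show --raw` prints (targetattr, targetfilter, acl name, allow/deny rights and the bind rule) and raises least-privilege findings. Two things are assumptions of the example rather than facts from the thread: the expansion of the `all` keyword to every right except proxy, and the list of attributes treated as secrets (only `ipatokenOTPkey`, the token's shared seed). On the ACI from the post it reports that `allow (all)` makes `ipatokenOTPkey` readable by the `Manage OTP Tokens` group, so helpdesk agents could retrieve token seeds, and that the rights list is broader than add/delete/enable-disable needs.

```python
import re

# Constructed sample input: the ACI from Aaron's permission-show output,
# with the mail client's line wrapping undone so it is one string.
SAMPLE_ACI = (
    '(targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner '
    '|| ipatokenTOTPclockOffset || ipatokenTOTPtimeStep || ipatokenUniqueID")'
    '(targetfilter = "(objectclass=ipaToken)")'
    '(version 3.0;acl "permission:Manage OTP Tokens";allow (all) groupdn = '
    '"ldap:///cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org";)'
)

# Assumption: 389-ds expands the "all" keyword to every right except proxy.
ALL_RIGHTS = frozenset({"read", "write", "search", "compare", "selfwrite", "add", "delete"})
# Rights that let the bound identity learn an attribute's value (compare and
# search can be used as a yes/no oracle even without read).
DISCLOSING_RIGHTS = frozenset({"read", "search", "compare"})
# Assumption for this example: attributes holding secrets. ipatokenOTPkey is
# the token's shared seed; anyone who can read it can generate valid codes.
SECRET_ATTRS = frozenset({"ipatokenotpkey"})

_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')
_TARGETFILTER = re.compile(r'\(targetfilter\s*=\s*"([^"]*)"\)')
_ACLNAME = re.compile(r'\bacl\s+"([^"]*)"')
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(\w+)\s*=\s*"([^"]*)"')


def parse_aci(aci: str) -> dict:
    """Pull target, name, effect, rights and bind rule out of a 389-ds ACI string."""
    m_attr = _TARGETATTR.search(aci)
    m_rule = _RULE.search(aci)
    if m_attr is None or m_rule is None:
        raise ValueError("not a recognisable ACI: missing targetattr or allow/deny rule")
    m_filter = _TARGETFILTER.search(aci)
    m_name = _ACLNAME.search(aci)
    # Attribute names are case-insensitive in LDAP, so normalise to lower case.
    attrs = [a.strip().lower() for a in m_attr.group(1).split("||") if a.strip()]
    rights = {r.strip().lower() for r in m_rule.group(2).split(",") if r.strip()}
    if "all" in rights:
        rights = set(ALL_RIGHTS)
    return {
        "name": m_name.group(1) if m_name else "",
        "targetattr": attrs,
        "targetfilter": m_filter.group(1) if m_filter else "",
        "effect": m_rule.group(1),
        "rights": rights,
        "bind_keyword": m_rule.group(3),   # e.g. groupdn, userdn
        "bind_value": m_rule.group(4),     # the ldap:/// URL the rule binds to
    }


def review_aci(aci: str) -> tuple[dict, list[str]]:
    """Return the parsed ACI plus the least-privilege findings a reviewer would raise."""
    parsed = parse_aci(aci)
    findings: list[str] = []
    if parsed["effect"] != "allow":
        return parsed, findings          # deny rules cannot over-grant
    disclosing = parsed["rights"] & DISCLOSING_RIGHTS
    wildcard = "*" in parsed["targetattr"]
    if disclosing:
        exposed = (sorted(SECRET_ATTRS) if wildcard
                   else [a for a in parsed["targetattr"] if a in SECRET_ATTRS])
        for attr in exposed:
            findings.append(
                f"{attr} is disclosable ({', '.join(sorted(disclosing))}) "
                f"to {parsed['bind_value']}"
            )
    if parsed["rights"] == ALL_RIGHTS:
        findings.append("rights are 'all'; list only the rights the helpdesk task needs")
    if wildcard:
        findings.append("targetattr is '*'; enumerate the attributes instead")
    return parsed, findings


if __name__ == "__main__":
    result, notes = review_aci(SAMPLE_ACI)
    print(result["name"], "->", ", ".join(sorted(result["rights"])))
    for note in notes:
        print("finding:", note)
```

The same parser runs unchanged over any ACI copied from `ipa permission-show --all --raw`, so it can be dropped into a review step that diffs the `aci:` line before and after a `permission-mod`.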

 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org