Hi, I've been trying to create a permission to allow certain users to manipulate all OTP Tokens. I found a post to this list from 2017 describing pretty much exactly what I want to do: https://lists.fedorahosted.org/archives/list/[email protected]/message/BG263EADXJOSCQBY3Q7WFXGPIZSXV5XK/
My permission object looks pretty much identical (at least I can't find any significant difference):

$ ipa permission-show --all --raw "OTP Key Management"
dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
cn: OTP Key Management
ipapermright: all
ipapermincludedattr: ipatokenTOTPtimeStep
ipapermincludedattr: ipatokenOwner
ipapermincludedattr: ipatokenOTPdigits
ipapermincludedattr: ipatokenUniqueID
ipapermincludedattr: ipatokenTOTPclockOffset
ipapermincludedattr: ipatokenOTPkey
ipapermbindruletype: permission
ipapermlocation: cn=otp,dc=example,dc=com
ipapermtargetfilter: (objectclass=ipatoken)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep || ipatokenUniqueID")(targetfilter = "(objectclass=ipatoken)")(version 3.0;acl "permission:OTP Key Management";allow (all) groupdn = "ldap:///cn=OTP Key Management,cn=permissions,cn=pbac,dc=example,dc=com";)
member: cn=OTP Administrators,cn=privileges,cn=pbac,dc=example,dc=com
memberindirect: uid=otpmaster,cn=users,cn=accounts,dc=example,dc=com
memberindirect: cn=OTP Administrator,cn=roles,cn=accounts,dc=example,dc=com
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2

However, 'otptoken-find' doesn't return any tokens:

$ kinit
Password for [email protected]:
$ ipa otptoken-find
--------------------
0 OTP tokens matched
--------------------
----------------------------
Number of entries returned 0
----------------------------

An ldapsearch with "(objectclass=ipatoken)" also returns no result. It all works fine if I run this as a user that is a member of the "admins" group or add "otpmaster" to "admins".

Any pointers are greatly appreciated. I'm running FreeIPA 4.6.8 on CentOS 7.9.2009.

Cheers!
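An added check, not part of the original post: in 389-ds a search only matches entries when the bound user has rights on the attributes named in the filter, so the filter is worth comparing against the ACI's targetattr list. The small Python helper below (function names are my own) parses the aci value quoted above and reports that "(objectclass=ipatoken)" depends on objectclass, which that targetattr list does not include.

```python
import re

# The aci value quoted in the post above, copied verbatim from the post.
ACI = ('(targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner || '
       'ipatokenTOTPclockOffset || ipatokenTOTPtimeStep || ipatokenUniqueID")'
       '(targetfilter = "(objectclass=ipatoken)")'
       '(version 3.0;acl "permission:OTP Key Management";allow (all) '
       'groupdn = "ldap:///cn=OTP Key Management,cn=permissions,cn=pbac,dc=example,dc=com";)')

# The filter from the post that returned nothing for the otpmaster user.
SEARCH_FILTER = "(objectclass=ipatoken)"


def aci_target_attrs(aci):
    """Parse the targetattr clause of a 389-ds ACI.

    Returns (negated, attrs): negated is True for 'targetattr != "..."',
    attrs is the lower-cased set of names ('*' is kept literally).
    An ACI without a targetattr clause grants nothing at attribute level.
    """
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci)
    if not m:
        return False, set()
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    return m.group(1) == "!=", attrs


def filter_attrs(ldap_filter):
    """Attribute names an RFC 4515 filter compares on (=, ~=, >=, <=, presence)."""
    pattern = r'\(([A-Za-z][A-Za-z0-9.;-]*)\s*[~<>]?='
    return {a.lower() for a in re.findall(pattern, ldap_filter)}


def uncovered_filter_attrs(aci, ldap_filter):
    """Filter attributes that the ACI's targetattr does not grant.

    389-ds checks the bound user's rights on every attribute named in the
    filter, so any name returned here means the filter cannot match through
    this ACI alone.
    """
    negated, attrs = aci_target_attrs(aci)
    needed = filter_attrs(ldap_filter)
    if negated:
        return needed & attrs          # all names except the listed ones are granted
    if "*" in attrs:
        return set()                   # wildcard covers every attribute
    return needed - attrs


if __name__ == "__main__":
    missing = uncovered_filter_attrs(ACI, SEARCH_FILTER)
    print("filter %s needs rights on: %s" % (SEARCH_FILTER, sorted(filter_attrs(SEARCH_FILTER))))
    print("not granted by targetattr:", sorted(missing) or "none")
```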
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
