On 14.08.23 13:52, Christian Heimes via FreeIPA-users wrote:
> On 14/08/2023 07.37, spike via FreeIPA-users wrote:
>> Hi,
>>
>> I've been trying to create a permission to allow certain users to manipulate
>> all OTP Tokens. I found a post to this list from 2017 describing pretty much
>> exactly what I want to do:
>> https://lists.fedorahosted.org/archives/list/[email protected]/message/BG263EADXJOSCQBY3Q7WFXGPIZSXV5XK/
>>
>> My permission object looks pretty much identical (at least I can't find any
>> significant difference):
>>
>> $ ipa permission-show --all --raw "OTP Key Management"
>> dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
>> cn: OTP Key Management
>> ipapermright: all
>> ipapermincludedattr: ipatokenTOTPtimeStep
>> ipapermincludedattr: ipatokenOwner
>> ipapermincludedattr: ipatokenOTPdigits
>> ipapermincludedattr: ipatokenUniqueID
>> ipapermincludedattr: ipatokenTOTPclockOffset
>> ipapermincludedattr: ipatokenOTPkey
>> ipapermbindruletype: permission
>> ipapermlocation: cn=otp,dc=example,dc=com
>
> How did you create the permission? The IPA permission location is wrong. The
> suffix should match your domain components dc=rise,dc=fx.

That's just a failed attempt on my part to remove any actual domain information. In reality the suffix is the same.

Cheers!
