Russ Long via FreeIPA-users wrote:
> Tried adding objectclass to the attrs, but it is entirely possible I did 
> something incorrect, as the users are still unable to view other OTP tokens.
> 
> Here's the current state of the policy:
> 
> $ ipa permission-show test --all --raw
>   dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
>   cn: test
>   ipapermright: all
>   ipapermincludedattr: ipatokentotptimestep
>   ipapermincludedattr: ipatokenotpalgorithm
>   ipapermincludedattr: ipatokentotpwatermark
>   ipapermincludedattr: ipatokenowner
>   ipapermincludedattr: ipatokenotpdigits
>   ipapermincludedattr: ipatokenuniqueid
>   ipapermincludedattr: ipatokentotpclockoffset
>   ipapermincludedattr: ipatokenotpkey
>   ipapermincludedattr: cn
>   ipapermincludedattr: ipatokenhotpsyncwindow
>   ipapermincludedattr: ipatokenhotpauthwindow
>   ipapermincludedattr: ipatokentotpsyncwindow
>   ipapermincludedattr: ipatokentotpauthwindow
>   ipapermincludedattr: objectclass
>   ipapermbindruletype: permission
>   ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
>   ipapermtargetfilter: (objectclass=ipatokenotpconfig)
>   ipapermissiontype: SYSTEM
>   ipapermissiontype: V2
>   aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow 
> || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || 
> ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || 
> ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || 
> ipatokenuniqueid || objectclass")(targetfilter = 
> "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:test";allow 
> (all) groupdn = 
> "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";;)
>   objectclass: top
>   objectclass: groupofnames
>   objectclass: ipapermission
>   objectclass: ipapermissionv2
> 
> (Again, membership info has been removed, but shows the expected and proper 
> members)

Ah right, the objectclass IIRC is wrong too. I think it should be ipatoken.

The default token ACIs sit in $SUFFIX and not under
cn=otp,cn=etc,dc=ipa. I don't think that makes a fundamental difference
but it might.

rob
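As an added example (not code from the thread or from FreeIPA itself): a small Python checker that pulls the targetattr and targetfilter out of an ACI string and evaluates them against a constructed token entry, which shows why a targetfilter of `(objectclass=ipatokenotpconfig)` never selects a token entry (objectclass ipatoken / ipatokentotp) while `(objectclass=ipatoken)` does. The entry values, the hypothetical helper names and the shortened ACIs are constructed; only the target part of the ACI is modelled, not the bind rule, rights or scope that the directory server also evaluates.

```python
import re

# Constructed, shortened ACIs: the targetfilter from the thread and Rob's fix.
ACI_WRONG = '(targetattr = "cn || ipatokenowner || objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")'
ACI_FIXED = '(targetattr = "cn || ipatokenowner || objectclass")(targetfilter = "(objectclass=ipatoken)")'

# Constructed sample token entry, shaped like a TOTP token under cn=otp,cn=etc,$SUFFIX.
TOKEN_ENTRY = {
    "objectclass": ["top", "ipatoken", "ipatokentotp"],
    "ipatokenuniqueid": ["constructed-token-id"],
    "ipatokenowner": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"],
}

def _parse_filter(s, i):
    """Parse an LDAP filter with &, |, ! and equality/presence; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = ("and" if s[i] == "&" else "or"), [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip closing ')'
    if s[i] == "!":
        node, i = _parse_filter(s, i + 1)
        return ("not", node), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")  # split on the first '=' only (DN values contain '=')
    return ("eq", attr.strip().lower(), val.strip()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry of {attr: [values]}."""
    kind = node[0]
    if kind == "eq":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    if kind == "not":
        return not matches(node[1], entry)
    results = [matches(k, entry) for k in node[1]]
    return all(results) if kind == "and" else any(results)

def aci_applies(aci, entry):
    """True when the ACI's targetfilter selects this entry (no targetfilter = all entries)."""
    m = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    return True if not m else matches(_parse_filter(m.group(1), 0)[0], entry)

def readable_attrs(aci, entry):
    """Attributes of entry the ACI would expose; empty when the targetfilter does not match."""
    if not aci_applies(aci, entry):
        return []
    m = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    allowed = {a.strip().lower() for a in m.group(1).split("||")} if m else {a.lower() for a in entry}
    return sorted(a for a in entry if a.lower() in allowed)
```

Running `readable_attrs(ACI_WRONG, TOKEN_ENTRY)` returns nothing, which is the symptom from the thread, while `readable_attrs(ACI_FIXED, TOKEN_ENTRY)` returns the owner and objectclass attributes.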