Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Martin Kosek]

On 10/13/2014 07:23 PM, Nathaniel McCallum wrote:
 On Mon, 2014-10-13 at 12:39 +0200, Martin Kosek wrote:
 On 10/10/2014 05:43 PM, Nathaniel McCallum wrote:
 As a result of this ongoing conversation, I have opened two 389 bugs:

 1. Post Read - https://fedorahosted.org/389/ticket/47924
 2. UUID ACIs - https://fedorahosted.org/389/ticket/47925

 On Wed, 2014-10-08 at 17:46 -0400, Nathaniel McCallum wrote:
 The background of this email is this bug:
 https://fedorahosted.org/freeipa/ticket/4456

 Attached are two patches which solve this issue for admin users (not
 very helpful, I know). They depend on this fix in 389:
 https://fedorahosted.org/389/ticket/47920

 There are two outstanding issues:

 1. 389 does not send the post read control for normal users. The
 operation itself succeeds, but no control is sent.

 The relevant sections from the log are attached. 389 is denying access
 to the following attributes (* = valid, ! = invalid):
 ! objectClass
 ! ipatokenOTPalgorithm
 ! ipatokenOTPdigits
 * ipatokenOTPkey
 * ipatokenHOTPcounter
 ! ipatokenOwner
 ! managedBy
 ! ipatokenUniqueID

 The ACIs allowing access to most of these attributes are here:
 https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

 Note that I am able to query the entry just fine (including all the
 above invalidly restricted attributes). Hence, I know the ACIs are
 working just fine.

 Part of the strange thing is that in the post read control request, I
 haven't indicated that I want *any* attributes returned (i.e. I want
 just the DN). So I'm not sure why it is querying all the attributes. I
 would suspect that the proper behavior would be to only check the ACIs
 on attributes that will actually be returned.

 2. The second patch (0002) modifies the ACI for normal user token
 addition from this:

 aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter
 = (objectClass=ipaToken))(version 3.0; acl Users can create
 self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and
 userattr = managedBy#SELFDN;)

 To this:

 aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
 $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
 Users can create self-managed tokens; allow (add) userattr =
 ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

 The idea is to allow users to create tokens which will be expanded by
 the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs are
 checked. Since the expanded UUID no longer matches the ACI, the addition
 is denied. Is this truly the correct behavior? I would think that the
 ACIs would be checked before the UUID plugin, not after.

 Given the number of issues we have with this patch on the DS side, it is 
 likely
 we will need to go some simpler way for FreeIPA 4.1, in terms just of hiding
 the option where appropriate.
 
 We have solved the first DS issue via a sensible workaround. Attached
 are two new patches. These take into account your feedback below and
 incorporate the aforementioned workaround.
 
 The only thing these patches lack is the tightening of the ACI (problem
 #2 in the first email). Merging these patches I believe provides
 benefits over our current code, even though we don't get the final
 benefit of forcing normal users to use autogeneration.
 
 If we test/merge these now, then when the second DS problem is solved,
 we can simply update the ACI independently via a trivial second patch
 (s/\*/autogenerate/).

Ok. We can merge the patches if they at least improve the situation and prepare
us for the future.

 Also, few comments to your current patch set (though the patches themselves
 will probably not land in 4.1):

 Patch 0001:
 - while it may work (after DS fixes), it adds PostRead for all our commands,
 not just otptoken-add. I would rather have some attribute like
 read_dn_from_postread on LDAPObject which defaults to False to make sure
 there is no regression or performance hit with other LDAP calls.
 
 In the new code, we actually get a performance gain as the manual post
 read is eliminated if the post read control is successful. Only one
 issue can arise, which is when the post read control evaluates ACIs in a
 different context than a normal manual read. This problem is well known
 and is trivial to fix (s/USERDN/SELFDN/).

That's my point - with such a big change, we can hit many unforeseen issues and
we are close to deadline. I would rather like to use the PostRead control only
in otptoken_add command. CCing Petr and Honza to chime in.

 - Wider adoption of the PostRead call would be left for future, when we stop
 doing post-execute LDAP read call and only rely on PostRead result.
 
 This is already integrated.
 
 Patch 0002:
 - cn=IPA Token Unique IDs,cn=IPA UUID,cn=plugins,cn=config should be 
 created
 in LDAP update files only. Currently it will not be created on upgrades.
 
 Fixed.

I would recommend testing your patches before you send them. Just based on
reading the 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Jan Cholasta]

Dne 14.10.2014 v 08:37 Martin Kosek napsal(a):

On 10/13/2014 07:23 PM, Nathaniel McCallum wrote:

On Mon, 2014-10-13 at 12:39 +0200, Martin Kosek wrote:

Also, few comments to your current patch set (though the patches themselves
will probably not land in 4.1):

Patch 0001:
- while it may work (after DS fixes), it adds PostRead for all our commands,
not just otptoken-add. I would rather have some attribute like
read_dn_from_postread on LDAPObject which defaults to False to make sure
there is no regression or performance hit with other LDAP calls.


In the new code, we actually get a performance gain as the manual post
read is eliminated if the post read control is successful. Only one
issue can arise, which is when the post read control evaluates ACIs in a
different context than a normal manual read. This problem is well known
and is trivial to fix (s/USERDN/SELFDN/).


That's my point - with such a big change, we can hit many unforeseen issues and
we are close to deadline. I would rather like to use the PostRead control only
in otptoken_add command. CCing Petr and Honza to chime in.


I agree it should be opt-in for now. Add a boolean argument to add_entry 
as a switch.


--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Petr Viktorin]

On 10/14/2014 08:51 AM, Jan Cholasta wrote:

Dne 14.10.2014 v 08:37 Martin Kosek napsal(a):

On 10/13/2014 07:23 PM, Nathaniel McCallum wrote:

On Mon, 2014-10-13 at 12:39 +0200, Martin Kosek wrote:

Also, few comments to your current patch set (though the patches
themselves
will probably not land in 4.1):

Patch 0001:
- while it may work (after DS fixes), it adds PostRead for all our
commands,
not just otptoken-add. I would rather have some attribute like
read_dn_from_postread on LDAPObject which defaults to False to
make sure
there is no regression or performance hit with other LDAP calls.


As Honza says later in the mail, this should be an argument for 
add_entry (or alternatively an additional add_entry_with_postread 
method). Storing settings in data objects leads to trouble – when you 
get such an object from somewhere, you never know what an operation on 
it will do.



In the new code, we actually get a performance gain as the manual post
read is eliminated if the post read control is successful. Only one
issue can arise, which is when the post read control evaluates ACIs in a
different context than a normal manual read. This problem is well known
and is trivial to fix (s/USERDN/SELFDN/).


That's my point - with such a big change, we can hit many unforeseen
issues and
we are close to deadline. I would rather like to use the PostRead
control only
in otptoken_add command. CCing Petr and Honza to chime in.


I agree it should be opt-in for now. Add a boolean argument to add_entry
as a switch.


+1

Also, I think the add_entry should not return anything; rather the 
PostRead result should be merged into the added entry object. Honza, 
what do you think?


In the future it might be useful for add_entry to return a list of 
controls, the `ctrls` in this patch.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Jan Cholasta]

Dne 14.10.2014 v 10:23 Petr Viktorin napsal(a):

On 10/14/2014 08:51 AM, Jan Cholasta wrote:

Dne 14.10.2014 v 08:37 Martin Kosek napsal(a):

On 10/13/2014 07:23 PM, Nathaniel McCallum wrote:

On Mon, 2014-10-13 at 12:39 +0200, Martin Kosek wrote:

Also, few comments to your current patch set (though the patches
themselves
will probably not land in 4.1):

Patch 0001:
- while it may work (after DS fixes), it adds PostRead for all our
commands,
not just otptoken-add. I would rather have some attribute like
read_dn_from_postread on LDAPObject which defaults to False to
make sure
there is no regression or performance hit with other LDAP calls.


As Honza says later in the mail, this should be an argument for
add_entry (or alternatively an additional add_entry_with_postread
method). Storing settings in data objects leads to trouble – when you
get such an object from somewhere, you never know what an operation on
it will do.


I would prefer add_entry argument rather than a new method, as that's 
how find_entries does controls.





In the new code, we actually get a performance gain as the manual post
read is eliminated if the post read control is successful. Only one
issue can arise, which is when the post read control evaluates ACIs
in a
different context than a normal manual read. This problem is well known
and is trivial to fix (s/USERDN/SELFDN/).


That's my point - with such a big change, we can hit many unforeseen
issues and
we are close to deadline. I would rather like to use the PostRead
control only
in otptoken_add command. CCing Petr and Honza to chime in.


I agree it should be opt-in for now. Add a boolean argument to add_entry
as a switch.


+1

Also, I think the add_entry should not return anything; rather the
PostRead result should be merged into the added entry object. Honza,
what do you think?


It should, good point.



In the future it might be useful for add_entry to return a list of
controls, the `ctrls` in this patch.




--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Tue, 2014-10-14 at 10:38 +0200, Jan Cholasta wrote:
 Dne 14.10.2014 v 10:23 Petr Viktorin napsal(a):
  On 10/14/2014 08:51 AM, Jan Cholasta wrote:
  Dne 14.10.2014 v 08:37 Martin Kosek napsal(a):
  On 10/13/2014 07:23 PM, Nathaniel McCallum wrote:
  On Mon, 2014-10-13 at 12:39 +0200, Martin Kosek wrote:
  Also, few comments to your current patch set (though the patches
  themselves
  will probably not land in 4.1):
 
  Patch 0001:
  - while it may work (after DS fixes), it adds PostRead for all our
  commands,
  not just otptoken-add. I would rather have some attribute like
  read_dn_from_postread on LDAPObject which defaults to False to
  make sure
  there is no regression or performance hit with other LDAP calls.
 
  As Honza says later in the mail, this should be an argument for
  add_entry (or alternatively an additional add_entry_with_postread
  method). Storing settings in data objects leads to trouble – when you
  get such an object from somewhere, you never know what an operation on
  it will do.
 
 I would prefer add_entry argument rather than a new method, as that's 
 how find_entries does controls.
 
 
  In the new code, we actually get a performance gain as the manual post
  read is eliminated if the post read control is successful. Only one
  issue can arise, which is when the post read control evaluates ACIs
  in a
  different context than a normal manual read. This problem is well known
  and is trivial to fix (s/USERDN/SELFDN/).
 
  That's my point - with such a big change, we can hit many unforeseen
  issues and
  we are close to deadline. I would rather like to use the PostRead
  control only
  in otptoken_add command. CCing Petr and Honza to chime in.
 
  I agree it should be opt-in for now. Add a boolean argument to add_entry
  as a switch.
 
  +1
 
  Also, I think the add_entry should not return anything; rather the
  PostRead result should be merged into the added entry object. Honza,
  what do you think?
 
 It should, good point.
 
 
  In the future it might be useful for add_entry to return a list of
  controls, the `ctrls` in this patch.

If we're going to implement temporary workarounds like this in order to
merge this patch, I'd prefer to just wait until 4.2. Without activating
the post read control for all add operations, there is really no benefit
to this patch and added risk.

I propose that for 4.1, we use the attached patch to remove the field
from the UI. Once we have proper ACI/UUID-plugin integration in 389, we
can revisit these patches.

Nathaniel
From 244834182add8e927171f6e9f1b4966c829b7aa4 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Tue, 14 Oct 2014 14:30:01 -0400
Subject: [PATCH] Remove token ID from self-service UI

Also, fix labels to properly use i18n strings for token types.
---
 install/ui/src/freeipa/otptoken.js | 8 ++--
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/otptoken.js b/install/ui/src/freeipa/otptoken.js
index d5afd25e66c58f4a3b5ce7241b3ddd0ca4f00850..2daeed9b6956921850b527e60b00ad124fb5f3d0 100644
--- a/install/ui/src/freeipa/otptoken.js
+++ b/install/ui/src/freeipa/otptoken.js
@@ -289,14 +289,10 @@ return {
 name: 'type',
 default_value: 'totp',
 options: [
-{ label: 'TOTP', value: 'totp' },
-{ label: 'HOTP', value: 'hotp' }
+{ label: '@i18n:objects.otptoken.type_totp', value: 'totp' },
+{ label: '@i18n:objects.otptoken.type_hotp', value: 'hotp' }
 ]
 },
-{
-name: 'ipatokenuniqueid',
-required: false
-},
 'description'
 ]
 }
-- 
2.1.0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Martin Kosek]

On 10/10/2014 05:43 PM, Nathaniel McCallum wrote:
 As a result of this ongoing conversation, I have opened two 389 bugs:
 
 1. Post Read - https://fedorahosted.org/389/ticket/47924
 2. UUID ACIs - https://fedorahosted.org/389/ticket/47925
 
 On Wed, 2014-10-08 at 17:46 -0400, Nathaniel McCallum wrote:
 The background of this email is this bug:
 https://fedorahosted.org/freeipa/ticket/4456

 Attached are two patches which solve this issue for admin users (not
 very helpful, I know). They depend on this fix in 389:
 https://fedorahosted.org/389/ticket/47920

 There are two outstanding issues:

 1. 389 does not send the post read control for normal users. The
 operation itself succeeds, but no control is sent.

 The relevant sections from the log are attached. 389 is denying access
 to the following attributes (* = valid, ! = invalid):
 ! objectClass
 ! ipatokenOTPalgorithm
 ! ipatokenOTPdigits
 * ipatokenOTPkey
 * ipatokenHOTPcounter
 ! ipatokenOwner
 ! managedBy
 ! ipatokenUniqueID

 The ACIs allowing access to most of these attributes are here:
 https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

 Note that I am able to query the entry just fine (including all the
 above invalidly restricted attributes). Hence, I know the ACIs are
 working just fine.

 Part of the strange thing is that in the post read control request, I
 haven't indicated that I want *any* attributes returned (i.e. I want
 just the DN). So I'm not sure why it is querying all the attributes. I
 would suspect that the proper behavior would be to only check the ACIs
 on attributes that will actually be returned.

 2. The second patch (0002) modifies the ACI for normal user token
 addition from this:

 aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter
 = (objectClass=ipaToken))(version 3.0; acl Users can create
 self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and
 userattr = managedBy#SELFDN;)

 To this:

 aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
 $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
 Users can create self-managed tokens; allow (add) userattr =
 ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

 The idea is to allow users to create tokens which will be expanded by
 the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs are
 checked. Since the expanded UUID no longer matches the ACI, the addition
 is denied. Is this truly the correct behavior? I would think that the
 ACIs would be checked before the UUID plugin, not after.

Given the number of issues we have with this patch on the DS side, it is likely
we will need to go some simpler way for FreeIPA 4.1, in terms just of hiding
the option where appropriate.

Also, few comments to your current patch set (though the patches themselves
will probably not land in 4.1):

Patch 0001:
- while it may work (after DS fixes), it adds PostRead for all our commands,
not just otptoken-add. I would rather have some attribute like
read_dn_from_postread on LDAPObject which defaults to False to make sure
there is no regression or performance hit with other LDAP calls.
- Wider adoption of the PostRead call would be left for future, when we stop
doing post-execute LDAP read call and only rely on PostRead result.

Patch 0002:
- cn=IPA Token Unique IDs,cn=IPA UUID,cn=plugins,cn=config should be created
in LDAP update files only. Currently it will not be created on upgrades.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Mon, 2014-10-13 at 12:39 +0200, Martin Kosek wrote:
 On 10/10/2014 05:43 PM, Nathaniel McCallum wrote:
  As a result of this ongoing conversation, I have opened two 389 bugs:
  
  1. Post Read - https://fedorahosted.org/389/ticket/47924
  2. UUID ACIs - https://fedorahosted.org/389/ticket/47925
  
  On Wed, 2014-10-08 at 17:46 -0400, Nathaniel McCallum wrote:
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
 
  Attached are two patches which solve this issue for admin users (not
  very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
 
  There are two outstanding issues:
 
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
 
  The relevant sections from the log are attached. 389 is denying access
  to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
 
  The ACIs allowing access to most of these attributes are here:
  https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
  Note that I am able to query the entry just fine (including all the
  above invalidly restricted attributes). Hence, I know the ACIs are
  working just fine.
 
  Part of the strange thing is that in the post read control request, I
  haven't indicated that I want *any* attributes returned (i.e. I want
  just the DN). So I'm not sure why it is querying all the attributes. I
  would suspect that the proper behavior would be to only check the ACIs
  on attributes that will actually be returned.
 
  2. The second patch (0002) modifies the ACI for normal user token
  addition from this:
 
  aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter
  = (objectClass=ipaToken))(version 3.0; acl Users can create
  self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and
  userattr = managedBy#SELFDN;)
 
  To this:
 
  aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
  $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
  Users can create self-managed tokens; allow (add) userattr =
  ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
  The idea is to allow users to create tokens which will be expanded by
  the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs are
  checked. Since the expanded UUID no longer matches the ACI, the addition
  is denied. Is this truly the correct behavior? I would think that the
  ACIs would be checked before the UUID plugin, not after.
 
 Given the number of issues we have with this patch on the DS side, it is 
 likely
 we will need to go some simpler way for FreeIPA 4.1, in terms just of hiding
 the option where appropriate.

We have solved the first DS issue via a sensible workaround. Attached
are two new patches. These take into account your feedback below and
incorporate the aforementioned workaround.

The only thing these patches lack is the tightening of the ACI (problem
#2 in the first email). Merging these patches I believe provides
benefits over our current code, even though we don't get the final
benefit of forcing normal users to use autogeneration.

If we test/merge these now, then when the second DS problem is solved,
we can simply update the ACI independently via a trivial second patch
(s/\*/autogenerate/).

 Also, few comments to your current patch set (though the patches themselves
 will probably not land in 4.1):
 
 Patch 0001:
 - while it may work (after DS fixes), it adds PostRead for all our commands,
 not just otptoken-add. I would rather have some attribute like
 read_dn_from_postread on LDAPObject which defaults to False to make sure
 there is no regression or performance hit with other LDAP calls.

In the new code, we actually get a performance gain as the manual post
read is eliminated if the post read control is successful. Only one
issue can arise, which is when the post read control evaluates ACIs in a
different context than a normal manual read. This problem is well known
and is trivial to fix (s/USERDN/SELFDN/).

 - Wider adoption of the PostRead call would be left for future, when we stop
 doing post-execute LDAP read call and only rely on PostRead result.

This is already integrated.

 Patch 0002:
 - cn=IPA Token Unique IDs,cn=IPA UUID,cn=plugins,cn=config should be created
 in LDAP update files only. Currently it will not be created on upgrades.

Fixed.

I believe the following patches are ready for review. Should we review
on this thread? Or should I create separate threads for the patches?

Nathaniel
From ae10d13b3f5e3f9635463d38f72d8a0f06f6ffbe Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Wed, 8 Oct 2014 14:39:18 -0400
Subject: [PATCH 1/2] Use post read control on add operations

By adding the post read control, we gain two 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[thierry bordaz]

On 10/09/2014 10:51 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 22:22 +0200, thierry bordaz wrote:

On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:


On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can access
  attributes.

Agreed and understood.


  My understanding is that the target entry is
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token info; allow (read, search, 
compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question... I will  try to reproduce

Thanks!

Hello,

 I tried to reproduce and it seems to work on *master*.
 I am using the attached ldif file.
 The test case is to bind as cn=active
 guy,cn=accounts,dc=example,dc=com and to do a modify on
 cn=active otp,cn=otp,dc=example,dc=com.
 
 The modify updates the 'description' attribute and do a

 postread (description, cn).
 
 The write 'description' is allowed by :

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson))(target =
 ldap:///c
  n=*,cn=otp,dc=example,dc=com)(targetattr =
 objectclass || description || se
  eAlso)(version 3.0; acl Active user modify otp
 entry; allow (write) userdn
   = ldap:///cn=active
 guy,cn=accounts,dc=example,dc=com;)
 
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(19)  Active user modify otp
 entry
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow write on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(description) to
 cn=active guy,cn=accounts,dc=example,dc=com: allowed
 by aci(19): aciname= Active user modify otp entry,
 acidn=cn=otp,dc=example,dc=com
 
 
 The postread is allowed by:

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson)) (targetattr =
 obje
  ctclass || description || seeAlso || cn)(version
 3.0; acl Active user can r
  ead his entries; allow (read, search, compare)
 userattr = seeAlso#USERDN;)
 
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(21)  Active user can read his
 entries
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ
 ALLOW in cache
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow read on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active
 guy,cn=accounts,dc=example,dc=com: cached allow by
 aci(21)
 
 The postread works if I use USERDN or SELFDN.
 
 Please let me know the version of 389-ds that you are testing,

 I will try on that branch

That is not really the same test at all.

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/10/2014 03:58 PM, thierry bordaz wrote:

On 10/09/2014 10:51 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 22:22 +0200, thierry bordaz wrote:

On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:


On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can access
  attributes.

Agreed and understood.


  My understanding is that the target entry is
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token info; allow (read, search, 
compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question... I will  try to reproduce

Thanks!

Hello,

 I tried to reproduce and it seems to work on *master*.
 I am using the attached ldif file.
 The test case is to bind as cn=active
 guy,cn=accounts,dc=example,dc=com and to do a modify on
 cn=active otp,cn=otp,dc=example,dc=com.
 
 The modify updates the 'description' attribute and do a

 postread (description, cn).
 
 The write 'description' is allowed by :

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson))(target =
 ldap:///c
  n=*,cn=otp,dc=example,dc=com)(targetattr =
 objectclass || description || se
  eAlso)(version 3.0; acl Active user modify otp
 entry; allow (write) userdn
   =ldap:///cn=active
 guy,cn=accounts,dc=example,dc=com;)
 
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(19)  Active user modify otp
 entry
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow write on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(description) to
 cn=active guy,cn=accounts,dc=example,dc=com: allowed
 by aci(19): aciname= Active user modify otp entry,
 acidn=cn=otp,dc=example,dc=com
 
 
 The postread is allowed by:

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson)) (targetattr =
 obje
  ctclass || description || seeAlso || cn)(version
 3.0; acl Active user can r
  ead his entries; allow (read, search, compare)
 userattr = seeAlso#USERDN;)
 
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(21)  Active user can read his
 entries
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ
 ALLOW in cache
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow read on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active
 guy,cn=accounts,dc=example,dc=com: cached allow by
 aci(21)
 
 The postread works if I use USERDN or SELFDN.
 
 Please let me know the version of 389-ds that you are testing,

 I will try on that 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[thierry bordaz]

On 10/10/2014 04:38 PM, Ludwig Krispenz wrote:


On 10/10/2014 03:58 PM, thierry bordaz wrote:

On 10/09/2014 10:51 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 22:22 +0200, thierry bordaz wrote:

On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:


On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can access
  attributes.

Agreed and understood.


  My understanding is that the target entry is
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token info; allow (read, search, 
compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question... I will  try to reproduce

Thanks!

Hello,

 I tried to reproduce and it seems to work on *master*.
 I am using the attached ldif file.
 The test case is to bind as cn=active
 guy,cn=accounts,dc=example,dc=com and to do a modify on
 cn=active otp,cn=otp,dc=example,dc=com.
 
 The modify updates the 'description' attribute and do a

 postread (description, cn).
 
 The write 'description' is allowed by :

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson))(target =
 ldap:///c
  n=*,cn=otp,dc=example,dc=com)(targetattr =
 objectclass || description || se
  eAlso)(version 3.0; acl Active user modify otp
 entry; allow (write) userdn
   =ldap:///cn=active
 guy,cn=accounts,dc=example,dc=com;)
 
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(19)  Active user modify otp
 entry
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow write on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(description) to
 cn=active guy,cn=accounts,dc=example,dc=com: allowed
 by aci(19): aciname= Active user modify otp entry,
 acidn=cn=otp,dc=example,dc=com
 
 
 The postread is allowed by:

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson)) (targetattr =
 obje
  ctclass || description || seeAlso || cn)(version
 3.0; acl Active user can r
  ead his entries; allow (read, search, compare)
 userattr = seeAlso#USERDN;)
 
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(21)  Active user can read his
 entries
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ
 ALLOW in cache
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow read on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active
 guy,cn=accounts,dc=example,dc=com: cached allow by
 aci(21)
 
 The postread works if I use USERDN or SELFDN.
 
 Please let me know the version of 389-ds that 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/10/2014 05:16 PM, thierry bordaz wrote:

On 10/10/2014 04:38 PM, Ludwig Krispenz wrote:


On 10/10/2014 03:58 PM, thierry bordaz wrote:

On 10/09/2014 10:51 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 22:22 +0200, thierry bordaz wrote:

On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:


On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can access
  attributes.

Agreed and understood.


  My understanding is that the target entry is
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token info; allow (read, search, 
compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question... I will  try to reproduce

Thanks!

Hello,

 I tried to reproduce and it seems to work on *master*.
 I am using the attached ldif file.
 The test case is to bind as cn=active
 guy,cn=accounts,dc=example,dc=com and to do a modify on
 cn=active otp,cn=otp,dc=example,dc=com.
 
 The modify updates the 'description' attribute and do a

 postread (description, cn).
 
 The write 'description' is allowed by :

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson))(target =
 ldap:///c
  n=*,cn=otp,dc=example,dc=com)(targetattr =
 objectclass || description || se
  eAlso)(version 3.0; acl Active user modify otp
 entry; allow (write) userdn
   =ldap:///cn=active
 guy,cn=accounts,dc=example,dc=com;)
 
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(19)  Active user modify otp
 entry
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow write on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(description) to
 cn=active guy,cn=accounts,dc=example,dc=com: allowed
 by aci(19): aciname= Active user modify otp entry,
 acidn=cn=otp,dc=example,dc=com
 
 
 The postread is allowed by:

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson)) (targetattr =
 obje
  ctclass || description || seeAlso || cn)(version
 3.0; acl Active user can r
  ead his entries; allow (read, search, compare)
 userattr = seeAlso#USERDN;)
 
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(21)  Active user can read his
 entries
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ
 ALLOW in cache
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow read on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active
 guy,cn=accounts,dc=example,dc=com: cached allow by
 aci(21)
 
 The postread works if I use USERDN or SELFDN.
 
 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Fri, 2014-10-10 at 17:30 +0200, Ludwig Krispenz wrote:
 
 On 10/10/2014 05:16 PM, thierry bordaz wrote:
 
  On 10/10/2014 04:38 PM, Ludwig Krispenz wrote:
  
   
   On 10/10/2014 03:58 PM, thierry bordaz wrote:
   
On 10/09/2014 10:51 PM, Nathaniel McCallum wrote:

 On Thu, 2014-10-09 at 22:22 +0200, thierry bordaz wrote:
  On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:
  
   On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:
On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
 On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
  On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
  
   The background of this email is this bug:
   https://fedorahosted.org/freeipa/ticket/4456
   
   Attached are two patches which solve this issue for admin 
   users (not
   very helpful, I know). They depend on this fix in 389:
   https://fedorahosted.org/389/ticket/47920
   
   There are two outstanding issues:
   
   1. 389 does not send the post read control for normal 
   users. The
   operation itself succeeds, but no control is sent.
   
   The relevant sections from the log are attached. 389 is 
   denying access
   to the following attributes (* = valid, ! = invalid):
   ! objectClass
   ! ipatokenOTPalgorithm
   ! ipatokenOTPdigits
   * ipatokenOTPkey
   * ipatokenHOTPcounter
   ! ipatokenOwner
   ! managedBy
   ! ipatokenUniqueID
  Hello Nathaniel,
  
   The post read control needs access to the modified 
  entry to
   return it.
   This access is granted at the condition, the 
  binddn can access
   attributes.
 Agreed and understood.
 
   My understanding is that the target entry is
   
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
   and the binddn 
  uid=otp,cn=users,cn=accounts,dc=example,dc=com.
 Correct.
 
   The only ACI I found that match this target is:
   aci: (targetfilter = (objectClass=ipaToken))
   (targetattrs = objectclass || description || 
  managedBy || ipatokenUniqueID || ipatokenDisabled
|| ipatokenNotBefore || ipatokenNotAfter || 
  ipatokenVendor || ipatokenModel || ipatokenSerial || 
  ipatokenOwner)
   (version 3.0; acl Users/managers can read basic 
  token info; allow (read, search, compare) userattr = 
  ipatokenOwner#USERDN or userattr = managedBy#USERDN;)
 Correct.
 
   Do you know if the target entry has 
  'ipatokenOwner' or
   'managedBy' with the binddn value ?
 Yes, both. So why is access to objectClass (et cetera) being 
 denied?
Good question... I will  try to reproduce
   Thanks!
  Hello,
  
  I tried to reproduce and it seems to work on *master*.
  I am using the attached ldif file. 
  The test case is to bind as cn=active
  guy,cn=accounts,dc=example,dc=com and to do a modify on
  cn=active otp,cn=otp,dc=example,dc=com.
  
  The modify updates the 'description' attribute and do a
  postread (description, cn).
  
  The write 'description' is allowed by :
  dn: cn=otp,dc=example,dc=com
  aci: (targetfilter =
  (objectclass=organizationalPerson))(target =
  ldap:///c
   n=*,cn=otp,dc=example,dc=com)(targetattr =
  objectclass || description || se
   eAlso)(version 3.0; acl Active user modify otp
  entry; allow (write) userdn
= ldap:///cn=active
  guy,cn=accounts,dc=example,dc=com;)
  
  [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1.
  Evaluating ALLOW aci(19)  Active user modify otp
  entry
  [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2
  op=16 (main): Allow write on entry(cn=active
  otp,cn=otp,dc=example,dc=com).attr(description) to
  cn=active guy,cn=accounts,dc=example,dc=com: allowed
  by aci(19): aciname= Active user modify otp entry,
  acidn=cn=otp,dc=example,dc=com
  
  
  The postread is allowed by: 
  dn: cn=otp,dc=example,dc=com
  aci: (targetfilter =
  

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

https://fedorahosted.org/389/ticket/47924


  is it possible to reproduce without IPA ?

Perhaps. You'd need the OTP schema and ACIs from FreeIPA, unless you can
find another way to reproduce it.
well, did think about it again, we probaly also would need all the 
plugins, so could be difficult



Something curious going on that make ACL_EvalTestRights return
something different that ACL_RES_ALLOW.

 
 Did you already open a ticket for this problem ?
 
 thanks

 thierry




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Fri, 2014-10-10 at 17:38 +0200, Ludwig Krispenz wrote:
  https://fedorahosted.org/389/ticket/47924
 
is it possible to reproduce without IPA ?
  Perhaps. You'd need the OTP schema and ACIs from FreeIPA, unless you can
  find another way to reproduce it.
 well, did think about it again, we probaly also would need all the 
 plugins, so could be difficult

I'm not sure you need plugins. You do to make OTP authentication work.
But we don't care about that. We just care if add returns the post read
control. That should be doable with just schema and ACIs.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[thierry bordaz]

On 10/10/2014 05:30 PM, Ludwig Krispenz wrote:


On 10/10/2014 05:16 PM, thierry bordaz wrote:

On 10/10/2014 04:38 PM, Ludwig Krispenz wrote:


On 10/10/2014 03:58 PM, thierry bordaz wrote:

On 10/09/2014 10:51 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 22:22 +0200, thierry bordaz wrote:

On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:


On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can access
  attributes.

Agreed and understood.


  My understanding is that the target entry is
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token info; allow (read, search, 
compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question... I will  try to reproduce

Thanks!

Hello,

 I tried to reproduce and it seems to work on *master*.
 I am using the attached ldif file.
 The test case is to bind as cn=active
 guy,cn=accounts,dc=example,dc=com and to do a modify on
 cn=active otp,cn=otp,dc=example,dc=com.
 
 The modify updates the 'description' attribute and do a

 postread (description, cn).
 
 The write 'description' is allowed by :

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson))(target =
 ldap:///c
  n=*,cn=otp,dc=example,dc=com)(targetattr =
 objectclass || description || se
  eAlso)(version 3.0; acl Active user modify otp
 entry; allow (write) userdn
   =ldap:///cn=active
 guy,cn=accounts,dc=example,dc=com;)
 
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(19)  Active user modify otp
 entry
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow write on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(description) to
 cn=active guy,cn=accounts,dc=example,dc=com: allowed
 by aci(19): aciname= Active user modify otp entry,
 acidn=cn=otp,dc=example,dc=com
 
 
 The postread is allowed by:

 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson)) (targetattr =
 obje
  ctclass || description || seeAlso || cn)(version
 3.0; acl Active user can r
  ead his entries; allow (read, search, compare)
 userattr = seeAlso#USERDN;)
 
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1.

 Evaluating ALLOW aci(21)  Active user can read his
 entries
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ
 ALLOW in cache
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow read on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active
 guy,cn=accounts,dc=example,dc=com: cached allow by
 aci(21)
 
 The postread 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

As a result of this ongoing conversation, I have opened two 389 bugs:

1. Post Read - https://fedorahosted.org/389/ticket/47924
2. UUID ACIs - https://fedorahosted.org/389/ticket/47925

On Wed, 2014-10-08 at 17:46 -0400, Nathaniel McCallum wrote:
 The background of this email is this bug:
 https://fedorahosted.org/freeipa/ticket/4456
 
 Attached are two patches which solve this issue for admin users (not
 very helpful, I know). They depend on this fix in 389:
 https://fedorahosted.org/389/ticket/47920
 
 There are two outstanding issues:
 
 1. 389 does not send the post read control for normal users. The
 operation itself succeeds, but no control is sent.
 
 The relevant sections from the log are attached. 389 is denying access
 to the following attributes (* = valid, ! = invalid):
 ! objectClass
 ! ipatokenOTPalgorithm
 ! ipatokenOTPdigits
 * ipatokenOTPkey
 * ipatokenHOTPcounter
 ! ipatokenOwner
 ! managedBy
 ! ipatokenUniqueID
 
 The ACIs allowing access to most of these attributes are here:
 https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
 Note that I am able to query the entry just fine (including all the
 above invalidly restricted attributes). Hence, I know the ACIs are
 working just fine.
 
 Part of the strange thing is that in the post read control request, I
 haven't indicated that I want *any* attributes returned (i.e. I want
 just the DN). So I'm not sure why it is querying all the attributes. I
 would suspect that the proper behavior would be to only check the ACIs
 on attributes that will actually be returned.
 
 2. The second patch (0002) modifies the ACI for normal user token
 addition from this:
 
 aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter
 = (objectClass=ipaToken))(version 3.0; acl Users can create
 self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and
 userattr = managedBy#SELFDN;)
 
 To this:
 
 aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
 $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
 Users can create self-managed tokens; allow (add) userattr =
 ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
 The idea is to allow users to create tokens which will be expanded by
 the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs are
 checked. Since the expanded UUID no longer matches the ACI, the addition
 is denied. Is this truly the correct behavior? I would think that the
 ACIs would be checked before the UUID plugin, not after.
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Simo Sorce]

On Fri, 10 Oct 2014 17:38:46 +0200
Ludwig Krispenz lkris...@redhat.com wrote:

 
  https://fedorahosted.org/389/ticket/47924
 
is it possible to reproduce without IPA ?
  Perhaps. You'd need the OTP schema and ACIs from FreeIPA, unless
  you can find another way to reproduce it.
 well, did think about it again, we probaly also would need all the 
 plugins, so could be difficult

Just a wild guess, for some reason the post-read evaluation is using
some cached evaluation of the add.
I think the key part here is that we *change* the DN which is key part
in determining the access control.

I wounder if you can reproduce in 389ds using the DNA plugin ?
Use the magic value to generate a number and use the value in the add
and read ACIs so that the ADD works only with the magic value.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

aci: (targetfilter = (objectClass=ipaToken))(targetattrs =
objectclass || d
 escription || managedBy || ipatokenUniqueID ||
ipatokenDisabled || ipatokenNo
 tBefore || ipatokenNotAfter || ipatokenVendor ||
ipatokenModel || ipatokenSer
 ial || ipatokenOwner)(version 3.0; acl *Users/managers
can read basic token*
 info; allow (read, search, compare) userattr =
ipatokenOwner#USERDN or use
 rattr = managedBy#USERDN;)

...
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Processed
attr:managedBy for
entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 1. Evaluating
ALLOW aci(11)  *Users/managers can read basic token info*
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP
in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 2. Evaluating
ALLOW aci(19)  Admin can manage any entry
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP
in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - conn=29 op=1
(main): Deny read on
entry(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com).attr(managedBy)
to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci
matched the subject by aci(19): aciname= Admin can manage
any entry, acidn=dc=example,dc=com
[09/Oct/2014:21:34:59 -0400] - process_read_entry_controls:
access to entry not allowed
(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com)

But for some reason, it evaluations of the READ access was not
accepted.

the key is READ SKIP, looks like it is using cached evaluation of the 
acis, where the aci did not apply. aci caching is 


Exact.
well, I think I've been a bit too fast, the READ SKIP is only logged 
from the second attribute on, so caching was ok, but the wrong result 
was cached. What really is strange is these lines:


[09/Oct/2014:21:34:58 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11)  
Users/managers can read basic token info

[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Attr:ipatokenOwner
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - ACL info: userdnattr does not 
allow ADD permission at level 0.
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Returning UNDEFINED for 
userdnattr evaluation.


why ADD, why UNDEFINED ?

Now If I create two entries x/y and their associated ipatoken 
tokenX/tokenY and play updating

x update tokenX then y updates tokenY
x update tokenX then x updates tokenY
y update tokenY then x updates tokenX
...
each time I got the postread.

Something curious going on that make ACL_EvalTestRights return 
something different that ACL_RES_ALLOW.




Did you already open a ticket for this problem ?

thanks
thierry







___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[thierry bordaz]

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:

The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

   The post read control needs access to the modified entry to return it.
   This access is granted at the condition, the binddn can access
   attributes.
   My understanding is that the target entry is
   
ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
   and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

   The only ACI I found that match this target is:

   |aci: (targetfilter=  (objectClass=ipaToken))
   (targetattrs=  objectclass || description || managedBy || ipatokenUniqueID 
|| ipatokenDisabled
 || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || 
ipatokenSerial || ipatokenOwner)
   (version3.0;  aclUsers/managers can read basic token info;  allow(read,  search,  compare)  
userattr=  ipatokenOwner#USERDN  or userattr=  managedBy#USERDN;)|


   Do you know if the target entry has 'ipatokenOwner' or 'managedBy'
   with the binddn value ?



The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.


   It may not querying all attributes, but just search the first one it
   can read.
   As it finds none of them you get the message for all attributes.

   thanks
   thierry



2. The second patch (0002) modifies the ACI for normal user token
addition from this:

aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter
= (objectClass=ipaToken))(version 3.0; acl Users can create
self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and
userattr = managedBy#SELFDN;)

To this:

aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
$SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
Users can create self-managed tokens; allow (add) userattr =
ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

The idea is to allow users to create tokens which will be expanded by
the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs are
checked. Since the expanded UUID no longer matches the ACI, the addition
is denied. Is this truly the correct behavior? I would think that the
ACIs would be checked before the UUID plugin, not after.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Simo Sorce]

On Wed, 08 Oct 2014 17:46:01 -0400
Nathaniel McCallum npmccal...@redhat.com wrote:

 The background of this email is this bug:
 https://fedorahosted.org/freeipa/ticket/4456
 
 Attached are two patches which solve this issue for admin users (not
 very helpful, I know). They depend on this fix in 389:
 https://fedorahosted.org/389/ticket/47920
 
 There are two outstanding issues:
 
 1. 389 does not send the post read control for normal users. The
 operation itself succeeds, but no control is sent.
 
 The relevant sections from the log are attached. 389 is denying access
 to the following attributes (* = valid, ! = invalid):
 ! objectClass
 ! ipatokenOTPalgorithm
 ! ipatokenOTPdigits
 * ipatokenOTPkey
 * ipatokenHOTPcounter
 ! ipatokenOwner
 ! managedBy
 ! ipatokenUniqueID
 
 The ACIs allowing access to most of these attributes are here:
 https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
 Note that I am able to query the entry just fine (including all the
 above invalidly restricted attributes). Hence, I know the ACIs are
 working just fine.
 
 Part of the strange thing is that in the post read control request, I
 haven't indicated that I want *any* attributes returned (i.e. I want
 just the DN). So I'm not sure why it is querying all the attributes. I
 would suspect that the proper behavior would be to only check the ACIs
 on attributes that will actually be returned.

Can you show an example ldif ?
I wonder if you are setting the owner ?

 2. The second patch (0002) modifies the ACI for normal user token
 addition from this:
 
 aci: (target =
 ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
 (objectClass=ipaToken))(version 3.0; acl Users can create
 self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN
 and userattr = managedBy#SELFDN;)
 
 To this:
 
 aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
 $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
 Users can create self-managed tokens; allow (add) userattr =
 ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
 The idea is to allow users to create tokens which will be expanded by
 the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs
 are checked. Since the expanded UUID no longer matches the ACI, the
 addition is denied. Is this truly the correct behavior? I would think
 that the ACIs would be checked before the UUID plugin, not after.

I would expect the same, can someone on the DS team comment ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/09/2014 03:13 PM, Simo Sorce wrote:

On Wed, 08 Oct 2014 17:46:01 -0400
Nathaniel McCallum npmccal...@redhat.com wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.

Can you show an example ldif ?
I wonder if you are setting the owner ?


2. The second patch (0002) modifies the ACI for normal user token
addition from this:

aci: (target =
ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
(objectClass=ipaToken))(version 3.0; acl Users can create
self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN
and userattr = managedBy#SELFDN;)

To this:

aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
$SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
Users can create self-managed tokens; allow (add) userattr =
ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

The idea is to allow users to create tokens which will be expanded by
the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs
are checked. Since the expanded UUID no longer matches the ACI, the
addition is denied. Is this truly the correct behavior? I would think
that the ACIs would be checked before the UUID plugin, not after.

I would expect the same, can someone on the DS team comment ?
acis are always applied before the entry is sent to the client. the 
control is added when the result is sent and for the postop control it 
gets the POST_OP entry and checks read access to teh entry




Simo.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Simo Sorce]

On Thu, 09 Oct 2014 16:06:06 +0200
Ludwig Krispenz lkris...@redhat.com wrote:

 
 On 10/09/2014 03:13 PM, Simo Sorce wrote:
  On Wed, 08 Oct 2014 17:46:01 -0400
  Nathaniel McCallum npmccal...@redhat.com wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
 
  Attached are two patches which solve this issue for admin users
  (not very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
 
  There are two outstanding issues:
 
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
 
  The relevant sections from the log are attached. 389 is denying
  access to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
 
  The ACIs allowing access to most of these attributes are here:
  https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
  Note that I am able to query the entry just fine (including all the
  above invalidly restricted attributes). Hence, I know the ACIs are
  working just fine.
 
  Part of the strange thing is that in the post read control
  request, I haven't indicated that I want *any* attributes returned
  (i.e. I want just the DN). So I'm not sure why it is querying all
  the attributes. I would suspect that the proper behavior would be
  to only check the ACIs on attributes that will actually be
  returned.
  Can you show an example ldif ?
  I wonder if you are setting the owner ?
 
  2. The second patch (0002) modifies the ACI for normal user token
  addition from this:
 
  aci: (target =
  ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
  (objectClass=ipaToken))(version 3.0; acl Users can create
  self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN
  and userattr = managedBy#SELFDN;)
 
  To this:
 
  aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
  $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
  Users can create self-managed tokens; allow (add) userattr =
  ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
  The idea is to allow users to create tokens which will be expanded
  by the UUID plugin. Unfortunately, after the UUID is expanded, the
  ACIs are checked. Since the expanded UUID no longer matches the
  ACI, the addition is denied. Is this truly the correct behavior? I
  would think that the ACIs would be checked before the UUID plugin,
  not after.
  I would expect the same, can someone on the DS team comment ?
 acis are always applied before the entry is sent to the client. the 
 control is added when the result is sent and for the postop control
 it gets the POST_OP entry and checks read access to teh entry

So you think the whole add was denied because the post-read couldn't
read back the entry ?
Then fixing the read-related issue is all we need ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/09/2014 04:27 PM, Simo Sorce wrote:

On Thu, 09 Oct 2014 16:06:06 +0200
Ludwig Krispenz lkris...@redhat.com wrote:


On 10/09/2014 03:13 PM, Simo Sorce wrote:

On Wed, 08 Oct 2014 17:46:01 -0400
Nathaniel McCallum npmccal...@redhat.com wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users
(not very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying
access to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control
request, I haven't indicated that I want *any* attributes returned
(i.e. I want just the DN). So I'm not sure why it is querying all
the attributes. I would suspect that the proper behavior would be
to only check the ACIs on attributes that will actually be
returned.

Can you show an example ldif ?
I wonder if you are setting the owner ?


2. The second patch (0002) modifies the ACI for normal user token
addition from this:

aci: (target =
ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
(objectClass=ipaToken))(version 3.0; acl Users can create
self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN
and userattr = managedBy#SELFDN;)

To this:

aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
$SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
Users can create self-managed tokens; allow (add) userattr =
ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

The idea is to allow users to create tokens which will be expanded
by the UUID plugin. Unfortunately, after the UUID is expanded, the
ACIs are checked. Since the expanded UUID no longer matches the
ACI, the addition is denied. Is this truly the correct behavior? I
would think that the ACIs would be checked before the UUID plugin,
not after.

I would expect the same, can someone on the DS team comment ?

acis are always applied before the entry is sent to the client. the
control is added when the result is sent and for the postop control
it gets the POST_OP entry and checks read access to teh entry

So you think the whole add was denied because the post-read couldn't
read back the entry ?
as far as I understood Nathaniel, the add succeeded, only the control 
was not returned

Then fixing the read-related issue is all we need ?

you need an aci allowing to read the postop entry


Simo.




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Simo Sorce]

On Thu, 09 Oct 2014 16:33:20 +0200
Ludwig Krispenz lkris...@redhat.com wrote:

 
 On 10/09/2014 04:27 PM, Simo Sorce wrote:
  On Thu, 09 Oct 2014 16:06:06 +0200
  Ludwig Krispenz lkris...@redhat.com wrote:
 
  On 10/09/2014 03:13 PM, Simo Sorce wrote:
  On Wed, 08 Oct 2014 17:46:01 -0400
  Nathaniel McCallum npmccal...@redhat.com wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
 
  Attached are two patches which solve this issue for admin users
  (not very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
 
  There are two outstanding issues:
 
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
 
  The relevant sections from the log are attached. 389 is denying
  access to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
 
  The ACIs allowing access to most of these attributes are here:
  https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
  Note that I am able to query the entry just fine (including all
  the above invalidly restricted attributes). Hence, I know the
  ACIs are working just fine.
 
  Part of the strange thing is that in the post read control
  request, I haven't indicated that I want *any* attributes
  returned (i.e. I want just the DN). So I'm not sure why it is
  querying all the attributes. I would suspect that the proper
  behavior would be to only check the ACIs on attributes that will
  actually be returned.
  Can you show an example ldif ?
  I wonder if you are setting the owner ?
 
  2. The second patch (0002) modifies the ACI for normal user token
  addition from this:
 
  aci: (target =
  ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
  (objectClass=ipaToken))(version 3.0; acl Users can create
  self-managed tokens; allow (add) userattr =
  ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
  To this:
 
  aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
  $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0;
  acl Users can create self-managed tokens; allow (add) userattr
  = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
  The idea is to allow users to create tokens which will be
  expanded by the UUID plugin. Unfortunately, after the UUID is
  expanded, the ACIs are checked. Since the expanded UUID no
  longer matches the ACI, the addition is denied. Is this truly
  the correct behavior? I would think that the ACIs would be
  checked before the UUID plugin, not after.
  I would expect the same, can someone on the DS team comment ?
  acis are always applied before the entry is sent to the client. the
  control is added when the result is sent and for the postop control
  it gets the POST_OP entry and checks read access to teh entry
  So you think the whole add was denied because the post-read couldn't
  read back the entry ?
 as far as I understood Nathaniel, the add succeeded, only the control 
 was not returned
  Then fixing the read-related issue is all we need ?
 you need an aci allowing to read the postop entry

Btw we could add userattr = creatorsName#SELFDN to the read ACI so that
ipatokenOwner/managedby are not strictly needed for post-read ?
Does it make sense to do ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/09/2014 04:47 PM, Simo Sorce wrote:

On Thu, 09 Oct 2014 16:33:20 +0200
Ludwig Krispenz lkris...@redhat.com wrote:


On 10/09/2014 04:27 PM, Simo Sorce wrote:

On Thu, 09 Oct 2014 16:06:06 +0200
Ludwig Krispenz lkris...@redhat.com wrote:


On 10/09/2014 03:13 PM, Simo Sorce wrote:

On Wed, 08 Oct 2014 17:46:01 -0400
Nathaniel McCallum npmccal...@redhat.com wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users
(not very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying
access to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all
the above invalidly restricted attributes). Hence, I know the
ACIs are working just fine.

Part of the strange thing is that in the post read control
request, I haven't indicated that I want *any* attributes
returned (i.e. I want just the DN). So I'm not sure why it is
querying all the attributes. I would suspect that the proper
behavior would be to only check the ACIs on attributes that will
actually be returned.

Can you show an example ldif ?
I wonder if you are setting the owner ?


2. The second patch (0002) modifies the ACI for normal user token
addition from this:

aci: (target =
ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
(objectClass=ipaToken))(version 3.0; acl Users can create
self-managed tokens; allow (add) userattr =
ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

To this:

aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
$SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0;
acl Users can create self-managed tokens; allow (add) userattr
= ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

The idea is to allow users to create tokens which will be
expanded by the UUID plugin. Unfortunately, after the UUID is
expanded, the ACIs are checked. Since the expanded UUID no
longer matches the ACI, the addition is denied. Is this truly
the correct behavior? I would think that the ACIs would be
checked before the UUID plugin, not after.

I would expect the same, can someone on the DS team comment ?

acis are always applied before the entry is sent to the client. the
control is added when the result is sent and for the postop control
it gets the POST_OP entry and checks read access to teh entry

So you think the whole add was denied because the post-read couldn't
read back the entry ?

as far as I understood Nathaniel, the add succeeded, only the control
was not returned

Then fixing the read-related issue is all we need ?

you need an aci allowing to read the postop entry

Btw we could add userattr = creatorsName#SELFDN to the read ACI so that
ipatokenOwner/managedby are not strictly needed for post-read ?
Does it make sense to do ?
I'm not sure, are there cases when tokenOwner is not set or different 
from selfdn ? Could anyone else create the token for another user (an 
admin )?
I don't see what the entry really looked like when trying to create the 
control, and who was self in that scenario. In Nathaniel's post access 
was denied to uid=otp, is this the tokenwoner ?




Simo.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Thu, 2014-10-09 at 16:33 +0200, Ludwig Krispenz wrote:
 On 10/09/2014 04:27 PM, Simo Sorce wrote:
  On Thu, 09 Oct 2014 16:06:06 +0200
  Ludwig Krispenz lkris...@redhat.com wrote:
 
  On 10/09/2014 03:13 PM, Simo Sorce wrote:
  On Wed, 08 Oct 2014 17:46:01 -0400
  Nathaniel McCallum npmccal...@redhat.com wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
 
  Attached are two patches which solve this issue for admin users
  (not very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
 
  There are two outstanding issues:
 
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
 
  The relevant sections from the log are attached. 389 is denying
  access to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
 
  The ACIs allowing access to most of these attributes are here:
  https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
  Note that I am able to query the entry just fine (including all the
  above invalidly restricted attributes). Hence, I know the ACIs are
  working just fine.
 
  Part of the strange thing is that in the post read control
  request, I haven't indicated that I want *any* attributes returned
  (i.e. I want just the DN). So I'm not sure why it is querying all
  the attributes. I would suspect that the proper behavior would be
  to only check the ACIs on attributes that will actually be
  returned.
  Can you show an example ldif ?
  I wonder if you are setting the owner ?

This is the ldif I used:
dn: ipatokenuniqueid=autogenerate,cn=otp,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ipaToken
objectClass: ipaTokenHOTP
ipatokenUniqueID: autogenerate
ipatokenOTPalgorithm: sha1
ipatokenOTPdigits: 6
ipatokenOTPkey: 
ipatokenHOTPcounter: 0
ipatokenOwner: uid=otp,cn=users,cn=accounts,dc=example,dc=com
managedBy: uid=otp,cn=users,cn=accounts,dc=example,dc=com

  2. The second patch (0002) modifies the ACI for normal user token
  addition from this:
 
  aci: (target =
  ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
  (objectClass=ipaToken))(version 3.0; acl Users can create
  self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN
  and userattr = managedBy#SELFDN;)
 
  To this:
 
  aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
  $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
  Users can create self-managed tokens; allow (add) userattr =
  ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
  The idea is to allow users to create tokens which will be expanded
  by the UUID plugin. Unfortunately, after the UUID is expanded, the
  ACIs are checked. Since the expanded UUID no longer matches the
  ACI, the addition is denied. Is this truly the correct behavior? I
  would think that the ACIs would be checked before the UUID plugin,
  not after.
  I would expect the same, can someone on the DS team comment ?
  acis are always applied before the entry is sent to the client. the
  control is added when the result is sent and for the postop control
  it gets the POST_OP entry and checks read access to teh entry
  So you think the whole add was denied because the post-read couldn't
  read back the entry ?
 as far as I understood Nathaniel, the add succeeded, only the control 
 was not returned
  Then fixing the read-related issue is all we need ?
 you need an aci allowing to read the postop entry

No. Issue #2 is unrelated to issue #1. In issue #2, the add itself
fails.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/09/2014 05:51 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 16:33 +0200, Ludwig Krispenz wrote:

On 10/09/2014 04:27 PM, Simo Sorce wrote:

On Thu, 09 Oct 2014 16:06:06 +0200
Ludwig Krispenz lkris...@redhat.com wrote:


On 10/09/2014 03:13 PM, Simo Sorce wrote:

On Wed, 08 Oct 2014 17:46:01 -0400
Nathaniel McCallum npmccal...@redhat.com wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users
(not very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying
access to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control
request, I haven't indicated that I want *any* attributes returned
(i.e. I want just the DN). So I'm not sure why it is querying all
the attributes. I would suspect that the proper behavior would be
to only check the ACIs on attributes that will actually be
returned.

Can you show an example ldif ?
I wonder if you are setting the owner ?

This is the ldif I used:
dn: ipatokenuniqueid=autogenerate,cn=otp,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ipaToken
objectClass: ipaTokenHOTP
ipatokenUniqueID: autogenerate
ipatokenOTPalgorithm: sha1
ipatokenOTPdigits: 6
ipatokenOTPkey: 
ipatokenHOTPcounter: 0
ipatokenOwner: uid=otp,cn=users,cn=accounts,dc=example,dc=com
managedBy: uid=otp,cn=users,cn=accounts,dc=example,dc=com


2. The second patch (0002) modifies the ACI for normal user token
addition from this:

aci: (target =
ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
(objectClass=ipaToken))(version 3.0; acl Users can create
self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN
and userattr = managedBy#SELFDN;)

To this:

aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
$SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
Users can create self-managed tokens; allow (add) userattr =
ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

The idea is to allow users to create tokens which will be expanded
by the UUID plugin. Unfortunately, after the UUID is expanded, the
ACIs are checked. Since the expanded UUID no longer matches the
ACI, the addition is denied. Is this truly the correct behavior? I
would think that the ACIs would be checked before the UUID plugin,
not after.

I would expect the same, can someone on the DS team comment ?

acis are always applied before the entry is sent to the client. the
control is added when the result is sent and for the postop control
it gets the POST_OP entry and checks read access to teh entry

So you think the whole add was denied because the post-read couldn't
read back the entry ?

as far as I understood Nathaniel, the add succeeded, only the control
was not returned

Then fixing the read-related issue is all we need ?

you need an aci allowing to read the postop entry

No. Issue #2 is unrelated to issue #1. In issue #2, the add itself
fails.
is this because of the change from tokenuiqieid=* to 
tokenuniqueid=autogenerate in the aci, why not stick to*




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Thu, 2014-10-09 at 18:01 +0200, Ludwig Krispenz wrote:
 On 10/09/2014 05:51 PM, Nathaniel McCallum wrote:
  On Thu, 2014-10-09 at 16:33 +0200, Ludwig Krispenz wrote:
  On 10/09/2014 04:27 PM, Simo Sorce wrote:
  On Thu, 09 Oct 2014 16:06:06 +0200
  Ludwig Krispenz lkris...@redhat.com wrote:
 
  On 10/09/2014 03:13 PM, Simo Sorce wrote:
  On Wed, 08 Oct 2014 17:46:01 -0400
  Nathaniel McCallum npmccal...@redhat.com wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
 
  Attached are two patches which solve this issue for admin users
  (not very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
 
  There are two outstanding issues:
 
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
 
  The relevant sections from the log are attached. 389 is denying
  access to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
 
  The ACIs allowing access to most of these attributes are here:
  https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
  Note that I am able to query the entry just fine (including all the
  above invalidly restricted attributes). Hence, I know the ACIs are
  working just fine.
 
  Part of the strange thing is that in the post read control
  request, I haven't indicated that I want *any* attributes returned
  (i.e. I want just the DN). So I'm not sure why it is querying all
  the attributes. I would suspect that the proper behavior would be
  to only check the ACIs on attributes that will actually be
  returned.
  Can you show an example ldif ?
  I wonder if you are setting the owner ?
  This is the ldif I used:
  dn: ipatokenuniqueid=autogenerate,cn=otp,dc=example,dc=com
  changetype: add
  objectClass: top
  objectClass: ipaToken
  objectClass: ipaTokenHOTP
  ipatokenUniqueID: autogenerate
  ipatokenOTPalgorithm: sha1
  ipatokenOTPdigits: 6
  ipatokenOTPkey: 
  ipatokenHOTPcounter: 0
  ipatokenOwner: uid=otp,cn=users,cn=accounts,dc=example,dc=com
  managedBy: uid=otp,cn=users,cn=accounts,dc=example,dc=com
 
  2. The second patch (0002) modifies the ACI for normal user token
  addition from this:
 
  aci: (target =
  ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter =
  (objectClass=ipaToken))(version 3.0; acl Users can create
  self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN
  and userattr = managedBy#SELFDN;)
 
  To this:
 
  aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
  $SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
  Users can create self-managed tokens; allow (add) userattr =
  ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
 
  The idea is to allow users to create tokens which will be expanded
  by the UUID plugin. Unfortunately, after the UUID is expanded, the
  ACIs are checked. Since the expanded UUID no longer matches the
  ACI, the addition is denied. Is this truly the correct behavior? I
  would think that the ACIs would be checked before the UUID plugin,
  not after.
  I would expect the same, can someone on the DS team comment ?
  acis are always applied before the entry is sent to the client. the
  control is added when the result is sent and for the postop control
  it gets the POST_OP entry and checks read access to teh entry
  So you think the whole add was denied because the post-read couldn't
  read back the entry ?
  as far as I understood Nathaniel, the add succeeded, only the control
  was not returned
  Then fixing the read-related issue is all we need ?
  you need an aci allowing to read the postop entry
  No. Issue #2 is unrelated to issue #1. In issue #2, the add itself
  fails.
 is this because of the change from tokenuiqieid=* to 
 tokenuniqueid=autogenerate in the aci?

Yes.

  why not stick to*

Because all of this work is done precisely to change from * to
autogenerate. The goal is to make it so that ordinary users can only
create autogenerated token IDs while admins can specify their own custom
token IDs.

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
 On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
  
  Attached are two patches which solve this issue for admin users (not
  very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
  
  There are two outstanding issues:
  
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
  
  The relevant sections from the log are attached. 389 is denying access
  to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
 Hello Nathaniel,
 
 The post read control needs access to the modified entry to
 return it.
 This access is granted at the condition, the binddn can access
 attributes.

Agreed and understood.

 My understanding is that the target entry is
 
 ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
  and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.

 The only ACI I found that match this target is:
 aci: (targetfilter = (objectClass=ipaToken))
 (targetattrs = objectclass || description || managedBy || 
 ipatokenUniqueID || ipatokenDisabled 
  || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
 ipatokenModel || ipatokenSerial || ipatokenOwner)
 (version 3.0; acl Users/managers can read basic token info; allow 
 (read, search, compare) userattr = ipatokenOwner#USERDN or userattr = 
 managedBy#USERDN;)

Correct.

 Do you know if the target entry has 'ipatokenOwner' or
 'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

  The ACIs allowing access to most of these attributes are here:
  https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
  
  Note that I am able to query the entry just fine (including all the
  above invalidly restricted attributes). Hence, I know the ACIs are
  working just fine.
  
  Part of the strange thing is that in the post read control request, I
  haven't indicated that I want *any* attributes returned (i.e. I want
  just the DN). So I'm not sure why it is querying all the attributes. I
  would suspect that the proper behavior would be to only check the ACIs
  on attributes that will actually be returned.
 It may not querying all attributes, but just search the first
 one it can read.
 As it finds none of them you get the message for all
 attributes.

Right, but why iterate through all possible attributes? It should only
iterate through the attributes requested. Whether the user can read a
non-requested attribute or not is irrelevant because the attribute was
not requested.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[thierry bordaz]

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

 The post read control needs access to the modified entry to
 return it.
 This access is granted at the condition, the binddn can access
 attributes.

Agreed and understood.


 My understanding is that the target entry is
 ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


 The only ACI I found that match this target is:
 aci: (targetfilter = (objectClass=ipaToken))
 (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
  || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial || ipatokenOwner)
 (version 3.0; acl Users/managers can read basic token info; allow (read, search, 
compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


 Do you know if the target entry has 'ipatokenOwner' or
 'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question... I will  try to reproduce



The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.

 It may not querying all attributes, but just search the first
 one it can read.
 As it finds none of them you get the message for all
 attributes.

Right, but why iterate through all possible attributes? It should only
iterate through the attributes requested. Whether the user can read a
non-requested attribute or not is irrelevant because the attribute was
not requested.
I think it is iterating from the attributes in the entry. Searching the 
first one that the authenticated subject is allowed to read.


thanks
thierry

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/09/2014 06:32 PM, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

 The post read control needs access to the modified entry to
 return it.
 This access is granted at the condition, the binddn can access
 attributes.

Agreed and understood.


 My understanding is that the target entry is
ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


 The only ACI I found that match this target is:
 aci: (targetfilter = (objectClass=ipaToken))
 (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
  || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor 
|| ipatokenModel || ipatokenSerial || ipatokenOwner)
 (version 3.0; acl Users/managers can read basic token 
info; allow (read, search, compare) userattr = 
ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


 Do you know if the target entry has 'ipatokenOwner' or
 'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?
Good question... 

+1
could you post the full aci logging not only the summary for the access 
to the attributes ?

I will  try to reproduce



The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90 



Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.

 It may not querying all attributes, but just search the first
 one it can read.
 As it finds none of them you get the message for all
 attributes.

Right, but why iterate through all possible attributes? It should only
iterate through the attributes requested. Whether the user can read a
non-requested attribute or not is irrelevant because the attribute was
not requested.
I think it is iterating from the attributes in the entry. Searching 
the first one that the authenticated subject is allowed to read.


thanks
thierry



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:
 On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
  On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
  On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
 
  Attached are two patches which solve this issue for admin users (not
  very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
 
  There are two outstanding issues:
 
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
 
  The relevant sections from the log are attached. 389 is denying access
  to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
  Hello Nathaniel,
 
   The post read control needs access to the modified entry to
   return it.
   This access is granted at the condition, the binddn can access
   attributes.
  Agreed and understood.
 
   My understanding is that the target entry is
   
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
   and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.
  Correct.
 
   The only ACI I found that match this target is:
   aci: (targetfilter = (objectClass=ipaToken))
   (targetattrs = objectclass || description || managedBy || 
  ipatokenUniqueID || ipatokenDisabled
|| ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
  ipatokenModel || ipatokenSerial || ipatokenOwner)
   (version 3.0; acl Users/managers can read basic token info; 
  allow (read, search, compare) userattr = ipatokenOwner#USERDN or 
  userattr = managedBy#USERDN;)
  Correct.
 
   Do you know if the target entry has 'ipatokenOwner' or
   'managedBy' with the binddn value ?
  Yes, both. So why is access to objectClass (et cetera) being denied?
 Good question... I will  try to reproduce

Thanks!

  The ACIs allowing access to most of these attributes are here:
  https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
 
  Note that I am able to query the entry just fine (including all the
  above invalidly restricted attributes). Hence, I know the ACIs are
  working just fine.
 
  Part of the strange thing is that in the post read control request, I
  haven't indicated that I want *any* attributes returned (i.e. I want
  just the DN). So I'm not sure why it is querying all the attributes. I
  would suspect that the proper behavior would be to only check the ACIs
  on attributes that will actually be returned.
   It may not querying all attributes, but just search the first
   one it can read.
   As it finds none of them you get the message for all
   attributes.
  Right, but why iterate through all possible attributes? It should only
  iterate through the attributes requested. Whether the user can read a
  non-requested attribute or not is irrelevant because the attribute was
  not requested.
 I think it is iterating from the attributes in the entry. Searching the 
 first one that the authenticated subject is allowed to read.

I agree. The question is: why?

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Thu, 2014-10-09 at 18:38 +0200, Ludwig Krispenz wrote:
 On 10/09/2014 06:32 PM, thierry bordaz wrote:
  On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
  On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
  On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
 
  Attached are two patches which solve this issue for admin users (not
  very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
 
  There are two outstanding issues:
 
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
 
  The relevant sections from the log are attached. 389 is denying access
  to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
  Hello Nathaniel,
 
   The post read control needs access to the modified entry to
   return it.
   This access is granted at the condition, the binddn can access
   attributes.
  Agreed and understood.
 
   My understanding is that the target entry is
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
   
  and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.
  Correct.
 
   The only ACI I found that match this target is:
   aci: (targetfilter = (objectClass=ipaToken))
   (targetattrs = objectclass || description || managedBy || 
  ipatokenUniqueID || ipatokenDisabled
|| ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor 
  || ipatokenModel || ipatokenSerial || ipatokenOwner)
   (version 3.0; acl Users/managers can read basic token 
  info; allow (read, search, compare) userattr = 
  ipatokenOwner#USERDN or userattr = managedBy#USERDN;)
  Correct.
 
   Do you know if the target entry has 'ipatokenOwner' or
   'managedBy' with the binddn value ?
  Yes, both. So why is access to objectClass (et cetera) being denied?
  Good question... 
 +1
 could you post the full aci logging not only the summary for the access 
 to the attributes ?

Attached.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
cn=anonymous-limits,cn=etc,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
uid=otp,cn=users,cn=accounts,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-lockout-plugin - preop returning 0: success
 
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
uid=otp,cn=users,cn=accounts,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - Attempting OTP authentication for 
'uid=otp,cn=users,cn=accounts,dc=example,dc=com'.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
dc=example,dc=com for 
((|(objectClass=ipaTokenTOTP)(objectClass=ipaTokenHOTP))(ipatokenOwner=uid=otp,cn=users,cn=accounts,dc=example,dc=com)(|(ipatokenNotBefore=20141008205439Z)(!(ipatokenNotBefore=*)))(|(ipatokenNotAfter=20141008205439Z)(!(ipatokenNotAfter=*)))(|(ipatokenDisabled=FALSE)(!(ipatokenDisabled=*
 with scope 2 (sub)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - kerberos key already present in 
user entry: uid=otp,cn=users,cn=accounts,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
uid=otp,cn=users,cn=accounts,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
uid=otp,cn=users,cn=accounts,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
cn=anonymous-limits,cn=etc,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] ipa-range-check - Not an ID range object, nothing 
to do.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com for 
(|(objectclass=*)(objectclass=ldapsubentry)) with 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Ludwig Krispenz]

On 10/09/2014 06:53 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 18:38 +0200, Ludwig Krispenz wrote:

On 10/09/2014 06:32 PM, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can access
  attributes.

Agreed and understood.


  My understanding is that the target entry is
ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy ||
ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor
|| ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token
info; allow (read, search, compare) userattr =
ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question...

+1
could you post the full aci logging not only the summary for the access
to the attributes ?

Attached.
this doesn't look like full acl logging, did you set errorlog-level to 
include 128 ?


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[thierry bordaz]

On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:

On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:

On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:


The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

Hello Nathaniel,

  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can access
  attributes.

Agreed and understood.


  My understanding is that the target entry is
  ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.

Correct.


  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy || 
ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token info; allow (read, search, 
compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)

Correct.


  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?

Yes, both. So why is access to objectClass (et cetera) being denied?

Good question... I will  try to reproduce

Thanks!


Hello,

   I tried to reproduce and it seems to work on *master*.
   I am using the attached ldif file.
   The test case is to bind as cn=active
   guy,cn=accounts,dc=example,dc=com and to do a modify on cn=active
   otp,cn=otp,dc=example,dc=com.

   The modify updates the 'description' attribute and do a postread
   (description, cn).

   The write 'description' is allowed by :

   dn: cn=otp,dc=example,dc=com
   aci: (targetfilter =
   (objectclass=organizationalPerson))(target = ldap:///c
 n=*,cn=otp,dc=example,dc=com)(targetattr = objectclass ||
   description || se
 eAlso)(version 3.0; acl Active user modify otp entry; allow
   (write) userdn
  = ldap:///cn=active guy,cn=accounts,dc=example,dc=com;)

   [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1. Evaluating ALLOW
   aci(19)  Active user modify otp entry
   [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2 op=16 (main):
   Allow write on entry(cn=active
   otp,cn=otp,dc=example,dc=com).attr(description) to cn=active
   guy,cn=accounts,dc=example,dc=com: allowed by aci(19): aciname=
   Active user modify otp entry, acidn=cn=otp,dc=example,dc=com



   The postread is allowed by:

   dn: cn=otp,dc=example,dc=com
   aci: (targetfilter = (objectclass=organizationalPerson))
   (targetattr = obje
 ctclass || description || seeAlso || cn)(version 3.0; acl
   Active user can r
 ead his entries; allow (read, search, compare) userattr =
   seeAlso#USERDN;)

   [09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1. Evaluating ALLOW
   aci(21)  Active user can read his entries
   [09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ ALLOW in cache
   [09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2 op=16 (main):
   Allow read on entry(cn=active
   otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active
   guy,cn=accounts,dc=example,dc=com: cached allow by aci(21)


   The postread works if I use USERDN or SELFDN.

   Please let me know the version of 389-ds that you are testing, I
   will try on that branch

   thanks
   thierry




The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.

  It may not querying all attributes, but just search the first
 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

On Thu, 2014-10-09 at 22:22 +0200, thierry bordaz wrote:
 On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:
 
  On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:
   On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
 On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
 
  The background of this email is this bug:
  https://fedorahosted.org/freeipa/ticket/4456
  
  Attached are two patches which solve this issue for admin users (not
  very helpful, I know). They depend on this fix in 389:
  https://fedorahosted.org/389/ticket/47920
  
  There are two outstanding issues:
  
  1. 389 does not send the post read control for normal users. The
  operation itself succeeds, but no control is sent.
  
  The relevant sections from the log are attached. 389 is denying 
  access
  to the following attributes (* = valid, ! = invalid):
  ! objectClass
  ! ipatokenOTPalgorithm
  ! ipatokenOTPdigits
  * ipatokenOTPkey
  * ipatokenHOTPcounter
  ! ipatokenOwner
  ! managedBy
  ! ipatokenUniqueID
 Hello Nathaniel,
 
  The post read control needs access to the modified entry to
  return it.
  This access is granted at the condition, the binddn can 
 access
  attributes.
Agreed and understood.

  My understanding is that the target entry is
  
 ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
  and the binddn uid=otp,cn=users,cn=accounts,dc=example,dc=com.
Correct.

  The only ACI I found that match this target is:
  aci: (targetfilter = (objectClass=ipaToken))
  (targetattrs = objectclass || description || managedBy || 
 ipatokenUniqueID || ipatokenDisabled
   || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor 
 || ipatokenModel || ipatokenSerial || ipatokenOwner)
  (version 3.0; acl Users/managers can read basic token 
 info; allow (read, search, compare) userattr = 
 ipatokenOwner#USERDN or userattr = managedBy#USERDN;)
Correct.

  Do you know if the target entry has 'ipatokenOwner' or
  'managedBy' with the binddn value ?
Yes, both. So why is access to objectClass (et cetera) being denied?
   Good question... I will  try to reproduce
  Thanks!
 
 Hello,
 
 I tried to reproduce and it seems to work on *master*.
 I am using the attached ldif file. 
 The test case is to bind as cn=active
 guy,cn=accounts,dc=example,dc=com and to do a modify on
 cn=active otp,cn=otp,dc=example,dc=com.
 
 The modify updates the 'description' attribute and do a
 postread (description, cn).
 
 The write 'description' is allowed by :
 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson))(target =
 ldap:///c
  n=*,cn=otp,dc=example,dc=com)(targetattr =
 objectclass || description || se
  eAlso)(version 3.0; acl Active user modify otp
 entry; allow (write) userdn
   = ldap:///cn=active
 guy,cn=accounts,dc=example,dc=com;)
 
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1.
 Evaluating ALLOW aci(19)  Active user modify otp
 entry
 [09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow write on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(description) to
 cn=active guy,cn=accounts,dc=example,dc=com: allowed
 by aci(19): aciname= Active user modify otp entry,
 acidn=cn=otp,dc=example,dc=com
 
 
 The postread is allowed by: 
 dn: cn=otp,dc=example,dc=com
 aci: (targetfilter =
 (objectclass=organizationalPerson)) (targetattr =
 obje
  ctclass || description || seeAlso || cn)(version
 3.0; acl Active user can r
  ead his entries; allow (read, search, compare)
 userattr = seeAlso#USERDN;)
 
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1.
 Evaluating ALLOW aci(21)  Active user can read his
 entries
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ
 ALLOW in cache
 [09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2
 op=16 (main): Allow read on entry(cn=active
 otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active
 guy,cn=accounts,dc=example,dc=com: cached allow by
 aci(21)
  

[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

[Nathaniel McCallum]

The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.

2. The second patch (0002) modifies the ACI for normal user token
addition from this:

aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter
= (objectClass=ipaToken))(version 3.0; acl Users can create
self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and
userattr = managedBy#SELFDN;)

To this:

aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,
$SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl
Users can create self-managed tokens; allow (add) userattr =
ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

The idea is to allow users to create tokens which will be expanded by
the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs are
checked. Since the expanded UUID no longer matches the ACI, the addition
is denied. Is this truly the correct behavior? I would think that the
ACIs would be checked before the UUID plugin, not after.
From 7e9d847ec2d9b1b3829abbf3ec6961091d378fc7 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Wed, 8 Oct 2014 16:20:21 -0400
Subject: [PATCH 2/2] Use UUID plugin to generate ipaTokenUniqueIDs

This lets us to deny custom ipaTokenUniqueIDs to non-admin users.

https://fedorahosted.org/freeipa/ticket/4456
---
 install/share/Makefile.am|  1 +
 install/share/default-aci.ldif   |  2 +-
 install/share/uuid-ipatokenuniqueid.ldif | 11 
 install/updates/40-otp.update|  3 +-
 ipalib/plugins/otptoken.py   | 47 ++--
 ipaserver/install/dsinstance.py  |  1 +
 6 files changed, 42 insertions(+), 23 deletions(-)
 create mode 100644 install/share/uuid-ipatokenuniqueid.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 7d8ceb60e6374e133cfb6e3684bc307dbf313ce7..19bea40c872f148a3a7b8dcafca6e576429e3ace 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -63,6 +63,7 @@ app_DATA =\
 	user_private_groups.ldif	\
 	host_nis_groups.ldif		\
 	uuid-ipauniqueid.ldif		\
+	uuid-ipatokenuniqueid.ldif	\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
 	root-autobind.ldif		\
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b6519b291dbaaa075e949317154c047da8f32ce 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -96,4 +96,4 @@ aci: (targetfilter = (objectClass=ipatokenTOTP))(targetattrs = ipatokenOTPalg
 aci: (targetfilter = (objectClass=ipatokenHOTP))(targetattrs = ipatokenOTPalgorithm || ipatokenOTPdigits)(version 3.0; acl Users/managers can see HOTP details; allow (read, search, compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)
 aci: (targetfilter = (objectClass=ipaToken))(targetattrs = description || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial)(version 3.0; acl Managers can write basic token info; allow (write) userattr = managedBy#USERDN;)
 aci: (targetfilter = (objectClass=ipaToken))(version 3.0; acl Managers can delete tokens; allow (delete) userattr = managedBy#USERDN;)
-aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
+aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
diff --git