Russ Long via FreeIPA-users wrote:
> There have been a couple threads about this in this forum, but I have not 
> been able to make anything work from those threads.  I have a group of 
> non-admin users that I would like to have able to manage OTP tokens for all 
> users.
> 
> I have attempted to create a permission, and have assigned it to the users 
> via a privilege. 
> 
> Here's the permission:
> $ ipa permission-show test --all --raw
>   dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
>   cn: test
>   ipapermright: all
>   ipapermincludedattr: ipatokentotptimestep
>   ipapermincludedattr: ipatokenotpalgorithm
>   ipapermincludedattr: ipatokentotpwatermark
>   ipapermincludedattr: ipatokenowner
>   ipapermincludedattr: ipatokenotpdigits
>   ipapermincludedattr: ipatokenuniqueid
>   ipapermincludedattr: ipatokentotpclockoffset
>   ipapermincludedattr: ipatokenotpkey
>   ipapermincludedattr: cn
>   ipapermincludedattr: ipatokenhotpsyncwindow
>   ipapermincludedattr: ipatokenhotpauthwindow
>   ipapermincludedattr: ipatokentotpsyncwindow
>   ipapermincludedattr: ipatokentotpauthwindow
>   ipapermbindruletype: permission
>   ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
>   ipapermtargetfilter: (objectclass=ipatokenotpconfig)
>   ipapermissiontype: SYSTEM
>   ipapermissiontype: V2
>   aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow 
> || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || 
> ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || 
> ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || 
> ipatokenuniqueid")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 
> 3.0;acl "permission:test";allow (all) groupdn = 
> "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";;)
>   objectclass: top
>   objectclass: groupofnames
>   objectclass: ipapermission
>   objectclass: ipapermissionv2
> 
> (membership information removed from above output, but it shows the proper 
> members)
> 
> When users with this permission attempt to see OTP tokens, they can only see 
> their own tokens. 
> 
> Any ideas would be greatly appreciated. 

You need to add objectclass to the set of attributes.

This ACI is rather comprehensive. You'll want to consider the case of a
bad actor that would try to delete all tokens.

rob
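As an added example (not code from Russ, Rob, or the FreeIPA project), here is a small Python linter that reads the output of `ipa permission-show NAME --all --raw` and reports the two points made in this reply: objectclass missing from the attribute set, and rights that include delete. The remediation string it prints assumes the generic `--addattr` option of `ipa permission-mod`; both sample outputs below are constructed from the permission in the thread (one as posted, one with objectclass added and the rights narrowed to read/search/compare).

```python
"""Lint `ipa permission-show --raw` output for the two issues raised in the thread.

Constructed samples: a trimmed copy of the posted permission (with the aci
line wrapped the way the mail client wrapped it) and a corrected variant.
"""
import re

SAMPLE_OUTPUT = """\
  dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
  cn: test
  ipapermright: all
  ipapermincludedattr: ipatokenowner
  ipapermincludedattr: ipatokenuniqueid
  ipapermincludedattr: ipatokenotpkey
  ipapermincludedattr: cn
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
  ipapermtargetfilter: (objectclass=ipatokenotpconfig)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "cn || ipatokenotpkey || ipatokenowner ||
ipatokenuniqueid")(targetfilter = "(objectclass=ipatokenotpconfig)")(version
3.0;acl "permission:test";allow (all) groupdn =
"ldap:///cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
  objectclass: top
  objectclass: ipapermissionv2
"""

# Constructed corrected variant: objectclass included, read-only rights.
FIXED_OUTPUT = """\
  dn: cn=otp token readers,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
  cn: otp token readers
  ipapermright: read
  ipapermright: search
  ipapermright: compare
  ipapermincludedattr: objectclass
  ipapermincludedattr: ipatokenowner
  ipapermincludedattr: ipatokenuniqueid
  ipapermincludedattr: cn
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=example,dc=com
  ipapermtargetfilter: (objectclass=ipatokenotpconfig)
"""

ATTR_LINE = re.compile(r"^\s*([A-Za-z][\w-]*): (.*)$")
ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete"}


def parse_permission_show(text):
    """Parse raw attribute lines into {name: [values]}.

    A line that does not look like 'name: value' is treated as a wrapped
    continuation of the previous value (mail clients wrap the long aci line).
    """
    entry, last = {}, None
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            last = m.group(1).lower()
            entry.setdefault(last, []).append(m.group(2))
        elif last is not None and line.strip():
            entry[last][-1] += " " + line.strip()
    return entry


def effective_attrs(entry):
    """Lowercase attribute set the ACI will expose (default + included - excluded)."""
    attrs = {a.lower() for a in entry.get("ipapermdefaultattr", [])}
    attrs |= {a.lower() for a in entry.get("ipapermincludedattr", [])}
    return attrs - {a.lower() for a in entry.get("ipapermexcludedattr", [])}


def effective_rights(entry):
    """Expand 'all' into the individual rights so 'delete' can be spotted."""
    rights = {r.lower() for r in entry.get("ipapermright", [])}
    return set(ALL_RIGHTS) if "all" in rights else rights


def lint_permission(text):
    """Return a list of findings; an empty list means both checks passed."""
    entry = parse_permission_show(text)
    name = entry.get("cn", ["?"])[0]
    location = entry.get("ipapermlocation", ["?"])[0]
    findings = []
    if "objectclass" not in effective_attrs(entry):
        findings.append(
            f"{name}: objectclass is not in the attribute set, so members will not "
            f"see the entries at all. Assumed fix: ipa permission-mod '{name}' "
            "--addattr=ipapermincludedattr=objectclass")
    rights = effective_rights(entry)
    if "delete" in rights:
        findings.append(
            f"{name}: rights {sorted(rights)} grant delete under {location}; a "
            "member of the granted group could remove every token. Prefer "
            "read/search/compare for viewing and a separate permission for changes.")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_OUTPUT), ("corrected", FIXED_OUTPUT)):
        print(f"== {label} ==")
        for finding in lint_permission(text) or ["no findings"]:
            print(" -", finding)
```

Feed it the real `--raw` output of your own permission instead of the constructed samples; the continuation handling lets you paste wrapped mail text without first re-joining the aci line.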
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue