On 14/08/2023 07.37, spike via FreeIPA-users wrote:
> Hi,
> I've been trying to create a permission to allow certain users to manipulate
> all OTP Tokens. I found a post to this list from 2017 describing pretty much
> exactly what I want to do:
> https://lists.fedorahosted.org/archives/list/[email protected]/message/BG263EADXJOSCQBY3Q7WFXGPIZSXV5XK/
> My permission object looks pretty much identical (at least I can't find any
> significant difference):
> $ ipa permission-show --all --raw "OTP Key Management"
> dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
> cn: OTP Key Management
> ipapermright: all
> ipapermincludedattr: ipatokenTOTPtimeStep
> ipapermincludedattr: ipatokenOwner
> ipapermincludedattr: ipatokenOTPdigits
> ipapermincludedattr: ipatokenUniqueID
> ipapermincludedattr: ipatokenTOTPclockOffset
> ipapermincludedattr: ipatokenOTPkey
> ipapermbindruletype: permission
> ipapermlocation: cn=otp,dc=example,dc=com

How did you create the permission? The IPA permission location is wrong.
The suffix should match your domain components dc=rise,dc=fx.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
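
The mismatch pointed out in the reply above can be checked mechanically. This is an added example, not part of the original thread or of FreeIPA: it parses `ipa permission-show --all --raw` output and flags any `ipapermlocation` whose suffix differs from that of the permission's own `dn`. The function names are hypothetical, the sample is trimmed from the output quoted above, and the suffix is assumed to consist only of `dc=` components.

```python
# Added example: flag an IPA permission whose ipapermlocation lies outside
# the directory suffix of the permission entry itself.

# Trimmed from the `ipa permission-show --all --raw` output quoted in the thread.
SAMPLE = """\
dn: cn=OTP Key Management,cn=permissions,cn=pbac,dc=rise,dc=fx
cn: OTP Key Management
ipapermright: all
ipapermincludedattr: ipatokenOTPkey
ipapermbindruletype: permission
ipapermlocation: cn=otp,dc=example,dc=com
"""

def parse_raw(text):
    """Parse 'attr: value' lines into {lowercased attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if sep:
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def suffix(dn):
    """Return the trailing run of dc= RDNs of a DN, normalized to lower case.

    Assumptions: the suffix is built only from dc= components and no RDN
    value contains an escaped comma.
    """
    rdns = [tuple(p.strip().lower() for p in rdn.partition("=")[::2])
            for rdn in dn.split(",")]
    i = len(rdns)
    while i > 0 and rdns[i - 1][0] == "dc":
        i -= 1
    return rdns[i:]

def check_location(text):
    """Return [(location, expected_suffix)] for every out-of-suffix location."""
    entry = parse_raw(text)
    expected = suffix(entry["dn"][0])
    expected_str = ",".join(f"{a}={v}" for a, v in expected)
    return [(loc, expected_str)
            for loc in entry.get("ipapermlocation", [])
            if suffix(loc) != expected]

if __name__ == "__main__":
    for loc, want in check_location(SAMPLE):
        print(f"ipapermlocation {loc!r} is outside suffix {want!r}")
```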