Ticket #3693 (closed defect: fixed)

Opened 11 months ago

Last modified 9 months ago

Cannot view user enabled for OTP radius auth

Reported by: rcritten Owned by: npmccallum
Priority: major Milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)
Component: IPA Version:
Keywords: Cc: npmccallum
Blocked By: Blocking:
Affects Documentation: no Patch posted for review: yes
Red Hat Bugzilla: 0 Patch review by:
External tracker: Design link:
Needs UI design: Fedora test page:
Feature: Source:
Expertise:
Release Notes:

Description (last modified by rcritten)

Follow instructions for configuring a limited radius server using option #1 at https://fedoraproject.org/wiki/QA:Testcase_freeipav3_otp

# kinit -T `klist | grep cache | cut -d':' -f2-` radius
Enter OTP Token Value: 
# ipa user-show radius
ipa: ERROR: radius: user not found

I think it is the presence of (!(objectClass=ipatokenRadiusProxyUser)) in the 'Enable Anonymous access' ACI in default-aci.ldif that is the culprit.

Change History

comment:1 Changed 11 months ago by rcritten

  • Description modified

comment:2 Changed 10 months ago by dpal

  • Milestone changed from 0.0 NEEDS_TRIAGE to 2013 Month 06 - June (3.2.x bug fixing)
  • Red Hat Bugzilla set to 0

comment:3 Changed 10 months ago by mkosek

  • Cc npmccallum added

Nathaniel, can you please re-evaluate the ACI?

aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

Looking at the affected objectclass definition, it seemed to me that there is no secret in ipatokenRadiusProxyUser object class:

objectClasses:  (2.16.840.1.113730.3.8.16.2.3  NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')

... and could be thus safely allowed in the global ACI. Is that correct?

If yes, are you willing to take and fix this ticket?
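As an added illustration (not code from the ticket or from FreeIPA), the following Python models only the targetfilter part of the ACI quoted above and evaluates it against constructed entries, showing why a user carrying the auxiliary ipatokenRadiusProxyUser class drops out of anonymous read. PROPOSED assumes the fix is simply dropping that one clause, as suggested in this comment; the target and targetattr parts of the ACI are not modeled.

```python
# Added example, not FreeIPA code: a minimal RFC 4515-style filter evaluator
# (supports &, |, ! and attr=value) applied to constructed directory entries.

def parse_filter(text):
    """Parse a nested filter string into a tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # consume the closing ')'
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip().lower())

    return node()

def matches(tree, entry):
    """entry maps a lowercase attribute name to a set of lowercase values."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    return tree[2] in entry.get(tree[1], set())

# targetfilter from the 'Enable Anonymous access' ACI quoted in the ticket
ORIGINAL = ("(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))"
            "(!(objectClass=ipatokenRadiusProxyUser))"
            "(!(objectClass=ipatokenRadiusConfiguration)))")
# Assumed fix: drop only the proxy-user clause, keep excluding secret holders.
PROPOSED = ORIGINAL.replace("(!(objectClass=ipatokenRadiusProxyUser))", "")

# Constructed sample entries (objectClass values lowercased for matching).
PLAIN_USER = {"objectclass": {"top", "person", "posixaccount"}}
RADIUS_USER = {"objectclass": {"top", "person", "posixaccount", "ipatokenradiusproxyuser"}}
RADIUS_CONFIG = {"objectclass": {"top", "ipatokenradiusconfiguration"}}

def anonymous_can_read(aci_filter, entry):
    """True when the ACI's targetfilter selects the entry for anonymous read."""
    return matches(parse_filter(aci_filter), entry)
```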

comment:4 Changed 10 months ago by npmccallum

  • Owner changed from someone to npmccallum

comment:5 Changed 10 months ago by npmccallum

  • Patch posted for review set

comment:6 Changed 9 months ago by abbra

  • Resolution set to fixed
  • Status changed from new to closed