Ticket #3693 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Cannot view user enabled for OTP radius auth

Reported by: rcritten Owned by: npmccallum
Priority: major Milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)
Component: IPA Version:
Keywords: Cc: npmccallum
Blocked By: Blocking:
Affects Documentation: no Patch link: 1
Red Hat Bugzilla: 0 Patch review by:
External tracker: Design link:
Test coverage: Test by:
Test case: Needs UI design:
Feature: Source:
Release Notes:

Description (last modified by rcritten)

Follow instructions for configuring a limited radius server using option #1 at https://fedoraproject.org/wiki/QA:Testcase_freeipav3_otp

# kinit -T `klist | grep cache | cut -d':' -f2-` radius
Enter OTP Token Value: 
# ipa user-show radius
ipa: ERROR: radius: user not found

I think it is the presence of (!(objectClass=ipatokenRadiusProxyUser)) in the 'Enable Anonymous access' ACI in default-aci.ldif that is the culprit.

Change History

comment:1 Changed 4 years ago by rcritten

  • Description modified

comment:2 Changed 4 years ago by dpal

  • Red Hat Bugzilla set to 0
  • Milestone changed from 0.0 NEEDS_TRIAGE to 2013 Month 06 - June (3.2.x bug fixing)

comment:3 Changed 4 years ago by mkosek

  • Cc npmccallum added

Nathaniel, can you please re-evaluate the ACI?

aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

Looking at the affected objectclass definition, it seemed to me that there is no secret in the ipatokenRadiusProxyUser object class:

objectClasses:  (2.16.840.1.113730.  NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')

... and could be thus safely allowed in the global ACI. Is that correct?

If yes, are you willing to take and fix this ticket?
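The mechanism behind this ticket is the ACI's targetfilter: an anonymous bind may only read entries the filter selects, and adding the ipatokenRadiusProxyUser auxiliary class to a user makes that user fall outside the filter, so `ipa user-show` (which searches as the bound user's visibility allows) no longer finds it. The following Python is an added illustration written for this page, not FreeIPA code and not the patch attached to the ticket. It implements a small RFC 4515 filter evaluator (and/or/not/equality only), runs the quoted targetfilter over two constructed user entries, and also runs a relaxed filter with the ipatokenRadiusProxyUser clause dropped, which reflects the question asked in comment 3 rather than the actual fix. The entry attributes and the DN in ipatokenRadiusConfigLink are constructed sample data.

```python
"""Evaluate the 'Enable Anonymous access' targetfilter against sample entries.

Added example for this ticket page; not FreeIPA code. Parses a subset of
RFC 4515 filters (&, |, !, attr=value, attr=*) and checks which entries an
ACI with that targetfilter would apply to.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute names stored lower-cased

# Target filter copied verbatim from the ACI quoted in comment 3.
ORIGINAL_FILTER = (
    "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))"
    "(!(objectClass=ipatokenRadiusProxyUser))"
    "(!(objectClass=ipatokenRadiusConfiguration)))"
)

# Hypothetical relaxed filter: the ipatokenRadiusProxyUser clause removed,
# as comment 3 asks about. Not taken from the ticket's patch.
RELAXED_FILTER = (
    "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))"
    "(!(objectClass=ipatokenRadiusConfiguration)))"
)

# Constructed sample entries (object classes are real FreeIPA/LDAP names,
# the values are made up for the example).
PLAIN_USER: Entry = {
    "uid": ["alice"],
    "objectclass": ["top", "person", "posixaccount", "inetorgperson"],
}
RADIUS_USER: Entry = {
    "uid": ["radius"],
    "objectclass": ["top", "person", "posixaccount", "inetorgperson",
                    "ipatokenRadiusProxyUser"],
    # Only a DN pointer, no secret; the shared secret lives in the
    # ipatokenRadiusConfiguration entry this points at.
    "ipatokenradiusconfiglink": ["cn=example,cn=radiusproxy,dc=example,dc=test"],
}
RADIUS_CONFIG: Entry = {
    "cn": ["example"],
    "objectclass": ["top", "ipatokenRadiusConfiguration"],
}


def parse_filter(text: str, pos: int = 0) -> Tuple[tuple, int]:
    """Return (tree, next_pos) for the filter starting at text[pos]."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"unterminated '{op}' list at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    # Simple equality item: (attr=value). Escaped ')' (\29) is not handled.
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad filter item {text[pos:end]!r}")
    return ("=", attr.lower(), value), end + 1


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter tree against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence test
        return bool(values)
    # objectClass values are matched case-insensitively in LDAP.
    return any(v.lower() == value.lower() for v in values)


def anonymous_can_read(filter_text: str, entry: Entry) -> bool:
    """True if the targetfilter selects the entry, i.e. the allow rule applies."""
    tree, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return matches(tree, entry)


if __name__ == "__main__":
    for name, entry in (("plain user", PLAIN_USER), ("radius user", RADIUS_USER),
                        ("radius config", RADIUS_CONFIG)):
        print(f"{name:14} original={anonymous_can_read(ORIGINAL_FILTER, entry)!s:5} "
              f"relaxed={anonymous_can_read(RELAXED_FILTER, entry)}")
```

Running the script shows the plain user is readable under both filters, the RADIUS proxy user is excluded by the original filter (the symptom in the description) and included by the relaxed one, while the ipatokenRadiusConfiguration entry, which holds the RADIUS secret, stays excluded either way. When changing such an ACI, that last row is the check worth keeping: relaxing the filter for the proxy-user class must not widen anonymous read access to the configuration entries it links to.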

comment:4 Changed 4 years ago by npmccallum

  • Owner changed from someone to npmccallum

comment:5 Changed 4 years ago by npmccallum

  • Patch link changed from 0 to 1

comment:6 Changed 4 years ago by abbra

  • Status changed from new to closed
  • Resolution set to fixed