freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#3693 Cannot view user enabled for OTP radius auth

Created 4 years ago by rcritten
Modified 4 months ago

Follow instructions for configuring a limited radius server using option #1 at https://fedoraproject.org/wiki/QA:Testcase_freeipav3_otp

# kinit -T `klist | grep cache | cut -d':' -f2-` radius
Enter OTP Token Value: 
# ipa user-show radius
ipa: ERROR: radius: user not found

I think it is the presence of (!(objectClass=ipatokenRadiusProxyUser)) in the 'Enable Anonymous access' ACI in default-aci.ldif that is the culprit.

Nathaniel, can you please re-evaluate the ACI?

aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

Looking at the affected objectclass definition, it seemed to me that there is no secret in the ipatokenRadiusProxyUser object class:

objectClasses:  (2.16.840.1.113730.3.8.16.2.3  NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')

... and could thus be safely allowed in the global ACI. Is that correct?

If yes, are you willing to take and fix this ticket?
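The mechanism behind the ticket is the ACI's targetfilter: a 389-ds ACI only applies to entries that match its targetfilter, and the "Enable Anonymous access" ACI quoted above (its userdn "ldap:///anyone" covers authenticated binds as well as anonymous ones) is the one that grants read/search on user entries. A user that has been given the auxiliary objectClass ipatokenRadiusProxyUser matches the negated clause, so the ACI no longer applies to that entry and a search simply does not return it. The following is an added example, not FreeIPA code: a small evaluator for the filter syntax the ACI uses, run against two constructed user entries, once with the targetfilter exactly as quoted in the ticket and once with the ipatokenRadiusProxyUser clause removed (an assumption about the fix, following the proposal in the comment above). It also checks the comment's claim that the objectclass's own attributes (ipatokenRadiusConfigLink, ipatokenRadiusUserName) are not among the secrets the ACI's targetattr clause withholds.

```python
"""Evaluate a 389-ds ACI targetfilter against LDAP entries (added example).

Not FreeIPA code. The entries below are constructed for illustration; the
filter strings are copied from the ACI quoted in the ticket, except
PROPOSED_TARGETFILTER, which assumes the fix is to drop the
ipatokenRadiusProxyUser clause.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, Set[str]]  # lowercase attribute name -> lowercase values


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Recursive-descent parser for (&..), (|..), (!..), (attr=value), (attr=*)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' after NOT at offset %d" % i)
        return ("!", child), i + 1
    end = s.index(")", i)                      # simple equality item
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % s[i:end])
    if value == "*":
        return ("present", attr.lower()), end + 1
    return ("=", attr.lower(), value.lower()), end + 1


def parse_filter(text: str) -> tuple:
    """Parse an RFC 4515 style filter string into a small AST."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter at offset %d" % pos)
    return node


def matches(node: tuple, entry: Entry) -> bool:
    """True if the entry satisfies the filter AST (objectClass is case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "present":
        return node[1] in entry
    _, attr, value = node
    return value in entry.get(attr, set())


def make_entry(**attrs: List[str]) -> Entry:
    """Build a constructed entry with attribute names and values normalised to lowercase."""
    return {k.lower(): {v.lower() for v in vals} for k, vals in attrs.items()}


# Constructed sample entries: an ordinary IPA user and one enabled for RADIUS auth.
PLAIN_USER = make_entry(
    uid=["alice"],
    objectClass=["top", "person", "inetorgperson", "posixaccount", "ipaobject"])
RADIUS_USER = make_entry(
    uid=["radius"],
    objectClass=["top", "person", "inetorgperson", "posixaccount", "ipaobject",
                 "ipatokenRadiusProxyUser"],
    ipatokenRadiusConfigLink=["cn=test-radius,cn=radiusproxy,dc=example,dc=test"])

# Targetfilter exactly as in the "Enable Anonymous access" ACI quoted in the ticket.
ORIGINAL_TARGETFILTER = ("(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))"
                         "(!(objectClass=ipatokenRadiusProxyUser))"
                         "(!(objectClass=ipatokenRadiusConfiguration)))")
# Assumption: the fix drops the ipatokenRadiusProxyUser clause, as proposed in the comment.
PROPOSED_TARGETFILTER = ("(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))"
                         "(!(objectClass=ipatokenRadiusConfiguration)))")
# The (targetattr != "...") list from the same ACI: attributes the ACI never exposes.
TARGETATTR_EXCLUSION = ("userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword"
                        " || passwordHistory || krbMKey || userPKCS12 || ipaNTHash"
                        " || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")


def visible_uids(targetfilter: str, entries: List[Entry]) -> List[str]:
    """uids of entries the ACI applies to, i.e. what a search under it can return."""
    node = parse_filter(targetfilter)
    return sorted(next(iter(e["uid"])) for e in entries if matches(node, e))


def withheld_attrs(attrs: Set[str], targetattr_exclusion: str) -> Set[str]:
    """Which of `attrs` the ACI's targetattr != clause ('||'-separated) withholds."""
    excluded = {a.strip().lower() for a in targetattr_exclusion.split("||")}
    return {a for a in attrs if a.lower() in excluded}


if __name__ == "__main__":
    users = [PLAIN_USER, RADIUS_USER]
    print("original targetfilter:", visible_uids(ORIGINAL_TARGETFILTER, users))
    print("proposed targetfilter:", visible_uids(PROPOSED_TARGETFILTER, users))
    print("objectclass attrs withheld by targetattr:",
          withheld_attrs({"ipatokenRadiusConfigLink", "ipatokenRadiusUserName"},
                         TARGETATTR_EXCLUSION))
```

With the original targetfilter only alice is visible and the RADIUS-enabled user disappears, which is what "ipa: ERROR: radius: user not found" reflects; with the clause removed both users are visible, and the objectclass's two attributes are not in the targetattr exclusion list, so allowing the objectclass through this ACI exposes no attribute the ACI was protecting.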

Committed to master and ipa-3-2:

master: 4bbbc11

ipa-3-2: d7a4d7a

4 months ago

Metadata Update from @rcritten:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)


defect

IPA
