#3693 Cannot view user enabled for OTP radius auth
Closed: Fixed None Opened 9 years ago by rcritten.

Follow instructions for configuring a limited radius server using option #1 at https://fedoraproject.org/wiki/QA:Testcase_freeipav3_otp

# kinit -T `klist | grep cache | cut -d':' -f2-` radius
Enter OTP Token Value: 
# ipa user-show radius
ipa: ERROR: radius: user not found

I think it is the presence of (!(objectClass=ipatokenRadiusProxyUser)) in the 'Enable Anonymous access' ACI in default-aci.ldif that is the culprit.

Nathaniel, can you please re-evaluate the ACI?

aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

Looking at the affected objectclass definition, it seemed to me that there is no secret in ipatokenRadiusProxyUser object class:

objectClasses:  (2.16.840.1.113730.  NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')

... and could be thus safely allowed in the global ACI. Is that correct?

If yes, are you willing to take and fix this ticket?

Committed to master and ipa-3-2:

master: 4bbbc11

ipa-3-2: d7a4d7a

Metadata Update from @rcritten:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)

5 years ago

Login to comment on this ticket.