Follow instructions for configuring a limited radius server using option #1 at https://fedoraproject.org/wiki/QA:Testcase_freeipav3_otp
    # kinit -T `klist | grep cache | cut -d':' -f2-` radius
    Enter OTP Token Value:
    # ipa user-show radius
    ipa: ERROR: radius: user not found
I think it is the presence of (!(objectClass=ipatokenRadiusProxyUser)) in the 'Enable Anonymous access' ACI in default-aci.ldif that is the culprit.
Nathaniel, can you please re-evaluate the ACI?
aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
Looking at the affected objectclass definition, it seemed to me that there is no secret in the ipatokenRadiusProxyUser object class:
ipatokenRadiusProxyUser
objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
... and could be thus safely allowed in the global ACI. Is that correct?
If yes, are you willing to take and fix this ticket?
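To make the targetfilter argument concrete, here is an added example (not FreeIPA or 389-ds code) that evaluates the 'Enable Anonymous access' targetfilter quoted in this ticket, and the same filter with the ipatokenRadiusProxyUser clause dropped, against constructed directory entries. The entries and their attribute values are assumptions for illustration only.

```python
"""Evaluate the anonymous-read targetfilter against sample entries.

Added example, not FreeIPA code. Shows why a user carrying the auxiliary
ipatokenRadiusProxyUser objectClass is invisible to anonymous binds under
the original filter, and that dropping that clause still keeps
ipatokenRadiusConfiguration entries (which hold the RADIUS secret) hidden.
"""

# Targetfilter copied from the ACI in this ticket.
ORIGINAL_FILTER = ("(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))"
                   "(!(objectClass=ipatokenRadiusProxyUser))"
                   "(!(objectClass=ipatokenRadiusConfiguration)))")
# Same filter without the ipatokenRadiusProxyUser exclusion (the proposed fix).
FIXED_FILTER = ("(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))"
                "(!(objectClass=ipatokenRadiusConfiguration)))")

# Constructed entries (attribute sets are assumptions, not a real directory).
RADIUS_USER = {"uid": {"radius"},
               "objectClass": {"top", "person", "posixAccount",
                               "ipatokenRadiusProxyUser"}}
PLAIN_USER = {"uid": {"alice"}, "objectClass": {"top", "person", "posixAccount"}}
RADIUS_CONFIG = {"cn": {"proxy1"},
                 "objectClass": {"top", "ipatokenRadiusConfiguration"}}

def parse(s, i=0):
    """Parse one parenthesised LDAP filter (&, |, !, attr=value) at s[i]."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":                      # composite node: collect children
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        assert s[i] == ")"
        return (op, kids), i + 1
    end = s.index(")", i)                  # leaf: attribute=value
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; attribute names and values compare case-insensitively."""
    op = node[0]
    if op == "=":
        return node[2] in entry.get(node[1], set())
    if op == "!":
        return not matches(node[1][0], entry)
    results = [matches(k, entry) for k in node[1]]
    return all(results) if op == "&" else any(results)

def anonymous_readable(targetfilter, entry):
    """True if the ACI's targetfilter selects this entry for anonymous read."""
    norm = {k.lower(): {v.lower() for v in vs} for k, vs in entry.items()}
    return matches(parse(targetfilter)[0], norm)
```

Under ORIGINAL_FILTER the radius user is excluded, which is exactly why `ipa user-show radius` reports "user not found"; under FIXED_FILTER both users are readable while the configuration entry stays hidden.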
Committed to master and ipa-3-2:
master: 4bbbc11
ipa-3-2: d7a4d7a
Metadata Update from @rcritten:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)