This is currently denied by the FreeIPA ACIs. We essentially need this:
(target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "otptoken-add-delete"; allow (add, delete) userattr = "ipatokenOwner#USERDN";)
However, this doesn't currently work with 389ds because of this bug: https://fedorahosted.org/389/ticket/47653
https://www.redhat.com/archives/freeipa-devel/2014-February/msg00059.html
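The ACI quoted above grants add and delete on token entries only when the bound user's DN appears in the entry's own ipatokenOwner attribute (the userattr = "ipatokenOwner#USERDN" bind rule). The following Python script is an added illustration, not FreeIPA or 389-ds code: it parses that one ACI and evaluates it against a token entry the way the ticket expects it to be evaluated, i.e. with the bind rule checked against the entry being added or deleted. The ticket reports that 389-ds does not yet behave this way for add/delete (see the 389 ticket linked above), so this models the intended semantics rather than current server behaviour. The user DNs, the token DN and the token entry are constructed sample data; the only piece taken from the page is the ACI string itself.

```python
import re

# The ACI from the ticket, verbatim.
ACI = (
    '(target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")'
    '(targetfilter = "(objectClass=ipaToken)")'
    '(version 3.0; acl "otptoken-add-delete"; allow (add, delete) '
    'userattr = "ipatokenOwner#USERDN";)'
)

# Constructed sample data (not from the ticket).
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
BOB = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
TOKEN_DN = "ipatokenuniqueid=sample-token,cn=otp,dc=example,dc=com"
TOKEN = {
    "objectClass": ["top", "ipaToken", "ipatokenTOTP"],
    "ipatokenOwner": [ALICE],
}


def norm_dn(dn):
    """Case-fold a DN and drop whitespace around RDN separators."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_aci(aci):
    """Extract target DN pattern, targetfilter, permissions and userattr."""
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', aci).group(1)
    attr, value = re.search(
        r'\(targetfilter\s*=\s*"\((\w+)=([^)]+)\)"\)', aci).groups()
    perms = re.search(r"allow\s*\(([^)]+)\)", aci).group(1)
    userattr = re.search(r'userattr\s*=\s*"([^#"]+)#USERDN"', aci).group(1)
    return {
        "target": norm_dn(target),
        "filter": (attr.lower(), value.lower()),
        "perms": {p.strip().lower() for p in perms.split(",")},
        "userattr": userattr.lower(),
    }


def target_matches(pattern, dn):
    """Wildcard DN match: '*' stands for a single RDN value (no commas)."""
    regex = re.escape(pattern).replace(r"\*", "[^,]*")
    return re.fullmatch(regex, norm_dn(dn)) is not None


def attr_values(entry, name):
    """Case-insensitive attribute lookup; values are returned lower-cased."""
    for key, vals in entry.items():
        if key.lower() == name:
            return [v.lower() for v in vals]
    return []


def allowed(aci, bind_dn, op, dn, entry):
    """Does this single ACI grant `op` on entry `dn` to `bind_dn`?

    The userattr#USERDN bind rule is satisfied only when the bound DN is
    one of the entry's own ipatokenOwner values.  Anything the ACI does
    not grant is treated as denied, matching the server's default.
    """
    rule = parse_aci(aci)
    attr, value = rule["filter"]
    owners = [norm_dn(v) for v in attr_values(entry, rule["userattr"])]
    return (
        op.lower() in rule["perms"]
        and target_matches(rule["target"], dn)
        and value in attr_values(entry, attr)
        and norm_dn(bind_dn) in owners
    )


if __name__ == "__main__":
    for who in (ALICE, BOB):
        for op in ("add", "delete", "write"):
            print(f"{who.split(',')[0]} {op:6s} -> {allowed(ACI, who, op, TOKEN_DN, TOKEN)}")
```

Running the script shows alice granted add and delete on her own token and denied write (the ACI does not grant it), while bob is denied everything; a token entry with no ipatokenOwner is likewise denied to everyone, which is the case that matters for add, since the attribute has to be evaluated on the entry being created rather than on an existing one.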
master:
Metadata Update from @npmccallum: - Issue assigned to npmccallum - Issue set to the milestone: FreeIPA 4.0 - 2014/02