As reported in Luc's blog, users are able to add custom names to their tokens.
This is questionable given that tokens are in one tree and different users could easily add different tokens with the same name. This creates clashes and confusing error messages.
I think that for user tokens, ipauniqueid should be always generated by IPA and users should rather use just description to add friendly name.
There is no easy or straightforward fix available, given that the ID needs to be unique for all users. A couple of ideas were discussed at the last devel meeting:
We should discuss the options in 4.1 time frame before jumping to implementation.
We can use the post read control to get back the uuid and let ipa autogenerate it.
This way access control is simply a matter of allowing users to only use the special "autogenerate" value.
I just tested this command with freeipa 4.0.3 and 389-ds 1.3.3:
```
ldapadd -Y GSSAPI -e postread=ipauniqueid -f t.ldif
```
where t.ldif is:
And 389-ds happily generated the new DN and IPAUniqueID and returned them in the reply control:
```
$ ldapadd -Y GSSAPI -e postread=ipauniqueid -f t.ldif
SASL/GSSAPI authentication started
SASL username: admin@IPA.DEV.LAN
SASL SSF: 56
SASL data security layer installed.
adding new entry "ipaUniqueID=autogenerate,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan"
control: 1.3.6.1.1.13.2 false MIGWBFtpcGFVbmlxdWVJRD1lYjhiZjRlOC00NzJkLTExZTQt
# ==> postread
# <== postread
```
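The base64 value on the `control:` line is an RFC 4527 post-read response, a BER-encoded `SEQUENCE { LDAPDN, PartialAttributeList }` carrying the entry as it exists after the add, i.e. with the server-generated ipaUniqueID in place of the `autogenerate` placeholder. The following added example (not from the ticket or from FreeIPA) decodes such a value by hand so the structure is visible; the sample value is constructed here with a made-up UUID, and in real code python-ldap's `PostReadControl` does the same decoding.

```python
import base64

# Minimal BER TLV encoder, used only to construct the sample control value below.
def ber(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def ber_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_postread(b64):
    """Decode a post-read control value into (dn, {attr: [values]})."""
    tag, body, _ = ber_read(base64.b64decode(b64), 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    tag, dn, pos = ber_read(body, 0)
    assert tag == 0x04, "expected LDAPDN OCTET STRING"
    _, attrs, _ = ber_read(body, pos)                     # PartialAttributeList
    entry, pos = {}, 0
    while pos < len(attrs):
        _, attr, pos = ber_read(attrs, pos)               # SEQUENCE { type, SET OF value }
        _, name, p = ber_read(attr, 0)
        _, vals, _ = ber_read(attr, p)
        values, q = [], 0
        while q < len(vals):
            _, v, q = ber_read(vals, q)
            values.append(v.decode())
        entry[name.decode()] = values
    return dn.decode(), entry

# Constructed sample: what 389-ds would return for the ldapadd above, with a
# made-up UUID standing in for the generated ipaUniqueID.
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_DN = "ipaUniqueID=%s,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan" % SAMPLE_UUID
SAMPLE_B64 = base64.b64encode(ber(0x30,
    ber(0x04, SAMPLE_DN.encode()) +
    ber(0x30, ber(0x30, ber(0x04, b"ipaUniqueID") +
                        ber(0x31, ber(0x04, SAMPLE_UUID.encode())))))).decode()

if __name__ == "__main__":
    dn, entry = decode_postread(SAMPLE_B64)
    print(dn, entry["ipaUniqueID"][0])
```

Because the DN returned is exactly the one the server stored, a client that only sends `autogenerate` never has to guess or race for the ID.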
There are now patches posted which solve the majority of this issue:
If these patches are merged, all that remains is:
These were too big changes for 4.1; see the [HELP] Regular users should not be able to add OTP tokens with custom name thread.
So in 4.1, the token name was just hidden from Web UI to make adding it more difficult:
In next release, this should be fixed properly.
Processing leftovers from the 4.2 backlog - this ticket was found suitable for consideration in the next big feature release, 4.4.
Metadata Update from @mkosek:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.5 backlog