As reported in Luc's blog, users are able to add custom names to their tokens.
This is questionable given that tokens are in one tree and different users could easily add different tokens with the same name. This creates clashes and confusing error messages.
I think that for user tokens, ipauniqueid should be always generated by IPA and users should rather use just description to add friendly name.
There is no easy or straightforward fix available, given that the ID needs to be unique for all users. A couple of ideas were discussed at the last devel meeting:
We should discuss the options in 4.1 time frame before jumping to implementation.
https://www.redhat.com/archives/freeipa-devel/2014-September/msg00351.html
Also: https://www.redhat.com/archives/freeipa-devel/2014-September/msg00433.html
We can use the post-read control to get back the UUID and let IPA autogenerate it. This way access control is simply a matter of allowing users to only use the special "autogenerate" value.
I just tested this command with FreeIPA 4.0.3 and 389-ds 1.3.3:
ldapadd -Y GSSAPI -e postread=ipauniqueid -f t.ldif
where t.ldif is:
dn: ipaUniqueID=autogenerate,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan
objectClass: top
objectClass: ipaobject
ipaUniqueID: autogenerate
And 389-ds happily generated it and returned the new DN and ipaUniqueID in the reply control:
$ ldapadd -Y GSSAPI -e postread=ipauniqueid -f t.ldif
SASL/GSSAPI authentication started
SASL username: admin@IPA.DEV.LAN
SASL SSF: 56
SASL data security layer installed.
adding new entry "ipaUniqueID=autogenerate,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan"
control: 1.3.6.1.1.13.2 false MIGWBFtpcGFVbmlxdWVJRD1lYjhiZjRlOC00NzJkLTExZTQt
 YTg3OS01MjU0MDBjZDc2NDUsY249Z3JvdXBzLGNuPWFjY291bnRzLGRjPWlwYSxkYz1kZXYsZGM9b
 GFuMDcwNQQLaXBhdW5pcXVlaWQxJgQkZWI4YmY0ZTgtNDcyZC0xMWU0LWE4NzktNTI1NDAwY2Q3Nj
 Q1
# ==> postread
dn: ipaUniqueID=eb8bf4e8-472d-11e4-a879-525400cd7645,cn=groups,cn=accounts,dc=
 ipa,dc=dev,dc=lan
ipauniqueid: eb8bf4e8-472d-11e4-a879-525400cd7645
# <== postread
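The control exchange in the comment above, as an added example that is not FreeIPA or 389-ds code: `post_read_request_value()` builds the value of the Post-Read request control (RFC 4527, OID 1.3.6.1.1.13.2) that `ldapadd -e postread=ipauniqueid` attaches to the add, `parse_post_read_response()` decodes the response control value 389-ds returned in the transcript (the base64 is copied from it), and `is_autogenerate_request()` is the policy the "only allow the special autogenerate value" idea boils down to, written as a plain function. A minimal BER encoder/decoder is hand-rolled so the script runs offline; all function names are the example's own. Against a live server you would use `ldap.controls.readentry.PostReadControl` from python-ldap rather than this encoder.

```python
"""LDAP Post-Read control (RFC 4527) on the wire, plus the "autogenerate" gate.

Added example, not FreeIPA/389-ds code.  SAMPLE_RESPONSE_B64 is the response
control value from the ldapadd transcript in this ticket; everything else is
illustrative.
"""
import base64

POST_READ_OID = "1.3.6.1.1.13.2"
AUTOGENERATE = "autogenerate"

# Copied from the ldapadd transcript above (unwrapped).
SAMPLE_RESPONSE_B64 = (
    "MIGWBFtpcGFVbmlxdWVJRD1lYjhiZjRlOC00NzJkLTExZTQt"
    "YTg3OS01MjU0MDBjZDc2NDUsY249Z3JvdXBzLGNuPWFjY291bnRzLGRjPWlwYSxkYz1kZXYsZGM9b"
    "GFuMDcwNQQLaXBhdW5pcXVlaWQxJgQkZWI4YmY0ZTgtNDcyZC0xMWU0LWE4NzktNTI1NDAwY2Q3Nj"
    "Q1"
)


def _ber_len(n):
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_read(buf, pos):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def _ber_items(body):
    """All TLVs contained in the body of a SEQUENCE/SET."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _ber_read(body, pos)
        items.append((tag, val))
    return items


def post_read_request_value(attrs):
    """AttributeSelection ::= SEQUENCE OF OCTET STRING (the request control value)."""
    return _ber_tlv(0x30, b"".join(_ber_tlv(0x04, a.encode()) for a in attrs))


def parse_post_read_response(value):
    """Decode SearchResultEntry { objectName LDAPDN, attributes PartialAttributeList }.

    Returns (dn, {attribute_type_lowercased: [values]}).
    """
    tag, body, end = _ber_read(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("response control value is not a single SEQUENCE")
    (dn_tag, dn), (list_tag, attr_list) = _ber_items(body)
    if dn_tag != 0x04 or list_tag != 0x30:
        raise ValueError("malformed SearchResultEntry")
    entry = {}
    for _, partial_attr in _ber_items(attr_list):       # PartialAttribute
        (_, atype), (_, vals) = _ber_items(partial_attr)  # type, SET OF value
        entry[atype.decode().lower()] = [v.decode() for _, v in _ber_items(vals)]
    return dn.decode(), entry


def decode_sample_response():
    return parse_post_read_response(base64.b64decode(SAMPLE_RESPONSE_B64))


def is_autogenerate_request(dn, attrs):
    """Gate a regular user's add must pass: the RDN and every ipaUniqueID value
    must be the placeholder, so the server, not the user, picks the ID."""
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_attr.strip().lower() != "ipauniqueid" or rdn_val.strip().lower() != AUTOGENERATE:
        return False
    values = [v for k, vs in attrs.items() if k.lower() == "ipauniqueid" for v in vs]
    return bool(values) and all(v.lower() == AUTOGENERATE for v in values)


if __name__ == "__main__":
    print("request control", POST_READ_OID, post_read_request_value(["ipauniqueid"]).hex())
    dn, entry = decode_sample_response()
    print("server-chosen DN:", dn)
    print("ipauniqueid:", entry["ipauniqueid"][0])
    base = "cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan"
    print(is_autogenerate_request("ipaUniqueID=autogenerate," + base, {"ipaUniqueID": ["autogenerate"]}))
    print(is_autogenerate_request("ipaUniqueID=mytoken," + base, {"ipaUniqueID": ["mytoken"]}))
```

The decoder only accepts the structure RFC 4527 specifies and rejects anything else, which is the right default for data that arrives in a server control. The gate checks both the RDN and the attribute values because an LDIF can carry a different ipaUniqueID in the body than in the DN; a server-side rule needs to cover both.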
There are now patches posted which solve the majority of this issue: https://www.redhat.com/archives/freeipa-devel/2014-October/msg00235.html
If these patches are merged, all that remains is:
These were too big changes for 4.1, see the "[HELP] Regular users should not be able to add OTP tokens with custom name" thread.
So in 4.1, the token name was just hidden from the Web UI to make adding it more difficult:
master: c5f7ca5
ipa-4-1: 0f69e75
In next release, this should be fixed properly.
Processing leftovers from the 4.2 backlog: this ticket was found suitable for consideration in the next big feature release, 4.4.
Metadata Update from @mkosek:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.5 backlog