ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

User is unable to enable OTP #98

Closed zem closed 2 years ago

zem commented 2 years ago

In my mokey instance users can add OTP tokens but are unable to activate OTP on their own; the log shows the following:

time="2021-08-08T16:00:14Z" level=error msg="failed to reset auth types to default" error="ipa: error 2100 - Insufficient access: Insufficient 'write' privilege to the 'ipaUserAuthType' attribute of entry 'uid=test,cn=users,cn=accounts,dc=example,dc=com'." user=test

The funny thing is that the straightforward solution of adding the ipauserauthtype permission to self-service works from within the FreeIPA portal (meaning the user can log in to ipa.example.com and activate two-factor there), but as soon as mokey tries to write that record it gets access denied.

I am running mokey on CentOS 7 connected to a FreeIPA running on CentOS 8.

zem commented 2 years ago

I dug into it more:

The thing that tripped me up was that the change to ipauserauthtype is done by the mokeyapp user and not by the currently logged-in user.

To enable the mokeyapp user to change ipauserauthtype you need to add a permission like "System: Modify Users", of type User, with the extra target filter:

(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=conesphere,dc=cloud))

allowing it to write the ipauserauthtype attribute.

That permission must then be granted to the privilege "User Administrators" (which is the privilege of the role Mokey User Manager).

bleetube commented 2 years ago

@zem Could you provide a step-by-step process for how you resolved this? I'm facing the same issue and I don't quite understand your description of the solution here. Thanks!

bleetube commented 2 years ago

@aebruno can this be re-opened? Seems to be an outstanding issue. I'm assuming the solution is an additional step when setting up the mokeyapp ldap account. Once I understand the fix better, I'd be happy to work on a PR to update the README accordingly.

aebruno commented 2 years ago

@fosstube I re-opened the issue. Any help with docs in the README would be most welcome! I believe the solution to this is currently described in the Install section:

Create a user account and role in FreeIPA with the "Modify users and Reset passwords" privilege. This user account will be used by the mokey application to reset users' passwords. The "Modify Users" permission also needs to have the "ipauserauthtype" attribute enabled.
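A scripted form of the fix zem describes above (a User-type permission that writes only ipauserauthtype, filtered to exclude admins, then attached to the "User Administrators" privilege), added here as an example; it is not part of this thread, the mokey project or its README. It assumes the `ipa` CLI with an admin Kerberos ticket on the host, and the base DN (`BASE_DN`), permission name (`PERM_NAME`) and `MOKEY_SETUP_APPLY` switch are names chosen for this example.

```shell
# Added example: give the mokeyapp service account write access to
# ipaUserAuthType through a dedicated FreeIPA permission.
# Assumes `kinit admin` has been run; IPA, BASE_DN, PERM_NAME are assumptions.
IPA="${IPA:-ipa}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
PERM_NAME="${PERM_NAME:-Mokey: Modify User Auth Type}"
PRIVILEGE="User Administrators"   # privilege behind the Mokey User Manager role

# Extra target filter from the thread: exclude members of the admins group,
# so the mokeyapp account can never change auth types of administrators.
admins_filter() {
    printf '(!(memberOf=cn=admins,cn=groups,cn=accounts,%s))' "$1"
}

# Create a User-type permission that allows writing only ipauserauthtype
# (modelled on "System: Modify Users", but scoped to the single attribute).
add_authtype_permission() {
    "$IPA" permission-add "$PERM_NAME" \
        --type=user \
        --right=write \
        --attrs=ipauserauthtype \
        --filter="$(admins_filter "$BASE_DN")"
}

# Attach the new permission to the privilege already held by mokey's role.
grant_authtype_permission() {
    "$IPA" privilege-add-permission "$PRIVILEGE" --permissions="$PERM_NAME"
}

# Check: the permission lists the attribute and is part of the privilege.
verify_authtype_permission() {
    "$IPA" permission-show "$PERM_NAME" --all | grep -qi 'ipauserauthtype' &&
    "$IPA" privilege-show "$PRIVILEGE" --all | grep -qF "$PERM_NAME"
}

# Apply only when explicitly requested, so the file can also be sourced.
if [ "${MOKEY_SETUP_APPLY:-0}" = "1" ]; then
    add_authtype_permission && grant_authtype_permission && verify_authtype_permission
fi
```

Run it with `MOKEY_SETUP_APPLY=1 BASE_DN='dc=your,dc=domain' sh mokey-authtype-perm.sh`; afterwards the "failed to reset auth types to default" error from the first comment should no longer appear.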