Active User/ OTP disable

Hello People,
We are using privacyIDEA with a local password resolver (/etc/passwd). We are using TOTP for 2FA. I have checked and did not find any way to disable multiple users/tokens assigned to users at a time. I will be very grateful if anyone can provide any way or suggestions regarding this issue. Thanks in advance.

Hello @nasir_reza,
welcome to the community.

You can configure this via an enrollment policy:
https://privacyidea.readthedocs.io/en/latest/policies/enrollment.html#max-token-per-user

Hi,
Thanks for the answer. I wanted to do that for active users. Not for the new users. Is there any policy like the enrollment policy to do the same work?

What are active users?

And what should happen in your opinion if you limited the number of allowed tokens, if a user has more than the allowed number. Which token should be “deleted”?

It is not clear to me, what you really want or expect.

Hello,
Thanks for your reply. Let me explain the scenario as follows:

We are using privacyIDEA to authenticate VPN users using 2FA. By ‘Active Users’ I mean the users who are already enrolled in privacyIDEA and currently using our VPN facility.

We have assigned a single TOTP token to each user and we are using the /etc/passwd file as the resolver.

Now we are exploring if there is any way we can disable multiple users or tokens at a time using any policy or tools in privacyIDEA.

I have checked and found we can disable OTP one by one, which is a long task if I have to disable, say, 100 users. For this I am exploring if there is any way to disable multiple users/tokens at a time.

Hope that clarifies your query. If you need more clarification, let me know please.

You cannot disable users, since privacyIDEA is not a user management system.

Yes, there are ways to disable tokens. The question is how you can identify these “multiple tokens”.
If you have a list of e.g. the serials of the tokens you want to disable, you can disable all those tokens by serial. But your question or idea is too vague.

My last comment is, that you want to take a look at the “privacyidea-token-janitor”.
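
An added example, not part of the thread or privacyIDEA's own code: disabling a list of token serials through privacyIDEA's REST API (`POST /auth` for an admin token, then `POST /token/disable` once per serial). The base URL, the admin credentials, and the one-serial-per-line list format are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_post(url, fields, headers=None):
    """POST form fields and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def read_serials(text):
    """One serial per line; skip blanks, '#' comments and duplicates."""
    seen = []
    for line in text.splitlines():
        serial = line.split("#", 1)[0].strip()
        if serial and serial not in seen:
            seen.append(serial)
    return seen


def get_admin_token(base_url, username, password, post=http_post):
    """POST /auth returns the auth token in result.value.token."""
    body = post(base_url + "/auth", {"username": username, "password": password})
    return body["result"]["value"]["token"]


def disable_tokens(base_url, auth_token, serials, post=http_post):
    """Disable each serial via POST /token/disable; return {serial: outcome}."""
    outcome = {}
    for serial in serials:
        try:
            body = post(base_url + "/token/disable", {"serial": serial},
                        {"Authorization": auth_token})
            result = body.get("result", {})
            # On success, 'value' is the number of tokens the call disabled.
            outcome[serial] = result.get("value", 0) if result.get("status") else "error"
        except (urllib.error.URLError, KeyError, ValueError) as exc:
            outcome[serial] = "error: %s" % exc
    return outcome


if __name__ == "__main__":
    # Constructed sample list; real serials come from your own token export.
    SAMPLE = "TOTP0001A2B3\nTOTP0004D5E6  # left the company\n\nTOTP0001A2B3\n"
    print(read_serials(SAMPLE))
```

The per-serial outcome map makes it easy to review which tokens were actually disabled and which calls failed before VPN access is considered revoked.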

Thanks a lot for your feedback
