I can not upload tokens with the local admin account, created on setup.
I found a few mentions of this, related to policy files. This is my (short) list.
pi-manage policy list
Active  Name                Scope
True    enroll_tokenlabel   enrollment
True    webui1              webui
True    webui_enabletoken   authentication
True    hide_welcome        webui
True    selfservice1        user
From the server documentation:
.. note:: The SUPERUSER_REALM is a list of defined realms where the users
will have administrative rights when logging in to the web UI.
shared Local Admins
In addition to the SUPERUSER_REALM there are local administrators stored in
the database. The following administrators are defined:
The weird thing is: I had this before. It magically resolved by restarting the server (and that on a Linux).
Doesn’t solve the problem now however …
I solved it this time by disabling all my policies and then uploading. That worked, but that can hardly be the solution.
What policy blocks this? I don’t think I have anything from the admin scope …
This is a known issue.
09:32AM - 19 May 20 UTC
02:30PM - 20 May 20 UTC
It seems like token import does not work when no admin policies are defined. The admin gets the error message,...
Type: Known issue
The upload will only work if you define an admin policy. Please note that you need to define an admin policy with roughly all rights as the first policy.
Ah, I missed that. Thank you for your reply.
I was following
"As long as no admin policy is defined all administrators are allowed to do everything."
from the page
https://privacyidea.readthedocs.io/en/latest/policies/admin.html#admin-policies in the documentation…
I still didn’t manage to get this working: if I make a policy for superadmin and tick all boxes, then it is not allowed to do anything anymore for some reason.
For people in the same boat: as a workaround I disable all policies and then I can upload the tokens.
I’m still on 3.3
The admin should be allowed to do “things”. If you are on 3.3, however, you have the import-token bug, which is fixed in 3.3.3, the latest bug-fixing release. 3.4 is the latest feature release.
You could also use pi-manage to export your (admin)-policies and we could take a look.
pi-manage policy p_export
Write it to a file, filter for all admin policies and take a deeper look or post them here.
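Added example, not part of the thread and not privacyIDEA's own code: a small check of whether a `pi-manage policy list` listing contains any admin-scope policy, and whether it is active or merely disabled, which is the condition the replies above tie to the token import error. It assumes the three-column layout pasted in the first post and policy names without whitespace; the script name `check_admin_scope.py` is hypothetical.

```python
import re
import sys

# Constructed sample: the listing pasted in the first post of this thread.
SAMPLE_LISTING = """\
Active Name Scope
True enroll_tokenlabel enrollment
True webui1 webui
True webui_enabletoken authentication
True hide_welcome webui
True selfservice1 user
"""

# One row = Active flag, policy name, scope. Assumes names contain no whitespace.
ROW = re.compile(r"^(True|False)\s+(\S+)\s+(\S+)$")


def parse_policy_list(text):
    """Return (active, name, scope) tuples; header, rulers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append((match.group(1) == "True", match.group(2), match.group(3)))
    return rows


def admin_scope_status(rows):
    """Split admin-scope policy names into active and disabled ones."""
    status = {"active": [], "disabled": []}
    for active, name, scope in rows:
        if scope == "admin":
            status["active" if active else "disabled"].append(name)
    return status


def summarize(rows):
    """One-line verdict on the admin scope for a parsed listing."""
    status = admin_scope_status(rows)
    if status["active"]:
        return "active admin policies: " + ", ".join(status["active"])
    if status["disabled"]:
        return "admin policies exist but are disabled: " + ", ".join(status["disabled"])
    return "no admin-scope policy defined"


if __name__ == "__main__":
    # Pipe real output in: pi-manage policy list | python3 check_admin_scope.py
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(parse_policy_list(text)))
```
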