Admin password and two AD acting as one

Hi,
I’m new to PI. Our company was looking for a new 2FA solution and we decided on PI. Now we have a basically working solution, so thanks for all the good work you do, developers and community; it came in quite handy when solving many things. I have two questions, since there are still a few things that are unclear to me.

  1. Admin password - the password for admin is set as a static password, which can become a problem, for example with a dictionary attack. So I want to ask: is there some way to change the admin password to PIN + TOTP in the webUI? Secondly, admin has access everywhere, while users via the token wizard only have access to TOTP enrollment. We thought about implementing nginx so that certain URLs are accessible only from some IP addresses, but the URL for the admin token list and the basic user token list is the same one. Has anyone tried to solve the same problem? If so, how?

  2. Two AD - we are using Active Directory (AD) for users. We have a policy that we have two identical ADs in case one is down, but when we put them in one domain in PI and create a test TOTP for a user, the TOTP gets assigned to a specific AD, so when we shut down this AD the user can’t sign in. We need to be able to use both seamlessly. Is there a solution for that?

Thanks for all the help and hints.

Sincerely, Filip.

You probably want to look at admin realms. This way you can assign 2nd factors to administrators.

Then you want to look at admin policies.

Do you mean you have two domain controllers of one Active Directory?

Read this:

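To make the "admin realms" and "admin policies" hint concrete, here is an added example (not code from the privacyIDEA project or from the thread) that sets up the policy set such a split needs through privacyIDEA's REST API: admins in an admin realm (assumed to be named adminrealm and listed in SUPERUSER_REALM in pi.cfg) get token list, TOTP enrollment and fail counter reset rights on the user realm (assumed to be named users), bound to an admin subnet (assumed 10.0.5.0/24) through the policy's own client condition, and ordinary users get only the TOTP token wizard. The client condition is the in-product answer to the nginx idea: since the admin and user token lists share one URL, the restriction is attached to the policy, not to the URL.

```python
"""Admin realm policies for privacyIDEA, applied through its REST API.

Added example for this thread, not code from the privacyIDEA project.
Assumed names (not taken from the thread): the admin realm is called
'adminrealm' and is listed in SUPERUSER_REALM in pi.cfg, the AD users
live in a realm called 'users', and admin workstations sit in 10.0.5.0/24.
"""
import json
import sys
import urllib.parse
import urllib.request


def build_policies(admin_realm="adminrealm", user_realm="users",
                   admin_subnet="10.0.5.0/24"):
    """Return (policy name, form parameters) pairs for POST /policy/<name>.

    'client' is the policy's own IP/subnet condition, so the admin rights
    are tied to the admin network inside privacyIDEA instead of by URL
    matching in a reverse proxy (admin and user token lists share one URL).
    """
    return [
        # Admins in the admin realm may list tokens, enroll TOTP and reset
        # fail counters for the user realm, but only from the admin subnet.
        ("helpdesk_from_admin_net", {
            "scope": "admin",
            "action": "tokenlist, enrollTOTP, reset, enable, disable",
            "adminrealm": admin_realm,
            "realm": user_realm,
            "client": admin_subnet,
            "active": "1",
        }),
        # Users may only enroll TOTP through self service ...
        ("selfservice_totp_only", {
            "scope": "user",
            "action": "enrollTOTP",
            "realm": user_realm,
            "active": "1",
        }),
        # ... and the web UI offers them the token wizard for it.
        ("webui_token_wizard", {
            "scope": "webui",
            "action": "tokenwizard",
            "realm": user_realm,
            "active": "1",
        }),
    ]


def encode_form(params):
    """Encode parameters as application/x-www-form-urlencoded bytes."""
    return urllib.parse.urlencode(params).encode()


class PrivacyIDEAClient:
    """Minimal client: POST /auth for a token, then send it as Authorization."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.token = None

    def _post(self, path, params):
        req = urllib.request.Request(self.base_url + path,
                                     data=encode_form(params), method="POST")
        if self.token:
            req.add_header("Authorization", self.token)
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
        result = body.get("result", {})
        if not result.get("status"):
            raise RuntimeError("privacyIDEA error: %s" % result.get("error"))
        return result.get("value")

    def login(self, username, password, realm=None):
        params = {"username": username, "password": password}
        if realm:
            params["realm"] = realm
        self.token = self._post("/auth", params)["token"]

    def set_policy(self, name, params):
        return self._post("/policy/" + urllib.parse.quote(name, safe=""), params)


def main(argv):
    if len(argv) != 4:
        print("usage: %s https://pi.example.com ADMIN_USER ADMIN_PASSWORD" % argv[0])
        return 2
    client = PrivacyIDEAClient(argv[1])
    client.login(argv[2], argv[3])
    for name, params in build_policies():
        client.set_policy(name, params)
        print("set policy", name)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things to check before running it against a real instance: as soon as the first admin-scope policy exists, admins only have the actions some admin policy grants them, so apply this from a session that will keep its rights (an account in the admin realm, connecting from inside the admin subnet), and confirm with a harmless action such as the token list that the client condition matches the address privacyIDEA actually sees (behind a reverse proxy that is the proxy's address unless forwarded headers are trusted).
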
Hi,
thanks for getting back so quickly.

  1. Thanks for the answer, it did help. I have a follow-up question. When admins have PIN + TOTP and someone tries a brute force attack, after let’s say 10 attempts he will inactivate the token. In this case the recovery solution which comes to my mind is to create a new superuser in pi.cfg so we can access PI and reset tokens. Is this the right way?

  2. We have two AD servers which contain the same domain controllers, users and data; they are synced. I see in the documentation that the solution might be not to create two LDAP resolvers but just one with more LDAPs separated by commas, as explained in 5.1. The scenario is that a user has his TOTP token assigned to his name in PI, and this user is from this AD LDAP domain. When the user tries to sign in and one of the two AD servers is down, it will get his info from the second AD and PI will recognize that user and token. So the question is: when more LDAPs are in one LDAP resolver within one domain in PI and a user from this domain enrolls a token, will the token work if one of the AD servers is down?

Thanks.
Filip
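
The follow-up question about one resolver with several comma-separated LDAP URIs comes down to one mechanism, which the added example below simulates (it is not privacyIDEA's resolver code, and the host names in it are made up). A token in privacyIDEA is bound to the resolver name and the user id that resolver returns, not to a particular server address, so what matters is whether the resolver still reaches a working server when the first one in the list is down; my understanding is that privacyIDEA hands such a list to an ldap3 server pool for exactly that. The simulation parses the field, tries the servers in listed order with a bounded connect timeout, and reports which one was used and which were skipped; main() stands in a closed and an open local port for the dead and the live domain controller.

```python
"""Failover through a comma-separated LDAP URI list, simulated with TCP probes.

Added example for this thread, not privacyIDEA's resolver code. It shows
what a value such as 'ldaps://dc1.example.com, ldaps://dc2.example.com'
in the resolver's LDAP URI field has to achieve: a server that is down is
skipped within a bounded time and the next one in the list is used. Host
names are made up; main() uses local sockets as the two domain controllers.
"""
import socket
import threading
from urllib.parse import urlsplit


def parse_uri_list(value):
    """Split the comma-separated field into (scheme, host, port) in listed order."""
    servers = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError("not an LDAP URI: %r" % raw)
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        servers.append((parts.scheme, parts.hostname, port))
    if not servers:
        raise ValueError("empty LDAP URI list")
    return servers


def tcp_probe(host, port, timeout):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(uri_value, timeout=2.0, probe=tcp_probe):
    """Return (server used, servers skipped), taking the first reachable one.

    The explicit timeout is the important part: a powered-off domain
    controller does not refuse connections, it drops them, and without a
    timeout the attempt stalls for the OS's whole SYN retry period (minutes
    on Linux), which from the privacyIDEA side looks like 'user cannot sign in'.
    """
    skipped = []
    for server in parse_uri_list(uri_value):
        _, host, port = server
        if probe(host, port, timeout):
            return server, skipped
        skipped.append(server)
    return None, skipped


def _local_listener():
    """Constructed stand-in for a live domain controller: accepts and closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def main():
    alive = _local_listener()
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))      # take a free port ...
    dead_port = dead.getsockname()[1]
    dead.close()                     # ... and release it, so it refuses connections
    uris = "ldap://127.0.0.1:%d, ldap://127.0.0.1:%d" % (dead_port, alive.getsockname()[1])
    chosen, skipped = first_reachable(uris, timeout=1.0)
    print("URI list:", uris)
    print("skipped: ", skipped)
    print("using:   ", chosen)
    alive.close()


if __name__ == "__main__":
    main()
```

The practical check this suggests for the real setup: after entering both URIs in the resolver, stop the first domain controller (not just the LDAP service, so connections are dropped rather than refused) and time a login; if it succeeds only after a long pause, the resolver's connect timeout is the setting to look at, and if it fails outright, the user id the resolver returns from the second server differs from the one the token was enrolled against.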