Administrators from AD group

Hi,

how can I configure PrivacyIDEA so that some users from certain AD group
have administrator rights?

Hi jmdeking,
thanks a lot for jumping in and your suggestion on this.

Hi psorobka,
You can do this using the SUPERUSER_REALM in pi.cfg.
I think it is well documented at http://privacyidea.readthedocs.io and
there is even a video about
this: https://www.youtube.com/watch?v=4CEHKtzyokw
Subscribe to the channel!
Thanks
Cornelius

On Thursday, 16 February 2017 10:38:32 UTC+1, jmdeking wrote:

I think AD integration for managing privacyidea is not possible. I have a
few local accounts to which I assigned certain policy rights. Trying it
with AD accounts for which I have multiple LDAP resolvers didn't do anything.

I do run privacyidea against FreeIPA, but the idea should work for AD as
well (modulo attribute names).

I have two LDAP resolvers, one for all users and one for admins.
The only difference is the searchfilter:
(memberof=cn=admins,cn=groups,cn=accounts,dc=example,dc=org)

The admin resolver is used in the admin domain, so when I log in as
jochen@admin I have admin rights, but jochen@example.org is a plain
user.

Jochen
The only problem with troubleshooting is that the trouble shoots back.

So that we can find the answers to this later (I haven't verified, but I'm
pretty sure this is what you guys are talking about):

http://privacyidea.readthedocs.io/en/latest/configuration/realms.html#resolver-priority
http://privacyidea.readthedocs.io/en/latest/faq/admins.html

Kris Lou

You received this message because you are subscribed to the Google Groups
“privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/83vasaqcqo.fsf%40jochen.org.
For more options, visit https://groups.google.com/d/optout.

How to (given you are AD *user* inside the AD groups *users* and *admins*)

  1. Create a realm “users” with a resolver which points to the AD “users”
     group (might contain admins as well); this might be the default realm
  2. Create a realm “admins” with a resolver which points to the AD “admins”
     group
  3. Edit /etc/privacyidea/pi.cfg and set SUPERUSER_REALM = ['super',
     'administrators', 'admins']
  4. Restart httpd
  5. Log in as AD *user* - you will be a normal user
  6. Log in as AD *user@admins* - you will be an admin

Done.

You can also create a policy so that on the login page you will have a combo
box with a selection of realms - create a policy with webui scope
and realm_dropbox checked - enter “users admins”.

Voila.

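The two-resolver model Jochen describes above and the six steps of this how-to, as an added Python illustration that is not privacyIDEA's own code: one in-memory AD-style directory, one search filter per realm, and the SUPERUSER_REALM list from pi.cfg deciding who is an admin. The DNs, group names, the sAMAccountName login attribute and the default-realm fallback are assumptions.

```python
# Added illustration of the two-realm admin setup from this thread (not privacyIDEA
# code). Entries, DNs and memberOf values are constructed; login = sAMAccountName.
import re

DIRECTORY = {  # constructed AD-style entries
    "CN=jochen,OU=Users,DC=example,DC=org": {
        "sAMAccountName": "jochen",
        "memberOf": ["CN=users,OU=Groups,DC=example,DC=org",
                     "CN=admins,OU=Groups,DC=example,DC=org"]},
    "CN=alice,OU=Users,DC=example,DC=org": {
        "sAMAccountName": "alice",
        "memberOf": ["CN=users,OU=Groups,DC=example,DC=org"]},
}
# Realm -> resolver search filter (steps 1 and 2); the filter is the only difference.
REALMS = {
    "users": "(memberOf=CN=users,OU=Groups,DC=example,DC=org)",
    "admins": "(memberOf=CN=admins,OU=Groups,DC=example,DC=org)",
}
DEFAULT_REALM = "users"  # assumed: a login without "@realm" lands in this realm
SUPERUSER_REALM = ["super", "administrators", "admins"]  # step 3, pi.cfg

def matches(entry, search_filter):
    """Evaluate one LDAP equality filter such as (memberOf=CN=...)."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", search_filter)
    if not m:
        raise ValueError("only single equality filters are modelled here")
    attr, value = m.groups()
    values = entry.get(attr, [])
    return value in (values if isinstance(values, list) else [values])

def resolve(login):
    """Split user@realm and look the user up through that realm's filter."""
    user, _, realm = login.partition("@")
    realm = realm or DEFAULT_REALM
    if realm not in REALMS:
        return None
    for entry in DIRECTORY.values():
        if entry["sAMAccountName"] == user and matches(entry, REALMS[realm]):
            return user, realm
    return None

def is_admin(login):
    """Steps 5 and 6: admin iff the login resolves inside a SUPERUSER_REALM."""
    resolved = resolve(login)
    return resolved is not None and resolved[1] in SUPERUSER_REALM

def superusers():
    """Audit: every login this configuration would turn into an administrator."""
    return sorted(f"{e['sAMAccountName']}@{r}" for r in SUPERUSER_REALM
                  if r in REALMS for e in DIRECTORY.values() if matches(e, REALMS[r]))
```

superusers() is the check worth running after step 3: it lists every account the admin realm's filter admits, so an over-broad filter shows up before it hands anyone superuser rights.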

Thanks a lot, I didn't know this. Gonna try it.