Hi Sim,
In theory this is right. See my latest email. As far as the empty token type drop down is concerned, this is a UI bug. So using the REST API should work.
Yes, login mode disable will not block the API (afaik).
Local admins can always login. Independent on the login mode.
Kind regards
Cornelius
Cornelius Kölbel
Cornelius.koelbel@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
-------- Original message --------
From: simvirus@gmail.com
Date: 09.05.2016 16:22 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: Re: [privacyidea] Add a second admin for use with a single realm
Hello Cornelius,
currently I have a production server and a development server, both installed with apt-get.
It is not urgent, but can I ask you if this is the correct way? I need a “sub-administrator” for a specific realm to use ONLY with the REST API.
Otherwise I can create a user in that local realm, add a Policy with scope admin for that user (as in my example) and increase security with a webui Policy { “login_mode”: “disable” }.
In this way I’ll block web access, but not the REST/API functions.
With “pi-manage admin add” the user will also be able to connect via the web.
Right?
Thanks again
Sim
On Monday, May 9, 2016 at 3:56:19 PM UTC+2, Cornelius Kölbel wrote:
Hi Sim,
this seems to be due to the fact that the realm of the admin is falsely used
as the user_realm when searching for the policies.
Your admin is in no realm, so a policy with an empty user realm is
searched. But your policy correctly contains realm B.
→ Bug with mixing up admin realm and user realm.
If you are willing to pull the git repo, I will be able to provide a fix
shortly.
Kind regards
Cornelius
On Monday, 09.05.2016, 05:59 -0700, simv...@gmail.com wrote:
Hello!
I need to create a “sub-admin” with administrative power only for a
specific realm.
I’ve created two admin users with “pi-manage admin”.
pi-manage admin list
Name email
admin None
admin_b None
Admin is the standard/full administrator and admin_b is the
administrator for realm “b”.
These are the two policies created:
Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite,
enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite,
updateuser, enable, enrollU2F, manage_machine_tokens, getrandom,
userlist, getserial, radiusserver_write, system_documentation,
caconnectordelete, caconnectorwrite, disable, mresolverdelete,
copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset,
getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items,
enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens,
assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin
Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms,
deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable,
userlist, getserial, disable, reset, getchallenges, losttoken, assign,
delete
realm = b
resolver = b-mysql
user = admin_b
Logging in with “admin” (via WEB) I can manage users/settings, but
NOT:
- Enroll a new token (the list of TOKEN type is NULL)
- Edit the Policy (REPLY: Admin actions are defined, but the action
policywrite is not allowed!)
Logging in with “admin_b” (also via WEB) the options are limited,
but:
admin_b can’t see users of realm “a”, but can create users for that
realm (“a”)!
With the two policies “admin” and “admin_b” removed, they can do everything.
Which is the best setting to create an administrative account for use
with one specific realm by API?
Thank you very much!
Sim
–
Please read the blog post about getting help
For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung
In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.
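The policy-matching bug Cornelius describes above (the admin's own realm being used as the user realm when searching admin policies) can be shown with a small model. This is an added example, not privacyIDEA's code: the two policies are taken from Sim's post with shortened action lists, the matching logic is a simplification, and only the "policywrite is not allowed" symptom is reproduced.

```python
from typing import Optional

# Admin-scope policies as posted in the thread (action lists shortened).
# "user" is the admin account the policy applies to; "realm" is the set of
# user realms that admin may act on (an empty set would mean "any realm").
POLICIES = [
    {"name": "superuser", "scope": "admin", "user": "admin",
     "realm": {"a", "b"},
     "action": {"adduser", "policywrite", "enrollTOTP", "userlist"}},
    {"name": "admin_b", "scope": "admin", "user": "admin_b",
     "realm": {"b"},
     "action": {"adduser", "enrollTOTP", "userlist"}},
]


def matching_policies(admin: str, realm_filter: Optional[str], policies=POLICIES):
    """Admin-scope policies for `admin` whose realm set contains
    `realm_filter`. Local admins created with pi-manage live in no realm,
    so a realm_filter of "" never matches a policy that names realms."""
    hits = []
    for p in policies:
        if p["scope"] != "admin" or p["user"] != admin:
            continue
        if p["realm"] and realm_filter not in p["realm"]:
            continue
        hits.append(p)
    return hits


def is_allowed_buggy(admin: str, admin_realm: str, action: str, target_realm: str) -> bool:
    """Bug from the thread: the admin's own realm is used as the user realm.
    The admin has no realm, nothing matches, every action is denied."""
    return any(action in p["action"] for p in matching_policies(admin, admin_realm))


def is_allowed_fixed(admin: str, admin_realm: str, action: str, target_realm: str) -> bool:
    """Corrected search: the policy realm is matched against the realm of the
    user the action targets; admin_realm is deliberately ignored."""
    return any(action in p["action"] for p in matching_policies(admin, target_realm))


if __name__ == "__main__":
    # Symptom from the post: "admin" cannot edit policies under the bug.
    print(is_allowed_buggy("admin", "", "policywrite", "a"))   # False
    print(is_allowed_fixed("admin", "", "policywrite", "a"))   # True
    # admin_b is confined to realm b once the user realm is matched correctly.
    print(is_allowed_fixed("admin_b", "", "adduser", "a"))     # False
```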