AW: Re: Add a second admin for use with a single realm

Hi Sim,
In theory this is right. See my latest email.
As far as the empty token type drop-down is concerned, this is a UI bug.
So using the REST API should work.
Yes, login mode disable will not block the API (AFAIK).
Local admins can always log in, independent of the login mode.

Kind regards
Cornelius

Cornelius Kölbel
Cornelius.koelbel@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

-------- Original message --------
From: simvirus@gmail.com
Date: 09.05.2016 16:22 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: Re: [privacyidea] Add a second admin for use with a single realm

Hello Cornelius,
Currently I have a production server and a development server, but both installed with apt-get.
It is not urgent, but can I ask you if this is the correct way? I need a “sub-administrator” for a specific realm to use ONLY with REST/API.
Otherwise I can create a user in that local realm, add a policy (scope: admin) for that user (as in my example) and increase security with a policy webui { “login_mode”: “disable” }.
In this way I’ll block web access, but not REST/API functions.
With “pi-manage admin add” the user will also be able to connect to the web UI.
Right?

Thanks again


Sim

On Monday, May 9, 2016 at 3:56:19 PM UTC+2, Cornelius Kölbel wrote:

Hi Sim,

this seems to be due to the fact that the realm of the admin is falsely used as the user_realm when searching for the policies.
Your admin is in no realm, so a policy with an empty user realm is searched. But your policy correctly contains realmB.
→ Bug with mixing up admin realm and user realm.

If you are willing to pull the git repo, I will be able to provide a fix shortly.

Kind regards
Cornelius

On Monday, 09.05.2016 at 05:59 -0700, simv...@gmail.com wrote:

Hello!

I need to create a “sub-admin” with administrative power only for a specific realm.
I’ve created two admin users with “pi-manage admin”.

pi-manage admin list
Name     email
admin    None
admin_b  None

Admin is the standard/full administrator and admin_b is the administrator for realm “b”.

These are the two policies created:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite, enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync, unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser, enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP, enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite, enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite, updateuser, enable, enrollU2F, manage_machine_tokens, getrandom, userlist, getserial, radiusserver_write, system_documentation, caconnectordelete, caconnectorwrite, disable, mresolverdelete, copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset, getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items, enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens, assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms, deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable, userlist, getserial, disable, reset, getchallenges, losttoken, assign, delete
realm = b
resolver = b-mysql
user = admin_b

Logging in with “admin” (via WEB) I can manage users/settings, but NOT:
  • Enroll a new token (the list of TOKEN types is NULL)
  • Edit the policy (REPLY: Admin actions are defined, but the action policywrite is not allowed!)

Logging in with “admin_b” (also via WEB) the options are limited, but:
admin_b can’t see users for realm “a”, but can create users for that realm (“a”)!

After removing the two policies, “admin” and “admin_b” can do everything.

Which is the best setting to create an administrative account for use with one specific realm via the API?

Thank you very much!

Sim

Please read the blog post about getting help

Getting help – privacyID3A.

For professional services and consultancy regarding two factor

authentication please visit

One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT

which suites your needs for SECURITY, AVAILABILITY and LIABILITY:

privacyIDEA Support Level


You received this message because you are subscribed to the Google

Groups “privacyidea” group.

To unsubscribe from this group and stop receiving emails from it, send

an email to privacyidea...@googlegroups.com.

To post to this group, send email to priva...@googlegroups.com.

Visit this group at https://groups.google.com/group/privacyidea.

To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

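The REST-only workflow Sim asks about, written out as an added example for this page (it is not code from the privacyIDEA project or from anyone in the thread). It assumes Sim's setup: a full local admin "admin" and a second local admin "admin_b", both created with `pi-manage admin add`, realm "b" backed by resolver "b-mysql", and a server at an assumed host taken from the PI_URL environment variable; the passwords are read from assumed PI_ADMIN_PW and PI_ADMIN_B_PW variables. The endpoint paths and form parameters (`/auth`, `/policy/<name>`, `/user/`, the raw token in the `Authorization` header) are those of the public privacyIDEA REST API; the helper names are this example's own. The point Cornelius makes still applies: the admin policy, not `login_mode`, is what limits admin_b, and a local admin can still open the web UI, so the realm restriction must hold for both interfaces.

```python
"""
Added example: drive a realm-scoped privacyIDEA admin purely over the REST API.
Not code from the privacyIDEA project. Host, passwords and helper names are
assumptions; endpoint paths and parameters follow the public REST API.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

PI_URL = os.environ.get("PI_URL", "https://pi.example.org")  # assumed host

# Actions for the realm-scoped admin, taken from the "admin_b" policy in the thread.
ADMIN_B_ACTIONS = (
    "set", "revoke", "adduser", "resync", "unassign", "tokenrealms",
    "deleteuser", "enrollTOTP", "enrollREGISTRATION", "updateuser", "enable",
    "userlist", "getserial", "disable", "reset", "getchallenges", "losttoken",
    "assign", "delete",
)


def build_policy_params(actions, realm, resolver, user):
    """Form parameters for POST /policy/<name>. privacyIDEA accepts
    comma-separated strings for action, realm, resolver and user."""
    return {
        "scope": "admin",
        "action": ", ".join(actions),
        "realm": realm,
        "resolver": resolver,
        "user": user,
        "active": "1",
    }


def parse_result(body):
    """Unwrap privacyIDEA's JSON envelope: return result.value on success and
    raise on result.status == false (e.g. a policy error), so a scope
    violation by the sub-admin is never mistaken for an empty result."""
    data = json.loads(body)
    result = data.get("result", {})
    if not result.get("status"):
        err = result.get("error", {})
        raise PermissionError(
            f"privacyIDEA error {err.get('code')}: {err.get('message')}")
    return result.get("value")


def api(method, path, token=None, **params):
    """Send one request. After /auth the token goes verbatim into the
    Authorization header (no 'Bearer' prefix)."""
    data = urllib.parse.urlencode(params).encode() if params else None
    url = PI_URL + path
    if method == "GET" and data:
        url += "?" + data.decode()
        data = None
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_result(resp.read())
    except urllib.error.HTTPError as e:
        # Error responses also carry the JSON envelope; let parse_result raise.
        return parse_result(e.read())


def login(username, password):
    """POST /auth and return the session token for the Authorization header."""
    return api("POST", "/auth", username=username, password=password)["token"]


if __name__ == "__main__":
    # 1. The full admin creates (or overwrites) the realm-scoped policy.
    root = login("admin", os.environ["PI_ADMIN_PW"])
    api("POST", "/policy/admin_b", root,
        **build_policy_params(ADMIN_B_ACTIONS, "b", "b-mysql", "admin_b"))

    # 2. admin_b works inside realm b ...
    sub = login("admin_b", os.environ["PI_ADMIN_B_PW"])
    print("users in realm b:", api("GET", "/user/", sub, realm="b"))

    # ... and an action outside its realm must come back as a policy error.
    try:
        api("POST", "/user/", sub, user="eve", resolver="a-mysql")
        print("WARNING: admin_b could create a user in resolver a-mysql")
    except PermissionError as e:
        print("blocked as expected:", e)
```

The last step is the check Sim's post describes as failing (admin_b creating users in realm "a"): run it after any policy change, because a realm-scoped admin whose policy filters only listing and not creation is not actually confined to its realm.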