AW: Re: Low privilege account for tokens fetch

You have not realm “super” so why do you add it in your almighty policy?Remove it!There is no user “admin” in a realm “super”. This policy will never match.
Try to understand the concept of realms and admin-realms.

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbHHttp://NetKnights. It
+49 561 3166 797-------- Ursprüngliche Nachricht --------Von: Michał Lewandowski Datum: 09.02.17 14:52 (GMT+01:00) An: privacyidea Betreff: [privacyidea] Re: Low privilege account for tokens fetch
Here is also my basic system configuration:
PI_HSM: default
PI_LOGFILE: /var/log/privacyidea/privacyidea.log
PI_AUDIT_KEY_PUBLIC: /etc/privacyidea/public.pem
PI_PEPPER: ZmJrpL6Kx9_fMPhqq9uOLfAi
PI_ENCFILE: /etc/privacyidea/enckey
For security reason we do not display the SQL URI, as it may contain thedatabase credentials.
PI_AUDIT_MODULE: privacyidea.lib.auditmodules.sqlaudit
PI_AUDIT_KEY_PRIVATE: /etc/privacyidea/private.pem
SUPERUSER_REALM: [‘super’, ‘credentials’]
… note:: The SUPERUSER_REALM is a list of defined realms where the users will have administrative rights when logging in to the web UI.
Local Admins------------In addition to the SUPERUSER_REALM there are local administrators stored inthe database. The following administrators are defined:

  • admin
  • webuser
    System Base Configuration-------------------------
    UiLoginDisplayRealmBox: 0
    AutoResync: 0
    splitAtSign: 0
    UiLoginDisplayHelpButton: 0
    timestamp: 1486648120
    ReturnSamlAttributesOnFail: 0
    ReturnSamlAttributes: 1
    PrependPin: 1
    IncFailCountOnFalsePin: 0
    Resolver Configuration----------------------The following resolvers are defined. Resolvers are connections to user stores.To learn more about resolvers read [#resolvers]_.
    admins~~~~~~~~~~~~~~~~~~* Name of the resolver: admins* Type of the resolver: passwdresolver
    fileName: /home/privacyidea/passwd
    Realm Configuration-------------------Several resolvers are grouped into realms.To learn more about realms read [#realms]_.The following realms have been defined from the resolvers:
    administrators~~~~~~~~~~~~~~~* Name of the realm: administrators
    This is the default realm!
    Users in the default realm can authenticate without specifying the realm.Users not in the default realm always need to specify the realm.
    The following resolvers are configured in this realm:
  • Name: admins Priority: None Type: passwdresolver
    Policy Configuration--------------------Policies define the behaviour of privacyIDEA.To learn more about policies read [#policies]_.
    The following policies are defined in your system:
    time: ****
    user: [u’admin’]
    resolver: []
    active: False
    adminrealm: [u’super’]
    condition: 0
    realm: []
    client: []
    check_all_resolvers: False
    action: {u’set’: True, u’revoke’: True, u’adduser’: True, u’enrollSMS’: True, u’policydelete’: True, u’policywrite’: True, u’enrollTIQR’: True, u’configdelete’: True, u’machinelist’: True, u’enrollREMOTE’: True, u’setpin’: True, u’resync’: True, u’unassign’: True, u’tokenrealms’: True, u’enrollSPASS’: True, u’auditlog’: True, u’enrollPAPER’: True, u’deleteuser’: True, u’enrollEMAIL’: True, u’resolverdelete’: True, u’enrollMOTP’: True, u’enrollPW’: True, u’enrollHOTP’: True, u’enrollQUESTION’: True, u’enrollCERTIFICATE’: True, u’copytokenuser’: True, u’configwrite’: True, u’enrollTOTP’: True, u’enrollREGISTRATION’: True, u’enrollYUBICO’: True, u’reset’: True, u’enable’: True, u’enrollU2F’: True, u’manage_machine_tokens’: True, u’getrandom’: True, u’system_documentation’: True, u’caconnectordelete’: True, u’caconnectorwrite’: True, u’disable’: True, u’radiusserver_write’: True, u’getserial’: True, u’enrollRADIUS’: True, u’copytokenpin’: True, u’set_hsm_password’: True, u’updateuser’: True, u’getchallenges’: True, u’enroll4EYES’: True, u’smtpserver_write’: True, u’fetch_authentication_items’: True, u’losttoken’: True, u’enrollYUBIKEY’: True, u’enrollDAPLUG’: True, u’mresolverwrite’: True, u’assign’: True, u’userlist’: True, u’enrollSSHKEY’: True, u’importtokens’: True, u’delete’: True, u’resolverwrite’: True, u’mresolverdelete’: True}
    scope: admin
    time: ****
    user: [u’webuser’]
    resolver: []
    active: False
    adminrealm: [u’super’]
    condition: 0
    realm: []
    client: []
    check_all_resolvers: False
    action: {u’fetch_authentication_items’: True, u’getserial’: True}
    scope: admin
    Machine Configuration---------------------
    Token Configuration-------------------
    CA Configuration----------------
    … [#resolvers]… [#realms]… [#policies]

Please read the blog post about getting help

For professional services and consultancy regarding two factor authentication please visit

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suites your needs for SECURITY, AVAILABILITY and LIABILITY:

You received this message because you are subscribed to a topic in the Google Groups “privacyidea” group.

To unsubscribe from this topic, visit

To unsubscribe from this group and all its topics, send an email to

To post to this group, send email to

Visit this group at

To view this discussion on the web visit

For more options, visit