Re: Low privilege account for tokens fetch

You have no realm “super”, so why do you add it in your almighty policy? Remove it! There is no user “admin” in a realm “super”. This policy will never match.
Try to understand the concept of realms and admin-realms.

Cornelius Kölbel
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
+49 561 3166 797

-------- Original message --------
From: Michał Lewandowski michal.lewandowski1988@gmail.com
Date: 09.02.17 14:52 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: [privacyidea] Re: Low privilege account for tokens fetch
Here is also my basic system configuration:
PI.cfg
------
PI_HSM: default
PI_LOGFILE: /var/log/privacyidea/privacyidea.log
PI_AUDIT_KEY_PUBLIC: /etc/privacyidea/public.pem
PI_PEPPER: ZmJrpL6Kx9_fMPhqq9uOLfAi
PI_ENCFILE: /etc/privacyidea/enckey
For security reason we do not display the SQL URI, as it may contain the database credentials.
PI_AUDIT_MODULE: privacyidea.lib.auditmodules.sqlaudit
PI_LOGLEVEL: 20
PI_AUDIT_KEY_PRIVATE: /etc/privacyidea/private.pem
SUPERUSER_REALM: ['super', 'credentials']

.. note:: The SUPERUSER_REALM is a list of defined realms where the users will have administrative rights when logging in to the web UI.

Local Admins
------------
In addition to the SUPERUSER_REALM there are local administrators stored in the database. The following administrators are defined:

* admin
* webuser

System Base Configuration
-------------------------
UiLoginDisplayRealmBox: 0
AutoResync: 0
splitAtSign: 0
UiLoginDisplayHelpButton: 0
timestamp: 1486648120
ReturnSamlAttributesOnFail: 0
ReturnSamlAttributes: 1
PrependPin: 1
IncFailCountOnFalsePin: 0

Resolver Configuration
----------------------
The following resolvers are defined. Resolvers are connections to user stores. To learn more about resolvers read [#resolvers]_.

admins
~~~~~~
* Name of the resolver: admins
* Type of the resolver: passwdresolver

Configuration
fileName: /home/privacyidea/passwd

Realm Configuration
-------------------
Several resolvers are grouped into realms. To learn more about realms read [#realms]_. The following realms have been defined from the resolvers:

administrators
~~~~~~~~~~~~~~
* Name of the realm: administrators

This is the default realm!
Users in the default realm can authenticate without specifying the realm. Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: admins Priority: None Type: passwdresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA. To learn more about policies read [#policies]_.

The following policies are defined in your system:

almighty_admin
~~~~~~~~~~~~~~
time: ****
user: [u'admin']
resolver: []
active: False
adminrealm: [u'super']
condition: 0
realm: []
client: []
check_all_resolvers: False
action: {u'set': True, u'revoke': True, u'adduser': True, u'enrollSMS': True, u'policydelete': True, u'policywrite': True, u'enrollTIQR': True, u'configdelete': True, u'machinelist': True, u'enrollREMOTE': True, u'setpin': True, u'resync': True, u'unassign': True, u'tokenrealms': True, u'enrollSPASS': True, u'auditlog': True, u'enrollPAPER': True, u'deleteuser': True, u'enrollEMAIL': True, u'resolverdelete': True, u'enrollMOTP': True, u'enrollPW': True, u'enrollHOTP': True, u'enrollQUESTION': True, u'enrollCERTIFICATE': True, u'copytokenuser': True, u'configwrite': True, u'enrollTOTP': True, u'enrollREGISTRATION': True, u'enrollYUBICO': True, u'reset': True, u'enable': True, u'enrollU2F': True, u'manage_machine_tokens': True, u'getrandom': True, u'system_documentation': True, u'caconnectordelete': True, u'caconnectorwrite': True, u'disable': True, u'radiusserver_write': True, u'getserial': True, u'enrollRADIUS': True, u'copytokenpin': True, u'set_hsm_password': True, u'updateuser': True, u'getchallenges': True, u'enroll4EYES': True, u'smtpserver_write': True, u'fetch_authentication_items': True, u'losttoken': True, u'enrollYUBIKEY': True, u'enrollDAPLUG': True, u'mresolverwrite': True, u'assign': True, u'userlist': True, u'enrollSSHKEY': True, u'importtokens': True, u'delete': True, u'resolverwrite': True, u'mresolverdelete': True}
scope: admin

login
~~~~~
time: ****
user: [u'webuser']
resolver: []
active: False
adminrealm: [u'super']
condition: 0
realm: []
client: []
check_all_resolvers: False
action: {u'fetch_authentication_items': True, u'getserial': True}
scope: admin

Machine Configuration
---------------------
TODO

Token Configuration
-------------------
TODO

CA Configuration
----------------
TODO

.. [#resolvers] http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms] http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies] http://privacyidea.readthedocs.org/en/latest/policies/index.html
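As an added illustration (not code from privacyIDEA or from either poster), a reduced Python model of how an admin-scope policy is matched against the administrator calling the API, applied to the `login` policy from the quoted configuration. It assumes, as a simplification, that an empty `user` or `adminrealm` list means "any" and that local administrators stored in the database belong to no realm.

```python
# Added illustration (not privacyIDEA's own code): a reduced model of how an
# admin-scope policy is matched against the administrator calling the API.
# Assumptions: an empty user/adminrealm list means "any"; local administrators
# stored in the database belong to no realm (admin_realm is None).
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    action: dict
    scope: str = "admin"
    active: bool = True
    user: list = field(default_factory=list)
    adminrealm: list = field(default_factory=list)


def why_no_match(policy, admin_name, admin_realm, action):
    """Return the reasons why `policy` does not grant `action` to the given
    administrator; an empty list means the policy matches."""
    reasons = []
    if not policy.active:
        reasons.append("policy is inactive")
    if policy.scope != "admin":
        reasons.append("scope is not admin")
    if policy.user and admin_name not in policy.user:
        reasons.append(f"user {admin_name!r} not in {policy.user}")
    if policy.adminrealm and admin_realm not in policy.adminrealm:
        reasons.append(f"admin realm {admin_realm!r} not in {policy.adminrealm}")
    if not policy.action.get(action):
        reasons.append(f"action {action!r} not granted")
    return reasons


# The "login" policy as posted: inactive and bound to the admin realm "super".
LOGIN_POSTED = Policy(name="login", active=False, user=["webuser"],
                      adminrealm=["super"],
                      action={"fetch_authentication_items": True, "getserial": True})

# Corrected variant: activated, and the admin realm that does not exist as a
# defined realm removed, so it matches the local administrator "webuser".
LOGIN_FIXED = Policy(name="login", user=["webuser"],
                     action={"fetch_authentication_items": True, "getserial": True})


if __name__ == "__main__":
    for pol in (LOGIN_POSTED, LOGIN_FIXED):
        # "webuser" is a local admin from the database, hence realm None
        print(pol.name, why_no_match(pol, "webuser", None, "fetch_authentication_items"))
```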

Please read the blog post about getting help

https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor authentication please visit

https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suits your needs for SECURITY, AVAILABILITY and LIABILITY:

https://netknights.it/en/leistungen/service-level-agreements/


You received this message because you are subscribed to a topic in the Google Groups “privacyidea” group.


To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/a2854303-58fd-45b9-a8b9-ce3d6e0aef67%40googlegroups.com.
