BUG? passOnNoUser and passOnNoToken (privacyIDEA 2.11.2)

Hello!
I’m using privacyIDEA 2.11.2.

With passOnNoUser and passOnNoToken set, this is the result:

Reply-Message = “ERR905: The user can not be found in any resolver in this
realm!” if the user is not present…

or

Reply-Message = “privacyIDEA access granted” also if the user is present
and has a token assigned!

Is it a bug?
Could you help me?

Regards
Sim

Hi Sim,

can you please describe

  • your settings,
  • what you are doing and
  • the effects you get in more detail?

I don’t quite get your problem.

Thanks a lot
Cornelius


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/de8f2ff8-c02e-4de9-8415-5bfb171b18c2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hello Cornelius,
thank you for the quick reply! :-)

The settings are really simple.

REALMS:
business -> business-mysql [] (sqlresolver)

USERS:
business-mysql -> sqlresolver (local DB/TABLE)

POLICIES:
business_authentication -> authentication { "passOnNoUser": true,
"passOnNoToken": true } [ "business" ] [] [ "business-mysql" ] []

I have an external application (with local accounts, user/pass).
For login, "user, password and otp (optional)" are requested.
The OTP is checked outside that system (privacyIDEA in this case) with a
POST/JSON query (user/token).
I would not want to create all users in privacyIDEA, and I need a "true"
reply for no-user (in the sqlresolver) and no-token (created users but
without OTP).

Enabling "passOnNoUser: true" and "passOnNoToken: true", privacyIDEA replies:

access granted if the user is present (ok!),
ERR905 if the local user is not present (why?),
access granted if the user is present with token but bad token (why?)

Thank you again!

Sim
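
The decision table Sim lays out in the message above (an unknown user and a user without a token pass only because the two policies say so; a user who does have a token must still present a valid OTP) can be turned into a regression check that an operator runs against a privacyIDEA instance before and after an update. The following is an added example written for this page; it is not code from the thread or from the privacyIDEA project. Its offline part compares constructed JSON replies, modelled on the shape of the /validate/check response (`result.status`, `result.value`, `error.code`) and mirroring the three outcomes reported on 2.11.2, against the intended policy semantics. The `validate_check` helper for querying a live server, the function names and the scenario labels are this example's own assumptions.

```python
"""Regression check for the passOnNoUser / passOnNoToken expectations from
the thread.  Added example, not privacyIDEA project code.  Reply shapes are
modelled on the /validate/check JSON response (result.status, result.value,
error.code); every sample reply below is constructed to mirror the outcomes
reported on 2.11.2, not captured from a real server."""
import json
import urllib.error
import urllib.parse
import urllib.request


def expected_outcome(user_exists, has_token, otp_ok,
                     pass_on_no_user=True, pass_on_no_token=True):
    """Intended semantics as described in the thread: an unknown user or a
    user without a token passes only when the matching policy is set; a
    user who does have a token must always present a valid OTP."""
    if not user_exists:
        return "granted" if pass_on_no_user else "denied"
    if not has_token:
        return "granted" if pass_on_no_token else "denied"
    return "granted" if otp_ok else "denied"


def classify_response(reply):
    """Map a /validate/check JSON reply to 'granted', 'denied' or
    'error:<code>' (the ERR905 case arrives as status=false plus error.code)."""
    result = reply.get("result", {})
    if not result.get("status", False):
        code = reply.get("error", {}).get("code")
        return "error:%s" % code if code is not None else "error"
    return "granted" if result.get("value") else "denied"


def satisfies(want, got):
    """A denial is satisfied by any non-grant (an error reply included);
    a grant must be an actual grant."""
    return got == "granted" if want == "granted" else got != "granted"


# The three scenarios from the thread, in the order Sim reported them.
SCENARIOS = [
    ("known user, token, good OTP",
     dict(user_exists=True, has_token=True, otp_ok=True)),
    ("unknown user",
     dict(user_exists=False, has_token=False, otp_ok=False)),
    ("known user, token, bad OTP",
     dict(user_exists=True, has_token=True, otp_ok=False)),
]

# Constructed replies mirroring what was observed on 2.11.2 with both
# policies enabled: the unknown user got ERR905 and the bad OTP got through.
OBSERVED_2_11_2 = {
    "known user, token, good OTP": {
        "result": {"status": True, "value": True},
        "detail": {"message": "privacyIDEA access granted"}},
    "unknown user": {
        "result": {"status": False, "value": False},
        "error": {"code": 905, "message": "ERR905: The user can not be "
                  "found in any resolver in this realm!"}},
    "known user, token, bad OTP": {
        "result": {"status": True, "value": True},
        "detail": {"message": "privacyIDEA access granted"}},
}


def find_mismatches(observed, pass_on_no_user=True, pass_on_no_token=True):
    """Return [(scenario, expected, observed)] for each scenario whose reply
    does not satisfy the intended outcome under the given policy settings."""
    mismatches = []
    for name, case in SCENARIOS:
        want = expected_outcome(pass_on_no_user=pass_on_no_user,
                                pass_on_no_token=pass_on_no_token, **case)
        got = classify_response(observed[name])
        if not satisfies(want, got):
            mismatches.append((name, want, got))
    return mismatches


def validate_check(base_url, user, otp, realm=None, timeout=10):
    """Query a live server's /validate/check (user, pass and realm are the
    endpoint's parameter names; base_url is yours).  Assumption: error
    replies such as ERR905 come with a non-2xx HTTP status but still carry
    the JSON body, so the body is parsed in both branches.  Not used by the
    offline part of this example."""
    form = {"user": user, "pass": otp}
    if realm:
        form["realm"] = realm
    req = urllib.request.Request(base_url.rstrip("/") + "/validate/check",
                                 data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode())


if __name__ == "__main__":
    for name, want, got in find_mismatches(OBSERVED_2_11_2):
        print("%-28s expected %-8s got %s" % (name, want, got))
```

Running the module prints the scenarios whose replies do not match the intended outcome; on the constructed 2.11.2 replies those are the unknown-user error and, the one that matters for security, the grant on a bad OTP. An error reply is accepted wherever a denial is expected, because the property an operator cares about is that no scenario other than a valid OTP ends in `granted`; to check a real deployment, feed `validate_check` replies for test accounts into `find_mismatches` in place of the constructed dictionary.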

Hi Sim,

I will create a test case for this and come back to you.

Kind regards
Cornelius

Thank you Cornelius! :-)

Sim

Hello Sim,

congratulations and thanks a lot!
You found a severe bug, for which we just released the advisory and
fix/update.
Please read here:
https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/

Kind regards
Cornelius

Hello Cornelius,
Excuse me for the delay, but I was out of the office.
Thank you very much for the quick support and fix!
I’ve performed the testing now and it works as expected.

Best Regards

Sim

Hi Sim,

thanks a lot for the feedback.

Kind regards
CorneliusAm Donnerstag, den 05.05.2016, 12:10 -0700 schrieb simvirus@gmail.com:

Hello Cornelius,
excuse me for delay but I was out of office.
Thank you very much to your for the quick support and fix!
I’ve performed the testing now and it works as expected.

Best Regards

Sim

On Wednesday, May 4, 2016 at 2:52:41 PM UTC+2, Cornelius Kölbel wrote:
Hello Sim,

    congratulations and thanks a lot! 
    You found a severe bug, for wich we just released the advisory
    and 
    fix/update. 
    Please read here: 
    https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/ 
    
    Kind regards 
    Cornelius 
    
    
    On Tuesday, 03.05.2016, 05:19 -0700, simv...@gmail.com wrote:
    > Thank you Cornelius! :-)
    >
    > Sim
    >
    > On Tuesday, May 3, 2016 at 2:10:41 PM UTC+2, Cornelius Kölbel wrote:
    > > Hi Sim,
    > >
    > > I will create a test case for this and come back to you.
    > >
    > > Kind regards
    > > Cornelius
    > >
    > > On Tuesday, 03.05.2016, 04:46 -0700, simv...@gmail.com wrote:
    > > > Hello Cornelius,
    > > > thank you for the quick reply! :-)
    > > >
    > > > The settings are really simple.
    > > >
    > > > REALMS:
    > > > business -> business-mysql [] (sqlresolver)
    > > >
    > > > USERS:
    > > > business-mysql -> sqlresolver (local DB/TABLE)
    > > >
    > > > POLICIES:
    > > > business_authentication -> authentication { "passOnNoUser": true, "passOnNoToken": true } [ "business" ] [] [ "business-mysql" ] []
    > > >
    > > > I've an external application (with local accounts user/pass).
    > > > For login, "user, password and otp (optional)" are requested.
    > > > The OTP will be checked outside that system (privacyIDEA in this case) with a POST/json query (user/token).
    > > > I would not want to create all users in privacyIDEA, and I need a "true" reply for no-user (in the sqlresolver) and no-token (created users but without OTP).
    > > >
    > > > Enabling "passOnNoUser: true" and "passOnNoToken: true", privacyIDEA replies:
    > > >
    > > > access granted if the user is present (ok!),
    > > > ERR905 if the local user is not present (why?),
    > > > access granted if the user is present with token but bad token (why?)
    > > >
    > > > Thank you again!
    > > >
    > > > Sim
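The setup Sim describes in the quoted exchange above (one realm backed by an SQL resolver, an authentication policy with passOnNoUser and passOnNoToken, and an external application posting user and OTP to privacyIDEA) boils down to a small decision procedure, and the three replies Sim observed are exactly the three branches of it. The Python model below is an added example written for this page; it is not privacyIDEA's code and not the fix from the linked advisory, whose root cause is not reproduced here. The realm, resolver, user names, the HOTP token (using the RFC 4226 reference secret so the expected OTPs are known) and every message except ERR905 are constructed for illustration. The point it makes is the ordering: a pass-through policy is consulted only in the branch where its precondition holds (no user, or no token), and a failed OTP check for a user who does have a token never falls back to the policy.

```python
"""Decision model for privacyIDEA-style passOnNoUser / passOnNoToken policies.

Added example for this thread; not privacyIDEA's own code and not the fix from
the advisory. Realm, resolver, users, the HOTP token and all messages except
ERR905 are constructed here for illustration.
"""
import hashlib
import hmac
import struct

# Taken from the thread: the reply privacyIDEA gives for an unknown user.
ERR905 = "ERR905: The user can not be found in any resolver in this realm!"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def demo_store():
    """Constructed sample data mirroring Sim's layout: one realm, one SQL-style
    resolver, two users, one HOTP token. Returned fresh on every call so HOTP
    counters are not shared between runs."""
    return {
        "realms": {"business": ["business-mysql"]},
        "resolvers": {"business-mysql": {"alice", "bob"}},
        # RFC 4226 reference secret: counters 0, 1, ... give 755224, 287082, ...
        "tokens": {"alice": {"secret": b"12345678901234567890", "counter": 0}},
    }


def find_user(store, login, realm):
    """Return the resolver that knows `login` within `realm`, or None."""
    for resolver in store["realms"].get(realm, []):
        if login in store["resolvers"].get(resolver, set()):
            return resolver
    return None


def check_user_pass(store, login, realm, otp, policy, window=10):
    """Return (granted, message) for a login/OTP pair under `policy`.

    The order of the checks is the whole point: passOnNoUser is consulted
    only when no resolver knows the user, passOnNoToken only when the user
    has no token. Once a token exists the OTP must verify; a wrong OTP never
    falls back to the policy. That fallback is the third outcome Sim reports
    (access granted with a bad token), which a correct evaluation must refuse.
    """
    if find_user(store, login, realm) is None:
        if policy.get("passOnNoUser"):
            return True, "unknown user accepted by passOnNoUser"
        return False, ERR905

    token = store["tokens"].get(login)
    if token is None:
        if policy.get("passOnNoToken"):
            return True, "user without token accepted by passOnNoToken"
        return False, "user has no token assigned"

    # A token exists: only a matching OTP within the look-ahead window passes.
    for c in range(token["counter"], token["counter"] + window):
        if hmac.compare_digest(hotp(token["secret"], c), otp):
            token["counter"] = c + 1  # consume it so the same OTP cannot be replayed
            return True, "OTP verified"
    return False, "wrong OTP value"


if __name__ == "__main__":
    store = demo_store()
    policy = {"passOnNoUser": True, "passOnNoToken": True}
    cases = [
        ("carol", "000000"),                          # not in any resolver
        ("bob", "000000"),                            # present, no token
        ("alice", "000000"),                          # present, token, wrong OTP
        ("alice", hotp(b"12345678901234567890", 0)),  # present, token, right OTP
    ]
    for login, otp in cases:
        print(login, otp, check_user_pass(store, login, "business", otp, policy))
```

With both policy flags set, the model grants "carol" (unknown) and "bob" (no token) and rejects "alice" with a wrong OTP, which is the behaviour Sim expected and the behaviour the 2.11.2 bug broke for the third case. When verifying a patched deployment, send the same three inputs to privacyIDEA's /validate/check endpoint and confirm that the existing-user-with-token-and-wrong-OTP case is rejected regardless of the policy; the first two cases only tell you the policy is active, the third tells you it is not bypassing the token check.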