thanks a lot for your feedback.
This is your chance to help to improve the docs.
At which part were you expecting this information, so I can add it?
The difference is the following:
The admin-realm would be the realm of the administrator, for whom this
policy fits. The user-realm is the realm of users, the administrator is
allowed to manage.
Assume you have created a realm and defined this realm to be
Then logging in as sergey@admin would give you the role=admin.
Assume you connect to the same LDAP with a realm “users”, then logging
in as sergey@users would link to the same LDAP object but would give you
What is a difference between Admin-realm and User-realm within the
Let’s say I want to be able to log in as admin into PI using my LDAP
username and “@admin” suffix appended. I’m creating
- user ID resolver which filters only my username
- realm “admin” and link it to this resolver
in “/etc/privacyidea/pi.cfg” comment
#SUPERUSER_REALM = ['super'],
SUPERUSER_REALM = ['admin']
4) Create a scope admin policy and specify there “admin” as a value
Correct this far. Then your user in this realm would get the role=admin,
when logging in.
There’s a problem. In the Admin-realm list I still have only “super”
The pi.cfg is only read when restarting the Apache server.
Then, I include actions, and need to specify a User-realm. Why if I
have already been asked about Admin-realm?
As mentioned above: the admin realm only defines that this policy is
valid for YOUR admin. Assume there are other admins. This policy would
not be for them.
And then I also need to specify resolver. Why again if I already
specified User-realm which already linked to the user-resolver needed?
You do not need to specify the resolver. This is optional.
Then the Admin field. What is this for? To include the PI-internal
admin users to this policy only?
These are admin usernames. If you want to split this down to admin
I hope this helps to shed some light.
And I would really appreciate a hint about the location for improving
…if it is some other place than the top level policy documentation.
Cornelius

On Sunday, 10.01.2016, 08:48 -0800, Sergey Kolosovski wrote:
Or it could be used somehow to filter users from the user-resolver
which are able to log into this realm?
Could someone assist, because I read the docs and didn’t catch the