Help with sms token enrollment and smsotp challenge response

Hi guys,

I need help with doing mass enrollment of SMS tokens for users. I manage
to add users singly, but I need to add a couple hundred users and
create SMS tokens for each of them. I’m using Ubuntu 14.04 and installed
privacyIDEA using sudo apt-get install privacyidea.

Also can anyone point me in the right direction for doing a proper smsotp
challenge response authentication using. More specifically the check for
result status & value to be true.

Thanks!
Haiks

Thanks Cornelius,

Would the enrollment process be different using sqlresolver? I’m getting
my users and phone numbers from a MySQL database.

I’m writing the PHP page for the authentication, and using form method post
and file_get_contents() I can do step 1 and trigger the SMS sending, but I’m
having difficulty with the second step of authenticating as you mentioned.
Sorry if I’m unclear, still very new to this.

Thanks again,

Haiks

Thanks Cornelius,

You have been most helpful! Another question, I see this error in the
privacyidea.log file in /var/log

2015/01/13 - 17:13:51 ERROR {140110506989312} [privacyidea.lib.policy][check_auth_serial #2455] {}
2015/01/13 - 17:13:51 ERROR {140110506989312} [privacyidea.lib.policy][check_auth_serial #2459] No policy scope=authorize, action=serial for user u'USER', realm u'REALM', client 'IPADDRESS'

Is there some policy that I haven’t set properly?

Thanks

Haiks

On Tuesday, January 19, 2016 at 2:23:50 PM UTC+2, Cornelius Kölbel wrote:

    Do you mean you want the mobile phone number dynamically to be looked up
    whenever an SMS is to be sent?

Yes, exactly.

I think these are two different kinds of ideas or requirements.

Yes, you may leave the HR department out of the loop as far as IT is
concerned. But imagine this: The HR department “accidentally” changing the
mobile number of a user. Thus they will break the IT functionality.
After all, they are responsible for the authentication to work properly,
since they are responsible for assigning the right SMS token (a.k.a.
mobile number) to the users :wink:

The 2nd thought still has the HR department responsible for
authentication but it is a technically nice idea having all users simply
have an SMS token.

But you can do this today by running a script using the REST API like
this:

  1. find all users without a token
  2. assign an SMS token to those users

Helping with such integrations and automations is one part of the
services that NetKnights provides.
https://netknights.it/en/leistungen/one-time-services/

Kind regards
Cornelius

On Tuesday, 19.01.2016, 06:38 -0800, MKS wrote:

    All users' personal info is stored in LDAP, it may or may not be
    changed, but it’s good when this information is stored in one central
    place.
    Also it’s better to keep HR persons away from IT systems, and if we
    force them “to do their work twice” they will be very unhappy. )
    Moreover, I think it would be good to have one universal SMS token
    for all users within realm (in addition to the present SMS token
    scheme), so all new users would be able to use SMS tokens immediately
    after creation, without any actions from the privacyIDEA admins' side.

    On Tuesday, January 19, 2016 at 3:30:41 PM UTC+2, Cornelius Kölbel wrote:

        Why?

        Do the mobile numbers of the users change so often?
        Do you have so many users, so that you want the HR to handle this?

        In this case an HR employee could simply change the mobile number and
        reroute authentication to any other mobile phone.

        I just want to understand your needs and intention.

        Kind regards
        Cornelius

Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
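
Added example, not part of Cornelius's message and not privacyIDEA or NetKnights code: the two steps he describes (find users without an SMS token, assign one) as an offline planning function that goes slightly further by skipping users with no usable mobile number and reporting tokens whose enrolled number no longer matches the directory. The sample records, their field names, and the `/token/init` parameter names (`type`, `user`, `realm`, `phone`, `genkey`) are assumptions; check them against the REST API documentation of the installed version.

```python
import re

# Constructed sample data (not from the thread). The field names are
# assumptions about what a user listing and a token listing contain.
USERS = [
    {"username": "alice", "mobile": "+49 151 0000001"},
    {"username": "bob", "mobile": "+49 151 0000002"},
    {"username": "carol", "mobile": ""},               # no number in directory
    {"username": "dave", "mobile": "0151-0000004"},
    {"username": "erin", "mobile": "call reception"},  # junk value
]
TOKENS = [
    {"serial": "SMS0001", "type": "sms", "user": "bob", "phone": "+491510000002"},
    {"serial": "HOTP0001", "type": "hotp", "user": "dave", "phone": None},
    {"serial": "SMS0002", "type": "sms", "user": "alice", "phone": "+491519999999"},
]

def normalize(number):
    """Strip separators; return None unless 6-15 digits with optional '+'."""
    compact = re.sub(r"[\s\-()/.]", "", number or "")
    return compact if re.fullmatch(r"\+?\d{6,15}", compact) else None

def plan_enrollment(users, tokens, realm):
    """Step 1: find users without an SMS token. Step 2: build init requests."""
    enrolled = {t["user"]: t for t in tokens if t["type"] == "sms"}
    plan = {"enroll": [], "skipped": [], "drift": []}
    for user in users:
        name, phone = user["username"], normalize(user.get("mobile"))
        token = enrolled.get(name)
        if token is not None:
            # The number was copied at enrollment; report a changed directory
            # entry for review instead of silently following it.
            if phone != normalize(token["phone"]):
                plan["drift"].append((name, token["serial"]))
        elif phone is None:
            plan["skipped"].append(name)
        else:
            # Assumed parameters of a POST to /token/init.
            plan["enroll"].append({"type": "sms", "user": name, "realm": realm,
                                   "phone": phone, "genkey": 1})
    return plan

if __name__ == "__main__":
    for key, items in plan_enrollment(USERS, TOKENS, "REALM").items():
        print(key, items)
```

The "drift" list is the place where the rerouting concern raised in this thread becomes visible: a directory number that differs from the enrolled one is surfaced for an administrator rather than applied automatically.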


On Tuesday, 19.01.2016, 04:21 -0800, MKS wrote:

    Hello,

    On Friday, January 9, 2015 at 10:28:54 AM UTC+2, Cornelius Kölbel wrote:

        it does not matter if the users are located in a file, ldap,
        sql or scim.

    Currently we have all users' phone numbers in LDAP, these records are
    managed by HR dep, so data is always in actual state.
    Is it possible to use phone number from LDAP record for user instead
    of hardcoding it for SMS tokens?

Hi,

did you check the enrollment of the SMS token?
The phone number gets read from the LDAP during enrollment!

Do you mean you want the mobile phone number dynamically to be looked up
whenever an SMS is to be sent?

Kind regards
Cornelius

