LDAP Resolver with email tokens doesn't use LDAP "mail" attribute

Hi There,

I made an LDAP resolver so everyone can log in to the server and assign an
email token. Only problem is that the email from LDAP is not
automatically filled in.
Is there any way to make this happen?

Kind Regards,
Johan

Hi Johan,

please be more specific about “automatically”.
Please see:
https://www.privacyidea.org/getting-help/

If you configured everything all right you can select one of the multiple
email addresses the user can have in LDAP.

Kind regards
Cornelius

On Monday, 06.06.2016, 07:02 -0700, jmdeking wrote:

Hi There,

I made an LDAP resolver so everyone can log in to the server and
assign an email token. Only problem is that the email from LDAP is
not automatically filled in.
Is there any way to make this happen?

Kind Regards,
Johan

Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/f2864fcc-8e1d-4ce0-ab7a-50cceef815bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel


Hi Johan,

this is not configurable.
We could add an extra policy or setting for this token type to do so.
This would be the same for SMS.
If it is important to you, please state a feature request on github
https://github.com/privacyidea/privacyidea/issues

Or: You can enroll an email token AND an SMS token to each user right
away!

Kind regards
Cornelius

On Monday, 06.06.2016, 07:49 -0700, jmdeking wrote:

I want the user to choose its own authentication method either by SMS
or by email.

But when logging in as an AD user my email address extracted from the
“mail” attribute in LDAP is not automatically filled in the “email
address” field in privacyIDEA when enrolling the token.

For ease of use I want this to be already filled in and I want to lock
it down.


Thanks a lot for your clear response.

How would one go about to enroll email and sms to everyone?

On Monday 6 June 2016 17:11:29 UTC+2, Cornelius Kölbel wrote:

Hi Johan,

this is not configurable.
We could add an extra policy or setting for this token type to do so.
This would be the same for SMS.
If it is important to you, please state a feature request on github
https://github.com/privacyidea/privacyidea/issues

Or: You can enroll an email token AND an SMS token to each user right
away!

Kind regards
Cornelius


I want the user to choose its own authentication method either by SMS or
by email.

But when logging in as an AD user my email address extracted from the “mail”
attribute in LDAP is not automatically filled in the “email address” field
in privacyIDEA when enrolling the token.

For ease of use I want this to be already filled in and I want to lock it
down.

On Monday 6 June 2016 16:10:09 UTC+2, Cornelius Kölbel wrote:

You should consider another approach!
Why should the user enroll an email token himself?

Why don’t you create a script that creates an email token for each user,
who does not already have a token?

In this case you do not need to bother about the user.
You do not need to take care about any misconfiguration, the user may
do!

Kind regards
Cornelius


You can run a cron job and use the REST API
http://privacyidea.readthedocs.io/en/latest/modules/api.html

or the command line client.
https://github.com/privacyidea/privacyideaadm

On Monday, 06.06.2016, 08:23 -0700, jmdeking wrote:

Thanks a lot for your clear response.

How would one go about to enroll email and sms to everyone?

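An added example (not from the thread or from the privacyIDEA project) of the scripted approach suggested above: it plans `/token/init` requests for users who lack an email or SMS token and only accepts mail addresses in an allowed domain. The `/token/init` parameters follow the privacyIDEA REST API; the user and token records, the realm `corp` and the domain `example.com` are constructed assumptions.

```python
"""Plan bulk email/SMS token enrollment from resolver data (added example)."""
import json
import urllib.parse
import urllib.request

ALLOWED_DOMAINS = {"example.com"}  # assumption: the organisation's mail domain


def internal_address(mail, allowed=ALLOWED_DOMAINS):
    """Return the first address in an allowed domain, else None.

    The LDAP "mail" attribute may hold a single value or a list of values.
    """
    for addr in mail if isinstance(mail, list) else [mail]:
        if not isinstance(addr, str) or any(c.isspace() for c in addr):
            continue
        local, sep, domain = addr.rpartition("@")
        # Exactly one "@", a local part, and an exact case-insensitive domain
        # match, so "example.com.other.example" is not treated as internal.
        if sep and local and "@" not in local and domain.lower() in allowed:
            return addr
    return None


def plan_enrollments(users, tokens, realm, allowed=ALLOWED_DOMAINS):
    """Build /token/init payloads for users lacking an email or SMS token."""
    have = {(t["username"], t["tokentype"]) for t in tokens}
    requests, skipped = [], []
    for user in users:
        name = user["username"]
        base = {"user": name, "realm": realm, "genkey": 1}
        if (name, "email") not in have:
            addr = internal_address(user.get("email"), allowed)
            if addr:
                requests.append({**base, "type": "email", "email": addr})
            else:
                skipped.append((name, "no internal mail address"))
        if (name, "sms") not in have and user.get("mobile"):
            requests.append({**base, "type": "sms", "phone": user["mobile"]})
    return requests, skipped


def enroll(base_url, auth_token, payload):
    """POST one payload to /token/init; needs a live server, unused in the demo."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/token/init",
        data=urllib.parse.urlencode(payload).encode(),
        headers={"Authorization": auth_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]["status"]


# Constructed sample data, shaped like resolver user records and a token list.
USERS = [
    {"username": "alice", "email": "alice@example.com", "mobile": "+31600000001"},
    {"username": "bob", "email": ["bob@mail.example", "Bob@Example.com"], "mobile": ""},
    {"username": "carol", "email": "carol@example.com.other.example"},
    {"username": "dave", "email": "dave@example.com", "mobile": "+31600000004"},
]
TOKENS = [{"username": "dave", "tokentype": "email"}]

if __name__ == "__main__":
    todo, skipped = plan_enrollments(USERS, TOKENS, realm="corp")
    for payload in todo:
        print("would enroll:", payload)
    for name, reason in skipped:
        print("skipped:", name, "-", reason)
```

Because the address is taken from the directory and checked by the script, the user never types a destination address, which covers both the pre-fill and the external-domain concern raised in the thread.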

You should consider another approach!
Why should the user enroll an email token himself?

Why don’t you create a script that creates an email token for each user,
who does not already have a token?

In this case you do not need to bother about the user.
You do not need to take care about any misconfiguration, the user may
do!

Kind regards
Cornelius

On Monday, 06.06.2016, 07:05 -0700, jmdeking wrote:

Or make it possible to restrict users from sending email tokens to
external domains outside of our reach.


Or make it possible to restrict users from sending email tokens to external
domains outside of our reach.

On Monday 6 June 2016 16:02:53 UTC+2, jmdeking wrote:

Hi There,

I made an LDAP resolver so everyone can log in to the server and assign an
email token. Only problem is that the email from LDAP is not
automatically filled in.
Is there any way to make this happen?

Kind Regards,
Johan