MFA for Admin Accounts

Hello,
I am trying to set up local admin accounts so that they first have to log in with their normal username/password and then log in with their TOTP token, for example.

This is already set up for normal users and works perfectly. Unfortunately, this policy does not seem to work for admin accounts.

The policy “login_mode: privacyIDEA”
and the further policy
“challenge_response: totp hotp yubikey webauthn | otppin: userstore | reset_all_user_tokens: true”
are configured.
This corresponds exactly to the guidelines for normal users.

What do I have to do differently so that it works like for users?

Kind regards

Please read the docs about admins:

It is not possible to add a 2nd factor to internal admins, since these are not users to privacyIDEA by intended design.
If you want to have admins with a 2nd factor, you need to start with administrative realms.

I have already created a ‘passwdresolver’ with the local users and created the admin realm ‘localuser’ for it. In the pi.cfg the realm is included as a super user realm ‘SUPERUSER_REALM: [localuser]’.

Nevertheless, I have the problems described above. Or have I misunderstood something?

You are not describing your problem in detail.
What are you doing?
What are you expecting?
And what is happening?

I have a hunch what you are trying to do and what happens, but I’d rather let you describe your situation yourself.

Ok.
So first I have my local admin accounts.
For these accounts I have created a ‘passwdresolver’; besides that we have an ‘ldapresolver’.
The ‘passwdresolver’ is connected to the ‘localuser’ realm. The ‘ldapresolver’ is connected to the ‘employees’ realm.
For the ‘employees’ realm we have policies that require all users to authenticate with MFA on the PI WebUI.
So I have copied the policies and changed them for the ‘localuser’ realm. Also I have configured a ‘SUPERUSER_REALM’ in the pi.cfg. In this su_realm I included the ‘localuser’ realm.
What I am expecting is that the local user can authenticate with MFA on the PI WebUI.
But this doesn’t work. I can create tokens for the ‘localuser’, but if I try to log in, the user only needs to log in with username/password.

The passwdresolver does not support otppin=userstore.

But if I am getting it right, if I use otppin=none or otppin=tokenpin I need to authenticate with the “OTP” or with the “OTP PIN” + the “OTP”, but neither of them works.
Or does it generally not work for a passwdresolver?

In your initial post you mentioned otppin=userstore.
The information you are providing appears rather unstructured to me, so this is only guessing and hinting.

You need to debug your problem. If you fail to authenticate, you are most probably missing something in your configuration.

Take a look at the audit log. There you will see the login request (/auth). It will say why an authentication succeeds or why an authentication fails. It will also mention which policies were used. This will give you the clues as to how the privacyIDEA system processed the login request due to your config, and make you realize where the config does not match your expectations/assumptions. It could also be that you are not specifying the user realm during login (learn about “default realm”).
But this is the point where I should stop guessing.
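As an added illustration of the audit-log check described in the last reply (example code written for this page, not part of privacyIDEA or of the thread), the snippet below runs a constructed handful of audit entries, with field names assumed to follow privacyIDEA's audit columns, through a small triage that flags /auth requests which succeeded without any of the expected MFA policies being applied, which is the password-only symptom reported above.

```python
# Constructed sample of privacyIDEA audit entries. The column names (action,
# success, user, realm, resolver, policies, info) are assumed to match the
# audit log; every value is made up for this example.
AUDIT_SAMPLE = [
    # internal admin from pi.cfg: no realm, no resolver, no policy can match
    {"action": "POST /auth", "success": 1, "user": "admin1", "realm": "",
     "resolver": "", "policies": "", "info": "internal admin"},
    # admin realm user: login succeeded but no MFA policy was applied
    {"action": "POST /auth", "success": 1, "user": "localadmin",
     "realm": "localuser", "resolver": "passwdresolver", "policies": "",
     "info": ""},
    # same user after the policies match: challenge-response enforced
    {"action": "POST /auth", "success": 0, "user": "localadmin",
     "realm": "localuser", "resolver": "passwdresolver",
     "policies": "localuser_login,localuser_cr", "info": "wrong otp pin"},
    # not a WebUI login, ignored by the triage
    {"action": "POST /validate/check", "success": 1, "user": "jdoe",
     "realm": "employees", "resolver": "ldapresolver",
     "policies": "emp_login", "info": ""},
]


def review_auth_attempts(records, mfa_policies):
    """Return (user, finding) pairs for every /auth entry in records.

    mfa_policies: names of the policies that must be applied for the
    WebUI login to require a second factor (e.g. the login_mode and
    challenge_response policies created for the admin realm)."""
    expected = set(mfa_policies)
    findings = []
    for rec in records:
        if rec.get("action") != "POST /auth":
            continue
        user = rec.get("user", "")
        # the policies column is assumed to be a comma-separated string
        applied = {p for p in rec.get("policies", "").split(",") if p}
        if not rec.get("realm"):
            findings.append((user, "no realm on the request (internal admin "
                                   "or default realm); realm policies cannot match"))
        elif not applied & expected:
            findings.append((user, "password-only success: none of the MFA "
                                   "policies were applied"))
        elif rec.get("success"):
            findings.append((user, "MFA policies applied, login succeeded"))
        else:
            findings.append((user, "MFA policies applied, login failed: "
                                   + rec.get("info", "")))
    return findings
```

Feed it the exported audit rows of the failing login and the names of the policies you copied for the admin realm; an entry in the second category is the one whose policy conditions (realm, resolver, user, client) need to be compared against the request.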