Migrate a user token from one resolver to another within the same realm.

Hi,

Several resolvers (1 and 2) with different policies were created and used for different Active Directory (AD) groups. Logic based on resolver priorities was used. If a user is moved to a different resolver, they are left without a token. How can this issue be resolved? (There are many users).

A user in privacyIDEA is identified via the triplet (realm, resolver, userid).

So if “a user is moved” to a different resolver… Wait - you can not move a user to a different resolver. You are creating a new resolver, that finds an object in AD in a different way.

Or you move the user object in AD or change the obejct in AD, so that a diffferent resolver finds this user object.

For privacyIDEA this is still a different user. You might find this counter intuitive. But hey, that is the way privacyIDEA works. And it makes sense in a lot of cases. Thus one object in AD can take different roles in privacyIDEA.

Read 5.2. Realms — privacyIDEA 3.12 documentation and 5.1. UserIdResolvers — privacyIDEA 3.12 documentation .

If there is a place, that does not makes sense, please drop us a note.

Tokens are assigned to users via this triplet. So if one of this changes the new user will have no token assigned.

The token assignment is stored in the table `TokenOwner`.

See 16.3.1. The database model — privacyIDEA 3.12 documentation

There is no ready made way to “migrate” users. You could do this via script on the lib level or directly in the database.

You may also consider asking NetKnights for professional support.