Problem with a User policy

Hello Cornelius!
It seems to be a bug, but maybe I’m wrong…
I try to use the User policies to restrict a user to enroll only HOTP
tokens with the following actions:
{ "otp_pin_contents": "n", "reset": true, "setpin": true, "revoke": true,
"hotp_otplen": "6", "hotp_hashlib": "sha1", "enrollHOTP": true,
"otp_pin_maxlength": "4", "disable": true, "resync": true, "auditlog":
true, "otp_pin_minlength": "4" }
but as a result I, as a user logged into the user realm, am able to enroll sha-256
and sha-512 tokens, with 8-digit hotp_otplen…

It would also be a nice feature to manage the "Generate OTP Key on the Server"
checkbox existence and value as a user policy action.

Hello Sergey,

you are right.
I just pushed a commit on this.

The policies

  • hotp_otplen
  • hotp_hashlib
    only preset the drop down box.

With the above mentioned issue/commit the dropdowns for otplen and
hashlib will not be visible anymore.

And you are right. The “Generate OTP Key on Server” could be controlled
by the policy.

Maybe as a dropdown:

  • allow user to select
  • generate on server
  • enter manually

What do you think?

Kind regards
Cornelius

On Sunday, 10.01.2016, 10:54 -0800, Sergey Kolosovski wrote:

    Hello Cornelius!

    It seems to be a bug, but maybe I'm wrong…
    I try to use the User policies to restrict a user to enroll only HOTP
    tokens with the following actions:
    { "otp_pin_contents": "n", "reset": true, "setpin": true, "revoke":
    true, "hotp_otplen": "6", "hotp_hashlib": "sha1", "enrollHOTP": true,
    "otp_pin_maxlength": "4", "disable": true, "resync": true, "auditlog":
    true, "otp_pin_minlength": "4" }

    but as a result I, as a user logged into the user realm, am able to enroll
    sha-256 and sha-512 tokens, with 8-digit hotp_otplen…

    It would also be a nice feature to manage the "Generate OTP Key on the
    Server" checkbox existence and value as a user policy action.


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/c2a0ffb9-8da9-41a5-8ec6-56c3639c3d07%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


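The point of Cornelius's reply above is that the user policy actions `hotp_otplen` and `hotp_hashlib` only preset the web UI drop-down, so the values actually sent in the enrollment request are not checked against them and a user can enroll sha-256 or 8-digit tokens regardless. The Python below is an added illustration of what server-side enforcement of such a policy looks like: it is not privacyIDEA's code and does not reproduce the change made for issue #303. The policy dictionary is the action set from Sergey's first post; the function and exception names (`enforce_enrollment`, `enrollment_outcome`, `PolicyViolation`) and the sample requests are constructed for this example.

```python
# Added illustration (not privacyIDEA code): enforce HOTP enrollment
# parameters on the server instead of only presetting the UI drop-down.
# USER_POLICY is the action set from the original post; PolicyViolation,
# enforce_enrollment, enrollment_outcome and SAMPLE_REQUESTS are made up here.

USER_POLICY = {
    "otp_pin_contents": "n", "reset": True, "setpin": True, "revoke": True,
    "hotp_otplen": "6", "hotp_hashlib": "sha1", "enrollHOTP": True,
    "otp_pin_maxlength": "4", "disable": True, "resync": True,
    "auditlog": True, "otp_pin_minlength": "4",
}


class PolicyViolation(Exception):
    """A client-supplied enrollment parameter contradicts the user policy."""


def enforce_enrollment(policy, request):
    """Return the effective enrollment parameters for `request`.

    Policy values are authoritative: a parameter the policy pins is taken
    from the policy, and a client value that differs is rejected instead of
    being accepted (the behaviour the thread reports for sha256 / 8 digits).
    """
    ttype = str(request.get("type", "")).lower()
    # enrollHOTP / enrollTOTP / ... gates the token type itself
    if not policy.get("enroll" + ttype.upper(), False):
        raise PolicyViolation(f"enrolling {ttype!r} tokens is not allowed")
    effective = {"type": ttype}

    # policy action -> request parameter it governs
    pinned = {f"{ttype}_otplen": "otplen", f"{ttype}_hashlib": "hashlib"}
    for action, param in pinned.items():
        wanted = policy.get(action)
        if wanted is None:
            continue  # not pinned by policy; leave to the token type default
        got = request.get(param)
        if got is not None and str(got).lower() != str(wanted).lower():
            raise PolicyViolation(
                f"{param}={got!r} contradicts policy {action}={wanted!r}")
        effective[param] = str(wanted)

    # PIN length limits from otp_pin_minlength / otp_pin_maxlength
    pin = str(request.get("pin", ""))
    lo = int(policy.get("otp_pin_minlength", 0))
    hi = int(policy.get("otp_pin_maxlength", 10**9))
    if not lo <= len(pin) <= hi:
        raise PolicyViolation(f"PIN length {len(pin)} outside [{lo}, {hi}]")
    effective["pin"] = pin
    return effective


def enrollment_outcome(policy, request):
    """Wrap enforce_enrollment for callers that prefer a result tuple."""
    try:
        return ("accepted", enforce_enrollment(policy, request))
    except PolicyViolation as exc:
        return ("rejected", str(exc))


# Constructed sample requests: what the web UI sends with the preset
# drop-down, and what a client can send if it ignores the preset.
SAMPLE_REQUESTS = {
    "ui_default": {"type": "hotp", "otplen": "6", "hashlib": "sha1", "pin": "1234"},
    "bypass_hashlib": {"type": "hotp", "otplen": "6", "hashlib": "sha256", "pin": "1234"},
    "bypass_otplen": {"type": "hotp", "otplen": 8, "hashlib": "sha1", "pin": "1234"},
    "wrong_type": {"type": "totp", "pin": "1234"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, enrollment_outcome(USER_POLICY, req))
```

Only the `ui_default` request is accepted; the two bypass requests are rejected because the policy pins `hotp_hashlib` and `hotp_otplen`, and the TOTP request is rejected because only `enrollHOTP` is granted. Hiding the drop-down, as the fix in the thread does, removes the UI path, but a check like this one is what closes the API path as well.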
Just so you can be sure that I'm using the right realm: "enrollHOTP": true works.
Therefore I can enroll ONLY HOTP tokens, as expected.

    you are right.
    I just pushed a commit on this.
    https://github.com/privacyidea/privacyidea/issues/303
    
    The policies 
    * hotp_otplen
    * hotp_hashlib
    only preset the drop down box.

Awesome!
What is the best option to get the update? To wait for an Ubuntu
package update from the PPA repository, or somehow check out the changes
into our server from GitHub?

    And you are right. The "Generate OTP Key on Server" could be
    controlled by the policy.
    
    Maybe as a dropdown:
    
    * allow user to select
    * generate on server
    * enter manually
    
    What do you think?

I think the one you proposed would be the best option in terms of
intuitiveness and flexibility.

I realized it would be difficult to implement (more than three lines of
code).
So I chose a policy force_generate:

I would recommend waiting for the PPA update.

Kind regards
Cornelius

On Sunday, 10.01.2016, 14:38 -0800, Sergey Kolosovski wrote:



OK, if this policy can be enabled for HOTP tokens as well.

…of course both.
A policy for each token type.

Kind regards
Cornelius

On Monday, 11.01.2016, 03:56 -0800, Sergey Kolosovski wrote:

    OK, if this policy can be enabled for HOTP tokens as well.


Good! Thank you, I will wait for the further package updates.