Seeing User Resolver in Token Enrollment


I'm restructuring some existing privacyIDEA systems while upgrading from 3.2 and wanted to give myself the possibility to filter by realm and resolver better.

Now I have some tokens I have to import or create before I have them in the database or don't know the user yet.

When I have multiple resolvers checking the same AD/LDAP and a user is in multiple groups and therefore shows up in multiple resolvers, it has the same ID but I can't see the resolver when assigning tokens, which is kind of annoying (user x is in 5 groups, let's try 4 times before we have the correct one…). It wouldn't be the slightest problem if I didn't want to have specific rules for some realms/resolvers.

Right now everything is just put into one big realm (except admins) with one resolver which is used for VPN. But I want to separate some into groups according to their AD group, which works fine until you want to enroll actual tokens to them and I have multiple resolvers in one realm that they belong to.

So, is there a possibility to see the resolver when enrolling tokens (in the dropdown where the name and ID are shown)? Maybe some option I missed?

privacyIDEA does not support addressing a user several times in one realm from different resolvers.

There can be the same user several times in a realm, originating from different resolvers. But usually you will not be able to address these different objects. It is only to - let's say - overwrite user objects from one resolver with a user object from a different resolver.

Bottom line: usually you need to assure that there is only one user with a given username in one realm.

…or you would easily end up with a lot of inconsistencies.

Why do you have several resolvers in the first place anyway?
What you probably want to do is fetch all users in one resolver and then assign policies based on user attributes (like the group membership).
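As an added example (not from this thread and not privacyIDEA's own code), the following Python script shows the two checks the answer above implies: first, given the user lists that several resolvers contribute to one realm, report every username that more than one resolver returns for the same realm; second, derive the policy a user should get from AD group membership (`memberOf` DNs) rather than from which resolver found the user. All realm, resolver, user and group data is constructed sample input. On a real server the per-resolver user lists would be fetched from privacyIDEA's user API and the group-to-policy mapping would be expressed as policy conditions on user attributes; both of those are assumptions about how you would wire this in, not something the thread confirms.

```python
"""Added example: detect duplicate usernames across the resolvers of one realm,
and map AD group membership to a policy name instead of relying on resolvers.
All data below is constructed sample input, not from a real privacyIDEA server."""
from collections import defaultdict
import re

# Constructed: realm -> resolver -> set of usernames that resolver returns.
REALM_RESOLVERS = {
    "users": {
        "ad-vpn":   {"alice", "bob", "carol"},
        "ad-admin": {"alice", "dave"},
        "ad-dev":   {"bob", "erin"},
    },
    "admins": {
        "ad-admin": {"alice", "dave"},
    },
}

# Constructed: username -> memberOf DNs as an AD resolver would expose them.
USER_GROUPS = {
    "alice": ["CN=VPN-Users,OU=Groups,DC=example,DC=org",
              "CN=Domain Admins,CN=Users,DC=example,DC=org"],
    "bob":   ["CN=VPN-Users,OU=Groups,DC=example,DC=org",
              "CN=Developers,OU=Groups,DC=example,DC=org"],
    "erin":  ["CN=Developers,OU=Groups,DC=example,DC=org"],
}

# Constructed: ordered (group CN, policy name) pairs; the first match wins,
# so the most restrictive group should come first.
GROUP_POLICIES = [
    ("Domain Admins", "pol_admin_totp_only"),
    ("VPN-Users", "pol_vpn_push_or_hotp"),
    ("Developers", "pol_dev_webauthn"),
]

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def find_duplicate_users(realm_resolvers):
    """Return {realm: {username: [resolver, ...]}} for usernames that more than
    one resolver contributes to the same realm (the situation the answer warns
    about: privacyIDEA cannot address such duplicates separately)."""
    duplicates = {}
    for realm, resolvers in realm_resolvers.items():
        seen = defaultdict(list)
        for resolver, users in resolvers.items():
            for user in users:
                seen[user].append(resolver)
        dups = {u: sorted(r) for u, r in seen.items() if len(r) > 1}
        if dups:
            duplicates[realm] = dups
    return duplicates


def group_cns(member_of):
    """Extract the CN of each group DN; entries that do not start with CN= are skipped."""
    cns = []
    for dn in member_of:
        m = _CN_RE.match(dn.strip())
        if m:
            cns.append(m.group(1))
    return cns


def policy_for_user(username, user_groups=USER_GROUPS, group_policies=GROUP_POLICIES):
    """Pick the policy for a user from group membership; None if no group matches.
    This mirrors the 'one resolver, policies by user attribute' approach."""
    cns = set(group_cns(user_groups.get(username, [])))
    for cn, policy in group_policies:
        if cn in cns:
            return policy
    return None


if __name__ == "__main__":
    for realm, dups in find_duplicate_users(REALM_RESOLVERS).items():
        for user, resolvers in dups.items():
            print(f"realm {realm!r}: user {user!r} is returned by {resolvers}")
    for user in USER_GROUPS:
        print(f"{user}: {policy_for_user(user)}")
```

Running the script lists alice and bob as duplicated inside the `users` realm (each is returned by two resolvers), while the `admins` realm is clean because only one resolver feeds it; the policy lookup then shows that group membership alone is enough to tell the three user categories apart, which is exactly what makes the extra resolvers unnecessary.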


I have 5+ domains, so I have to have multiple resolvers or multiple privacyIDEA servers with one domain resolver each, which would lead to other problems.

You are right, it should be easier to do it by AD group membership… it was just so "obvious" for me to have it split up in several resolvers because it's easy to see how user groups from AD are reflected in privacyIDEA. I'm not the only admin here, otherwise I wouldn't really care since I know my systems pretty well.

I'll leave it in the old setup with one resolver per domain and have my policies look for AD groups.