User Token Visibility

So, I just did the following:

  • Created a new Resolver
  • Add this to my existing default Realm, with a higher priority than the
    existing LdapResolver

As a result, it appears that all of the tokens assigned to a user are no
longer visible to that user, unless they (tokens) are also reassigned to
the new Resolver.

Is this correct behavior? As the user has no control over the Resolver,
will I have to re-assign all of my existing tokens?

Thanks,
-Kris

Kris Lou
@Kris_Lou

I had seen that – I just wasn’t aware that tokens were also tied to
specific resolvers.

In my case, I switched from querying a specific DC to querying the domain,
and allowing DNS to handle that portion. I don’t have a lot of users, so
it wasn’t a huge deal to make the switch.

But if a Resolver target would need to be replaced in a much larger
organization, that could be a LOT of work to troubleshoot. On the other
hand, I suppose I could only change the Server URI and not create a new
Resolver.

Kris Lou
@Kris_LouOn Mon, May 1, 2017 at 12:36 AM, Cornelius Kölbel < cornelius.koelbel@netknights.it> wrote:

Hi Kris,

http://privacyidea.readthedocs.io/en/latest/configuration/realms.html?
highlight=resolver%20priority#resolver-priority
a lower number means a higher priority.
Just like when you are #1 in real life :wink:

Kind regards
Cornelius

Am Freitag, 28. April 2017 21:01:29 UTC+2 schrieb Kris Lou:

So, I just did the following:

  • Created a new Resolver
  • Add this to my existing default Realm, with a higher priority than
    the existing LdapResolver

As a result, it appears that all of the tokens assigned to a user are no
longer visible to that user, unless they (tokens) are also reassigned to
the new Resolver.

Is this correct behavior? As the user has no control over the Resolver,
will I have to re-assign all of my existing tokens?

Thanks,
-Kris

Kris Lou
@Kris_Lou


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google Groups
"privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/
msgid/privacyidea/e9b826f0-6bb1-4486-a48d-2f9660961bba%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/e9b826f0-6bb1-4486-a48d-2f9660961bba%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Hi Kris,

http://privacyidea.readthedocs.io/en/latest/configuration/realms.html?highlight=resolver%20priority#resolver-priority
a lower number means a higher priority.
Just like when you are #1 in real life :wink:

Kind regards
CorneliusAm Freitag, 28. April 2017 21:01:29 UTC+2 schrieb Kris Lou:

So, I just did the following:

  • Created a new Resolver
  • Add this to my existing default Realm, with a higher priority than the
    existing LdapResolver

As a result, it appears that all of the tokens assigned to a user are no
longer visible to that user, unless they (tokens) are also reassigned to
the new Resolver.

Is this correct behavior? As the user has no control over the Resolver,
will I have to re-assign all of my existing tokens?

Thanks,
-Kris

Kris Lou
klou@themusiclink.net

You would reconfigure the resolver - right. No big deal.Am Montag, 1. Mai 2017 18:41:13 UTC+2 schrieb Kris Lou:

I had seen that – I just wasn’t aware that tokens were also tied to
specific resolvers.

In my case, I switched from querying a specific DC to querying the domain,
and allowing DNS to handle that portion. I don’t have a lot of users, so
it wasn’t a huge deal to make the switch.

But if a Resolver target would need to be replaced in a much larger
organization, that could be a LOT of work to troubleshoot. On the other
hand, I suppose I could only change the Server URI and not create a new
Resolver.

Kris Lou
klou@themusiclink.net

On Mon, May 1, 2017 at 12:36 AM, Cornelius Kölbel < @cornelinux> wrote:

Hi Kris,

http://privacyidea.readthedocs.io/en/latest/configuration/realms.html?highlight=resolver%20priority#resolver-priority
a lower number means a higher priority.
Just like when you are #1 in real life :wink:

Kind regards
Cornelius

Am Freitag, 28. April 2017 21:01:29 UTC+2 schrieb Kris Lou:

So, I just did the following:

  • Created a new Resolver
  • Add this to my existing default Realm, with a higher priority than
    the existing LdapResolver

As a result, it appears that all of the tokens assigned to a user are no
longer visible to that user, unless they (tokens) are also reassigned to
the new Resolver.

Is this correct behavior? As the user has no control over the Resolver,
will I have to re-assign all of my existing tokens?

Thanks,
-Kris

Kris Lou
klou@themusiclink.net


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google Groups
"privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/e9b826f0-6bb1-4486-a48d-2f9660961bba%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/e9b826f0-6bb1-4486-a48d-2f9660961bba%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.