With one enrollment policy, "There are conflicting tokenlabel definitions!"

Hi there,

We are looking forward to using PrivacyIDEA with OwnCloud and several other
applications. However, we are facing some simple problems with the policy.

We have one enrollment policy defined that sets tokenissuer and tokenlabel
to some sensible values for our organization. When I attempt to create a
token, I receive an error – “There are conflicting tokenlabel
definitions!”. If I remove the tokenlabel value from the policy, I get the
same error for “tokenissuer” definitions. Is this a bug? Is there a default
enrollment policy I need to clear?

I saw https://groups.google.com/forum/#!topic/privacyidea/rRTsUu22Fl8, but
we only have policy that defines tokenlabel.

PrivacyIDEA 2.11.3 installed from the PPA.

Thanks!

Hi Evan,

first I want to point out this great joke, which I stumbled upon a few
days ago:

https://twitter.com/highmeh/status/731660976584425472

No. One policy should not produce conflicting policies.
Can you please send your policy definition?

Thanks a lot
CorneliusAm Donnerstag, den 19.05.2016, 06:50 -0700 schrieb Evan Stoner:

Hi there,

We are looking forward to using PrivacyIDEA with OwnCloud and several
other applications. However, we are facing some simple problems with
the policy.

We have one enrollment policy defined that sets tokenissuer and
tokenlabel to some sensible values for our organization. When I
attempt to create a token, I receive an error – “There are
conflicting tokenlabel definitions!”. If I remove the tokenlabel value
from the policy, I get the same error for “tokenissuer” definitions.
Is this a bug? Is there a default enrollment policy I need to clear?

I saw https://groups.google.com/forum/#!topic/privacyidea/rRTsUu22Fl8,
but we only have policy that defines tokenlabel.

PrivacyIDEA 2.11.3 installed from the PPA.

Thanks!

Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/153066f2-97ac-4717-9941-032280e1b955%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Looks like you have URL-encode special strings to Google
Authenticator: https://github.com/google/google-authenticator/wiki/Key-Uri-Format

Maybe a future enhancement. :)On Thursday, May 19, 2016 at 10:52:06 AM UTC-4, Evan Stoner wrote:

Ah got it, it’s working now without spaces. I missed that note in
get_action_values().

By the way, I did try with single quotes, and the token was created, but
Google Authenticator said it was invalid.

Thanks Cornelius!

On Thursday, May 19, 2016 at 10:37:26 AM UTC-4, Cornelius Kölbel wrote:

Hi Evan,

ok - you might not be pleased.

But please remove the blanks from the tokenissuer and tokenlabel.
-> “Organization_OTP”
-> “@()”

Youknow,blanksarethebeginningofallevilandeatawayourdiskstorage… :wink:

Kind regards
Cornelius

Am Donnerstag, den 19.05.2016, 07:27 -0700 schrieb Evan Stoner:

I should have mentioned, we also have an admin policy (allow
everything for user “admin” on any realm/resolver) and a webui policy
(default tokentype for any user/realm/resolver), but I don’t see where
those would cause the conflict.

name: enrollment
scope: enrollment
action:

  • tokenissuer: Organization OTP
  • tokenlabel: @ ()
    user-realm: none
    user-resolver: none
    user: none
    client: none

On Thursday, May 19, 2016 at 10:12:48 AM UTC-4, Cornelius Kölbel wrote:
Hi Evan,

    first I want to point out this great joke, which I stumbled 
    upon a few 
    days ago: 
    
            https://twitter.com/highmeh/status/731660976584425472 
    
    No. One policy should not produce conflicting policies. 
    Can you please send your policy definition? 
    
    Thanks a lot 
    Cornelius 
    
    
    Am Donnerstag, den 19.05.2016, 06:50 -0700 schrieb Evan 
    Stoner: 
    > Hi there, 
    > 
    > 
    > We are looking forward to using PrivacyIDEA with OwnCloud 
    and several 
    > other applications. However, we are facing some simple 
    problems with 
    > the policy. 
    > 
    > 
    > We have one enrollment policy defined that sets tokenissuer 
    and 
    > tokenlabel to some sensible values for our organization. 
    When I 
    > attempt to create a token, I receive an error -- "There are 
    > conflicting tokenlabel definitions!". If I remove the 
    tokenlabel value 
    > from the policy, I get the same error for "tokenissuer" 
    definitions. 
    > Is this a bug? Is there a default enrollment policy I need 
    to clear? 
    > 
    > 
    > I saw https://groups.google.com/forum/#! 
    topic/privacyidea/rRTsUu22Fl8, 
    > but we only have policy that defines tokenlabel. 
    > 
    > 
    > PrivacyIDEA 2.11.3 installed from the PPA. 
    > 
    > 
    > Thanks! 
    > -- 
    > Please read the blog post about getting help 
    > https://www.privacyidea.org/getting-help/. 
    >   
    > For professional services and consultancy regarding two 
    factor 
    > authentication please visit 
    > https://netknights.it/en/leistungen/one-time-services/ 
    >   
    > In an enterprise environment you should get a SERVICE LEVEL 
    AGREEMENT 
    > which suites your needs for SECURITY, AVAILABILITY and 
    LIABILITY: 
    > 
    https://netknights.it/en/leistungen/service-level-agreements/ 
    > --- 
    > You received this message because you are subscribed to the 
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > Visit this group at 
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    > 

https://groups.google.com/d/msgid/privacyidea/153066f2-97ac-4717-9941-032280e1b955%40googlegroups.com.

    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/f1ead21d-293a-4cf4-9779-05e5593756ec%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

I just fixed the white spaces. Not big hassle.
I am just running the tests.

Will be in 2.13, which will be released next week.

Kind regards
CorneliusAm Donnerstag, den 19.05.2016, 07:55 -0700 schrieb Evan Stoner:

Looks like you have URL-encode special strings to Google
Authenticator: https://github.com/google/google-authenticator/wiki/Key-Uri-Format

Maybe a future enhancement. :slight_smile:

On Thursday, May 19, 2016 at 10:52:06 AM UTC-4, Evan Stoner wrote:
Ah got it, it’s working now without spaces. I missed that note
in get_action_values().

    By the way, I did try with single quotes, and the token was
    created, but Google Authenticator said it was invalid.
    
    
    Thanks Cornelius!
    
    On Thursday, May 19, 2016 at 10:37:26 AM UTC-4, Cornelius Kölbel wrote:
            Hi Evan, 
            
            ok - you might not be pleased. 
            
            But please remove the blanks from the tokenissuer and
            tokenlabel. 
            -> "Organization_OTP" 
            -> "<u>@<r>(<s>)" 
            
            Youknow,blanksarethebeginningofallevilandeatawayourdiskstorage... ;-) 
            
            Kind regards 
            Cornelius 
            
            Am Donnerstag, den 19.05.2016, 07:27 -0700 schrieb
            Evan Stoner: 
            > I should have mentioned, we also have an admin
            policy (allow 
            > everything for user "admin" on any realm/resolver)
            and a webui policy 
            > (default tokentype for any user/realm/resolver), but
            I don't see where 
            > those would cause the conflict. 
            > 
            > 
            > name: enrollment 
            > scope: enrollment 
            > action: 
            >  - tokenissuer: Organization OTP 
            >  - tokenlabel: <u>@<r> (<s>) 
            > user-realm: none 
            > user-resolver: none 
            > user: none 
            > client: none 
            > 
            > On Thursday, May 19, 2016 at 10:12:48 AM UTC-4, Cornelius Kölbel  wrote: 
            >         Hi Evan, 
            >         
            >         first I want to point out this great joke,
            which I stumbled 
            >         upon a few 
            >         days ago: 
            >         
            >
            https://twitter.com/highmeh/status/731660976584425472 
            >         
            >         No. One policy should not produce
            conflicting policies. 
            >         Can you please send your policy definition? 
            >         
            >         Thanks a lot 
            >         Cornelius 
            >         
            >         
            >         Am Donnerstag, den 19.05.2016, 06:50 -0700
            schrieb Evan 
            >         Stoner: 
            >         > Hi there, 
            >         > 
            >         > 
            >         > We are looking forward to using
            PrivacyIDEA with OwnCloud 
            >         and several 
            >         > other applications. However, we are facing
            some simple 
            >         problems with 
            >         > the policy. 
            >         > 
            >         > 
            >         > We have one enrollment policy defined that
            sets tokenissuer 
            >         and 
            >         > tokenlabel to some sensible values for our
            organization. 
            >         When I 
            >         > attempt to create a token, I receive an
            error -- "There are 
            >         > conflicting tokenlabel definitions!". If I
            remove the 
            >         tokenlabel value 
            >         > from the policy, I get the same error for
            "tokenissuer" 
            >         definitions. 
            >         > Is this a bug? Is there a default
            enrollment policy I need 
            >         to clear? 
            >         > 
            >         > 
            >         > I saw https://groups.google.com/forum/#! 
            >         topic/privacyidea/rRTsUu22Fl8, 
            >         > but we only have policy that defines
            tokenlabel. 
            >         > 
            >         > 
            >         > PrivacyIDEA 2.11.3 installed from the
            PPA. 
            >         > 
            >         > 
            >         > Thanks! 
            >         > -- 
            >         > Please read the blog post about getting
            help 
            >         >
            https://www.privacyidea.org/getting-help/. 
            >         >   
            >         > For professional services and consultancy
            regarding two 
            >         factor 
            >         > authentication please visit 
            >         >
            https://netknights.it/en/leistungen/one-time-services/ 
            >         >   
            >         > In an enterprise environment you should
            get a SERVICE LEVEL 
            >         AGREEMENT 
            >         > which suites your needs for SECURITY,
            AVAILABILITY and 
            >         LIABILITY: 
            >         > 
            >
            https://netknights.it/en/leistungen/service-level-agreements/ 
            >         > --- 
            >         > You received this message because you are
            subscribed to the 
            >         Google 
            >         > Groups "privacyidea" group. 
            >         > To unsubscribe from this group and stop
            receiving emails 
            >         from it, send 
            >         > an email to
            privacyidea...@googlegroups.com. 
            >         > To post to this group, send email to 
            >         priva...@googlegroups.com. 
            >         > Visit this group at 
            >
            https://groups.google.com/group/privacyidea. 
            >         > To view this discussion on the web visit 
            >         > 
            >
            https://groups.google.com/d/msgid/privacyidea/153066f2-97ac-4717-9941-032280e1b955%40googlegroups.com. 
            >         > For more options, visit
            https://groups.google.com/d/optout. 
            >         
            >         -- 
            >         Cornelius Kölbel 
            >         corneliu...@netknights.it 
            >         +49 151 2960 1417 
            >         
            >         NetKnights GmbH 
            >         http://www.netknights.it 
            >         Landgraf-Karl-Str. 19, 34131 Kassel,
            Germany 
            >         Tel: +49 561 3166797, Fax: +49 561 3166798 
            >         
            >         Amtsgericht Kassel, HRB 16405 
            >         Geschäftsführer: Cornelius Kölbel 
            >         
            >         
            > -- 
            > Please read the blog post about getting help 
            > https://www.privacyidea.org/getting-help/. 
            >   
            > For professional services and consultancy regarding
            two factor 
            > authentication please visit 
            >
            https://netknights.it/en/leistungen/one-time-services/ 
            >   
            > In an enterprise environment you should get a
            SERVICE LEVEL AGREEMENT 
            > which suites your needs for SECURITY, AVAILABILITY
            and LIABILITY: 
            >
            https://netknights.it/en/leistungen/service-level-agreements/ 
            > --- 
            > You received this message because you are subscribed
            to the Google 
            > Groups "privacyidea" group. 
            > To unsubscribe from this group and stop receiving
            emails from it, send 
            > an email to privacyidea...@googlegroups.com. 
            > To post to this group, send email to
            priva...@googlegroups.com. 
            > Visit this group at
            https://groups.google.com/group/privacyidea. 
            > To view this discussion on the web visit 
            >
            https://groups.google.com/d/msgid/privacyidea/f1ead21d-293a-4cf4-9779-05e5593756ec%40googlegroups.com. 
            > For more options, visit
            https://groups.google.com/d/optout. 
            
            -- 
            Cornelius Kölbel 
            corneliu...@netknights.it 
            +49 151 2960 1417 
            
            NetKnights GmbH 
            http://www.netknights.it 
            Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
            Tel: +49 561 3166797, Fax: +49 561 3166798 
            
            Amtsgericht Kassel, HRB 16405 
            Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/441650da-b058-4c8e-b599-94dbc410c34b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Ah got it, it’s working now without spaces. I missed that note in
get_action_values().

By the way, I did try with single quotes, and the token was created, but
Google Authenticator said it was invalid.

Thanks Cornelius!On Thursday, May 19, 2016 at 10:37:26 AM UTC-4, Cornelius Kölbel wrote:

Hi Evan,

ok - you might not be pleased.

But please remove the blanks from the tokenissuer and tokenlabel.
-> “Organization_OTP”
-> “@()”

Youknow,blanksarethebeginningofallevilandeatawayourdiskstorage… :wink:

Kind regards
Cornelius

Am Donnerstag, den 19.05.2016, 07:27 -0700 schrieb Evan Stoner:

I should have mentioned, we also have an admin policy (allow
everything for user “admin” on any realm/resolver) and a webui policy
(default tokentype for any user/realm/resolver), but I don’t see where
those would cause the conflict.

name: enrollment
scope: enrollment
action:

  • tokenissuer: Organization OTP
  • tokenlabel: @ ()
    user-realm: none
    user-resolver: none
    user: none
    client: none

On Thursday, May 19, 2016 at 10:12:48 AM UTC-4, Cornelius Kölbel wrote:
Hi Evan,

    first I want to point out this great joke, which I stumbled 
    upon a few 
    days ago: 
    
            https://twitter.com/highmeh/status/731660976584425472 
    
    No. One policy should not produce conflicting policies. 
    Can you please send your policy definition? 
    
    Thanks a lot 
    Cornelius 
    
    
    Am Donnerstag, den 19.05.2016, 06:50 -0700 schrieb Evan 
    Stoner: 
    > Hi there, 
    > 
    > 
    > We are looking forward to using PrivacyIDEA with OwnCloud 
    and several 
    > other applications. However, we are facing some simple 
    problems with 
    > the policy. 
    > 
    > 
    > We have one enrollment policy defined that sets tokenissuer 
    and 
    > tokenlabel to some sensible values for our organization. 
    When I 
    > attempt to create a token, I receive an error -- "There are 
    > conflicting tokenlabel definitions!". If I remove the 
    tokenlabel value 
    > from the policy, I get the same error for "tokenissuer" 
    definitions. 
    > Is this a bug? Is there a default enrollment policy I need 
    to clear? 
    > 
    > 
    > I saw https://groups.google.com/forum/#! 
    topic/privacyidea/rRTsUu22Fl8, 
    > but we only have policy that defines tokenlabel. 
    > 
    > 
    > PrivacyIDEA 2.11.3 installed from the PPA. 
    > 
    > 
    > Thanks! 
    > -- 
    > Please read the blog post about getting help 
    > https://www.privacyidea.org/getting-help/. 
    >   
    > For professional services and consultancy regarding two 
    factor 
    > authentication please visit 
    > https://netknights.it/en/leistungen/one-time-services/ 
    >   
    > In an enterprise environment you should get a SERVICE LEVEL 
    AGREEMENT 
    > which suites your needs for SECURITY, AVAILABILITY and 
    LIABILITY: 
    > 
    https://netknights.it/en/leistungen/service-level-agreements/ 
    > --- 
    > You received this message because you are subscribed to the 
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > Visit this group at 
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    > 

https://groups.google.com/d/msgid/privacyidea/153066f2-97ac-4717-9941-032280e1b955%40googlegroups.com.

    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/f1ead21d-293a-4cf4-9779-05e5593756ec%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi Evan,

ok - you might not be pleased.

But please remove the blanks from the tokenissuer and tokenlabel.
-> “Organization_OTP”
-> “@()”

Youknow,blanksarethebeginningofallevilandeatawayourdiskstorage… :wink:

Kind regards
CorneliusAm Donnerstag, den 19.05.2016, 07:27 -0700 schrieb Evan Stoner:

I should have mentioned, we also have an admin policy (allow
everything for user “admin” on any realm/resolver) and a webui policy
(default tokentype for any user/realm/resolver), but I don’t see where
those would cause the conflict.

name: enrollment
scope: enrollment
action:

  • tokenissuer: Organization OTP
  • tokenlabel: @ ()
    user-realm: none
    user-resolver: none
    user: none
    client: none

On Thursday, May 19, 2016 at 10:12:48 AM UTC-4, Cornelius Kölbel wrote:
Hi Evan,

    first I want to point out this great joke, which I stumbled
    upon a few 
    days ago: 
    
            https://twitter.com/highmeh/status/731660976584425472 
    
    No. One policy should not produce conflicting policies. 
    Can you please send your policy definition? 
    
    Thanks a lot 
    Cornelius 
    
    
    Am Donnerstag, den 19.05.2016, 06:50 -0700 schrieb Evan
    Stoner: 
    > Hi there, 
    > 
    > 
    > We are looking forward to using PrivacyIDEA with OwnCloud
    and several 
    > other applications. However, we are facing some simple
    problems with 
    > the policy. 
    > 
    > 
    > We have one enrollment policy defined that sets tokenissuer
    and 
    > tokenlabel to some sensible values for our organization.
    When I 
    > attempt to create a token, I receive an error -- "There are 
    > conflicting tokenlabel definitions!". If I remove the
    tokenlabel value 
    > from the policy, I get the same error for "tokenissuer"
    definitions. 
    > Is this a bug? Is there a default enrollment policy I need
    to clear? 
    > 
    > 
    > I saw https://groups.google.com/forum/#!
    topic/privacyidea/rRTsUu22Fl8, 
    > but we only have policy that defines tokenlabel. 
    > 
    > 
    > PrivacyIDEA 2.11.3 installed from the PPA. 
    > 
    > 
    > Thanks! 
    > -- 
    > Please read the blog post about getting help 
    > https://www.privacyidea.org/getting-help/. 
    >   
    > For professional services and consultancy regarding two
    factor 
    > authentication please visit 
    > https://netknights.it/en/leistungen/one-time-services/ 
    >   
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT 
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY: 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    > --- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > Visit this group at
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/153066f2-97ac-4717-9941-032280e1b955%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/f1ead21d-293a-4cf4-9779-05e5593756ec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

I should have mentioned, we also have an admin policy (allow everything for
user “admin” on any realm/resolver) and a webui policy (default tokentype
for any user/realm/resolver), but I don’t see where those would cause the
conflict.

name: enrollment
scope: enrollment
action:

  • tokenissuer: Organization OTP
  • tokenlabel: @ ()
    user-realm: none
    user-resolver: none
    user: none
    client: noneOn Thursday, May 19, 2016 at 10:12:48 AM UTC-4, Cornelius Kölbel wrote:

Hi Evan,

first I want to point out this great joke, which I stumbled upon a few
days ago:

    https://twitter.com/highmeh/status/731660976584425472 

No. One policy should not produce conflicting policies.
Can you please send your policy definition?

Thanks a lot
Cornelius

Am Donnerstag, den 19.05.2016, 06:50 -0700 schrieb Evan Stoner:

Hi there,

We are looking forward to using PrivacyIDEA with OwnCloud and several
other applications. However, we are facing some simple problems with
the policy.

We have one enrollment policy defined that sets tokenissuer and
tokenlabel to some sensible values for our organization. When I
attempt to create a token, I receive an error – “There are
conflicting tokenlabel definitions!”. If I remove the tokenlabel value
from the policy, I get the same error for “tokenissuer” definitions.
Is this a bug? Is there a default enrollment policy I need to clear?

I saw https://groups.google.com/forum/#!topic/privacyidea/rRTsUu22Fl8,
but we only have policy that defines tokenlabel.

PrivacyIDEA 2.11.3 installed from the PPA.

Thanks!

Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/153066f2-97ac-4717-9941-032280e1b955%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hello Even,

thanks a lot.
I just fixed this.

Kind regards
CorneliusAm Donnerstag, den 19.05.2016, 07:55 -0700 schrieb Evan Stoner:

Looks like you have URL-encode special strings to Google
Authenticator: https://github.com/google/google-authenticator/wiki/Key-Uri-Format

Maybe a future enhancement. :slight_smile:

On Thursday, May 19, 2016 at 10:52:06 AM UTC-4, Evan Stoner wrote:
Ah got it, it’s working now without spaces. I missed that note
in get_action_values().

    By the way, I did try with single quotes, and the token was
    created, but Google Authenticator said it was invalid.
    
    
    Thanks Cornelius!
    
    On Thursday, May 19, 2016 at 10:37:26 AM UTC-4, Cornelius Kölbel wrote:
            Hi Evan, 
            
            ok - you might not be pleased. 
            
            But please remove the blanks from the tokenissuer and
            tokenlabel. 
            -> "Organization_OTP" 
            -> "<u>@<r>(<s>)" 
            
            Youknow,blanksarethebeginningofallevilandeatawayourdiskstorage... ;-) 
            
            Kind regards 
            Cornelius 
            
            Am Donnerstag, den 19.05.2016, 07:27 -0700 schrieb
            Evan Stoner: 
            > I should have mentioned, we also have an admin
            policy (allow 
            > everything for user "admin" on any realm/resolver)
            and a webui policy 
            > (default tokentype for any user/realm/resolver), but
            I don't see where 
            > those would cause the conflict. 
            > 
            > 
            > name: enrollment 
            > scope: enrollment 
            > action: 
            >  - tokenissuer: Organization OTP 
            >  - tokenlabel: <u>@<r> (<s>) 
            > user-realm: none 
            > user-resolver: none 
            > user: none 
            > client: none 
            > 
            > On Thursday, May 19, 2016 at 10:12:48 AM UTC-4, Cornelius Kölbel  wrote: 
            >         Hi Evan, 
            >         
            >         first I want to point out this great joke,
            which I stumbled 
            >         upon a few 
            >         days ago: 
            >         
            >
            https://twitter.com/highmeh/status/731660976584425472 
            >         
            >         No. One policy should not produce
            conflicting policies. 
            >         Can you please send your policy definition? 
            >         
            >         Thanks a lot 
            >         Cornelius 
            >         
            >         
            >         Am Donnerstag, den 19.05.2016, 06:50 -0700
            schrieb Evan 
            >         Stoner: 
            >         > Hi there, 
            >         > 
            >         > 
            >         > We are looking forward to using
            PrivacyIDEA with OwnCloud 
            >         and several 
            >         > other applications. However, we are facing
            some simple 
            >         problems with 
            >         > the policy. 
            >         > 
            >         > 
            >         > We have one enrollment policy defined that
            sets tokenissuer 
            >         and 
            >         > tokenlabel to some sensible values for our
            organization. 
            >         When I 
            >         > attempt to create a token, I receive an
            error -- "There are 
            >         > conflicting tokenlabel definitions!". If I
            remove the 
            >         tokenlabel value 
            >         > from the policy, I get the same error for
            "tokenissuer" 
            >         definitions. 
            >         > Is this a bug? Is there a default
            enrollment policy I need 
            >         to clear? 
            >         > 
            >         > 
            >         > I saw https://groups.google.com/forum/#! 
            >         topic/privacyidea/rRTsUu22Fl8, 
            >         > but we only have policy that defines
            tokenlabel. 
            >         > 
            >         > 
            >         > PrivacyIDEA 2.11.3 installed from the
            PPA. 
            >         > 
            >         > 
            >         > Thanks! 
            >         > -- 
            >         > Please read the blog post about getting
            help 
            >         >
            https://www.privacyidea.org/getting-help/. 
            >         >   
            >         > For professional services and consultancy
            regarding two 
            >         factor 
            >         > authentication please visit 
            >         >
            https://netknights.it/en/leistungen/one-time-services/ 
            >         >   
            >         > In an enterprise environment you should
            get a SERVICE LEVEL 
            >         AGREEMENT 
            >         > which suites your needs for SECURITY,
            AVAILABILITY and 
            >         LIABILITY: 
            >         > 
            >
            https://netknights.it/en/leistungen/service-level-agreements/ 
            >         > --- 
            >         > You received this message because you are
            subscribed to the 
            >         Google 
            >         > Groups "privacyidea" group. 
            >         > To unsubscribe from this group and stop
            receiving emails 
            >         from it, send 
            >         > an email to
            privacyidea...@googlegroups.com. 
            >         > To post to this group, send email to 
            >         priva...@googlegroups.com. 
            >         > Visit this group at 
            >
            https://groups.google.com/group/privacyidea. 
            >         > To view this discussion on the web visit 
            >         > 
            >
            https://groups.google.com/d/msgid/privacyidea/153066f2-97ac-4717-9941-032280e1b955%40googlegroups.com. 
            >         > For more options, visit
            https://groups.google.com/d/optout. 
            >         
            >         -- 
            >         Cornelius Kölbel 
            >         corneliu...@netknights.it 
            >         +49 151 2960 1417 
            >         
            >         NetKnights GmbH 
            >         http://www.netknights.it 
            >         Landgraf-Karl-Str. 19, 34131 Kassel,
            Germany 
            >         Tel: +49 561 3166797, Fax: +49 561 3166798 
            >         
            >         Amtsgericht Kassel, HRB 16405 
            >         Geschäftsführer: Cornelius Kölbel 
            >         
            >         
            > -- 
            > Please read the blog post about getting help 
            > https://www.privacyidea.org/getting-help/. 
            >   
            > For professional services and consultancy regarding
            two factor 
            > authentication please visit 
            >
            https://netknights.it/en/leistungen/one-time-services/ 
            >   
            > In an enterprise environment you should get a
            SERVICE LEVEL AGREEMENT 
            > which suites your needs for SECURITY, AVAILABILITY
            and LIABILITY: 
            >
            https://netknights.it/en/leistungen/service-level-agreements/ 
            > --- 
            > You received this message because you are subscribed
            to the Google 
            > Groups "privacyidea" group. 
            > To unsubscribe from this group and stop receiving
            emails from it, send 
            > an email to privacyidea...@googlegroups.com. 
            > To post to this group, send email to
            priva...@googlegroups.com. 
            > Visit this group at
            https://groups.google.com/group/privacyidea. 
            > To view this discussion on the web visit 
            >
            https://groups.google.com/d/msgid/privacyidea/f1ead21d-293a-4cf4-9779-05e5593756ec%40googlegroups.com. 
            > For more options, visit
            https://groups.google.com/d/optout. 
            
            -- 
            Cornelius Kölbel 
            corneliu...@netknights.it 
            +49 151 2960 1417 
            
            NetKnights GmbH 
            http://www.netknights.it 
            Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
            Tel: +49 561 3166797, Fax: +49 561 3166798 
            
            Amtsgericht Kassel, HRB 16405 
            Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/441650da-b058-4c8e-b599-94dbc410c34b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)