selecting/limiting admin(s) within a declared super_realm #701
Comments
The mailing list would be a great place to ask this question. If you do not understand this, then obviously we have to improve this part of the documentation. Please tell us at which part we need to add some more details, so that we can improve this. Thanks a lot!
Thanks for the immediate response! I was just about to comment additional info on this when I saw your reply. I had to test again. This helped me understand the connection between the declaration of a realm as SUPER_REALM - http://privacyidea.readthedocs.io/en/latest/faq/admins.html . Maybe include this as a reference? I was able to see the admin functions for my admin users, but I still have one problem! :-( So, here is what I did; BUT here is the problem. All of my users in LDAP became admins. :-( Is this possible with just one realm? Update:
The only drawback for me with this setup is that my policy webui tokenwizard = true does not prompt when a user has NO TOKEN, because I have an authentication policy which does passthru = userstore, which is triggered when the user is added in the parameter user = 'user1', 'user2', 'user3'. I use this so I can require the users to first mail me or the admin for an activation (for them to be allowed to use 2FA). If I just use the default SUPER_REALM = 'superuser' then I will have only the default 'admin' created from pi-manage. If there are ideas or a better implementation/solution for my setup, please do post a comment. Thanks a lot!
If you want LDAP users to be admins, you need to create a realm and declare this to be an admin realm. Now go to pi.cfg and configure
Users logging in as Honestly, if you need any more help to set up your rather enterprisey environment, drop me a note!
Thanks for your response! I'll try to figure this one out. Maybe I'm missing some parameters in the policies I have.
Setup
Privacyidea 2.18
Ubuntu 16 xenial
mysql
apache2
What I did
I tried creating a policy for admins using the following parameters:
What I expect
I expected the admin policy to be created and to be valid for the users listed under "admin:"
Outcome
The policy is created, BUT afterwards, upon logging in again with one of the ADMIN-USERS (admin, mullgerb, pwblute), I could not do anything except view all tokens of users.
NOTE: I left a window tab with the admin still logged in (added through first initialization using pi-manage) and tried to disable the created admin policy, and a red bubble threw an ERROR with:
"Admin actions are defined, but the action policydelete is not allowed!"
Conclusion/Question
If I create the admin policy, the initial admin (configured at start with pi-manage admin add admin admin@localhost) loses all the functions of a superuser admin. :-(
Regards,
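The behaviour reported in this issue (every user of the declared superuser realm becomes an admin, and the initial pi-manage admin loses rights as soon as an admin policy exists that does not grant them) can be reproduced with a small model of the two rules involved. The code below is an added illustration, not privacyIDEA's own implementation: it assumes the pi.cfg setting `SUPERUSER_REALM` (a list of realm names), treats pi-manage admins as a separate local list, and models an admin-scope policy as a list of admin names plus a set of granted actions. The realm, user and policy names are constructed sample data.

```python
"""Simplified model of admin privilege and admin-scope policy evaluation.

Assumptions (this is NOT privacyIDEA's own code):
  * every user of a realm listed in SUPERUSER_REALM is an administrator;
  * users created with `pi-manage admin add` are local administrators;
  * while no admin-scope policy is active, an admin may perform any action;
  * once ANY admin-scope policy is active, an action is allowed only if some
    active policy names the admin AND grants that action (deny by default).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of the pi.cfg setting: every LDAP user resolved into the
# "superuser" realm is an admin, which is the symptom described in the issue.
SUPERUSER_REALM = ["superuser"]

# Constructed sample of admins created with `pi-manage admin add ...`.
LOCAL_ADMINS = {"admin"}


@dataclass
class AdminPolicy:
    name: str
    admins: list[str]   # the "admin:" parameter of the policy
    actions: set[str]   # actions the policy grants
    active: bool = True


def is_admin(user: str, realm: str | None) -> bool:
    """An admin is either a local pi-manage admin or any user of a superuser realm."""
    return user in LOCAL_ADMINS or realm in SUPERUSER_REALM


def admin_action_allowed(user: str, action: str, policies: list[AdminPolicy]) -> bool:
    """Deny-by-default as soon as at least one admin policy is active."""
    active = [p for p in policies if p.active]
    if not active:
        return True  # no admin policies defined: an admin may do everything
    return any(user in p.admins and action in p.actions for p in active)


def check(user: str, action: str, policies: list[AdminPolicy]) -> str:
    """Return an outcome message modelled on the error shown in the issue."""
    if admin_action_allowed(user, action, policies):
        return f"{action} allowed for {user}"
    return f"Admin actions are defined, but the action {action} is not allowed!"


# A policy that only grants viewing tokens to the listed admins: every other
# action, including policydelete, is now denied even for the initial admin.
TOO_NARROW = [
    AdminPolicy("admin_view_only", ["admin", "mullgerb", "pwblute"], {"tokenlist"}),
]

# The corrected setup: the intended admins are granted the actions they need
# explicitly, which is the least-privilege shape the deny-by-default rule asks for.
CORRECTED = [
    AdminPolicy(
        "admin_full",
        ["admin", "mullgerb", "pwblute"],
        {"tokenlist", "policywrite", "policydelete", "enable", "disable", "userlist"},
    ),
]


if __name__ == "__main__":
    print(is_admin("anyldapuser", "superuser"))        # True: whole realm is admin
    print(check("admin", "policydelete", []))           # allowed: no policy yet
    print(check("admin", "policydelete", TOO_NARROW))   # denied: not granted
    print(check("admin", "policydelete", CORRECTED))    # allowed again
```

The two checks worth keeping in mind when reviewing such a setup are that `SUPERUSER_REALM` grants admin rights to the whole realm, so the realm should contain only the intended administrators (or a narrower resolver), and that the first admin-scope policy switches the instance to deny-by-default, so it must grant every action the remaining admins need, `policydelete` and `policywrite` included.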