The following is a little complicated, so I apologize in advance.

I've been struggling with getting privacyIDEA to work properly with LAM at same time that my privacyIDEA server is configured to rely on itself for authentication. Meaning, I want the following:

1. People who have not established a 2FA token can log in to
   privacyIDEA using their LDAP account.
2. Once people have a token, they must use their LDAP password+TOTP to
   log into privacyIDEA.
3. People can use LAM self service, but must establish a token first (I
   direct them to the privacyIDEA server).
4. Once people have a token, they must use their LDAP password in LAM
   self service, then they are prompted for TOTP.

I can get 1 and 2 to work, and I can get 3 and 4 to work. But, I cannot get 1 through 4 to work at the same time.

I admit, there absolutely are things I can configure on the privacyIDEA server that affect the above, but I cannot get them all to work at the same time. I presented this issue to the privacyIDEA forum and the developer indicated that LAM is using the wrong "privacyIDEA endpoint". Here's the thread, with his message being the last one:

https://community.privacyidea.org/t/webui-value-breaking-non-privacyidea-service-lam/2207

I changed logging to DEBUG on the privacyIDEA server and learned (although I don't fully understand) that the privacyIDEA endpoint "/auth" is indeed in use, and afterwards the "/validate/check" endpoint is being used.

The developer's point is basically that LAM is trying to use the same authentication method that the privacyIDEA server itself is using, so the policies within privacyIDEA that should affect only one of the authentications are affecting both, even though the two systems (LAM and privacyIDEA webui) are using two different ways of authenticating.

Roland, I guess what I'm asking is, if you think this assessment is legitimate, are you inclined to change the plugin in LAM?

Thanks.

John

--
* - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
John Maher
Senior Systems and Network Administrator
Department of Biochemistry & Molecular Biology and
Department of Chemistry
University of Massachusetts - Amherst
voice: 413-577-3120     fax: 413-545-4490
_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public

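As an added example (not part of John's message, and not LAM's or privacyIDEA's own code): the distinction the thread turns on is that the webui logs in through /auth, while an external service such as LAM should only ever call /validate/check, so policies scoped to the webui login do not leak into the service. The client below follows the documented shape of /validate/check as an assumption (POST with `user` and `pass`; JSON reply with `result.status`, `result.value` and, for challenge-response, `detail.transaction_id`; a second POST carrying `transaction_id` plus the OTP in `pass`). It is exercised against a constructed in-memory stand-in for the server, which records which endpoints were hit, so it runs offline; the `requests`-based transport is for real use and is not run here.

```python
"""Minimal privacyIDEA /validate/check client with challenge-response handling.

Constructed example. Assumed API shape (from privacyIDEA's REST docs, not from
the mailing-list thread): POST /validate/check with form fields `user` and
`pass`; reply JSON has result.status (server ok?), result.value (authenticated?)
and, when a challenge is issued, detail.transaction_id. The second request
repeats `user`, adds `transaction_id`, and sends the OTP in `pass`.
"""
from typing import Callable, Dict, Optional

# A transport takes (path, form fields) and returns the parsed JSON reply.
Transport = Callable[[str, Dict[str, str]], dict]


def http_transport(base_url: str, verify: bool = True) -> Transport:
    """Real transport for a live server (hypothetical base_url; needs `requests`)."""
    import requests  # imported lazily so the example runs without it

    def post(path: str, fields: Dict[str, str]) -> dict:
        r = requests.post(base_url.rstrip("/") + path, data=fields,
                          timeout=10, verify=verify)
        return r.json()
    return post


def validate_check(post: Transport, user: str, secret: str,
                   transaction_id: Optional[str] = None) -> dict:
    """One call to /validate/check; never /auth, which is the webui's login."""
    fields = {"user": user, "pass": secret}
    if transaction_id:
        fields["transaction_id"] = transaction_id
    return post("/validate/check", fields)


def authenticate(post: Transport, user: str, password: str,
                 otp_prompt: Callable[[], str]) -> dict:
    """Two-step flow a service like LAM self service would follow (step 4 above)."""
    first = validate_check(post, user, password)
    result = first.get("result", {})
    if not result.get("status"):
        return {"ok": False, "reason": "server error"}
    if result.get("value"):
        # No challenge: e.g. a passthru policy let a user without a token in.
        return {"ok": True, "reason": "password accepted without challenge"}
    tid = first.get("detail", {}).get("transaction_id")
    if not tid:
        return {"ok": False, "reason": first.get("detail", {}).get("message", "rejected")}
    # Challenge issued: prompt for the OTP and answer under the same transaction.
    second = validate_check(post, user, otp_prompt(), transaction_id=tid)
    ok = bool(second.get("result", {}).get("status") and second["result"].get("value"))
    return {"ok": ok, "reason": "otp accepted" if ok else "otp rejected"}


class FakePrivacyIdea:
    """Constructed stand-in for a privacyIDEA server; records endpoints hit."""

    def __init__(self) -> None:
        # Constructed accounts: alice has a TOTP token, bob has none yet.
        self.users = {"alice": {"password": "s3cret", "otp": "123456"},
                      "bob": {"password": "hunter2", "otp": None}}
        self.challenges: Dict[str, str] = {}
        self.paths = []
        self._n = 0

    def __call__(self, path: str, fields: Dict[str, str]) -> dict:
        self.paths.append(path)
        if path != "/validate/check":
            return {"result": {"status": False}}  # services must not use /auth
        u = self.users.get(fields["user"])
        if u is None:
            return {"result": {"status": True, "value": False},
                    "detail": {"message": "wrong otp pin"}}
        tid = fields.get("transaction_id")
        if tid:
            good = self.challenges.pop(tid, None) == fields["user"] and fields["pass"] == u["otp"]
            return {"result": {"status": True, "value": good},
                    "detail": {"message": "matching otp" if good else "wrong otp value"}}
        if fields["pass"] != u["password"]:
            return {"result": {"status": True, "value": False},
                    "detail": {"message": "wrong otp pin"}}
        if u["otp"] is None:
            return {"result": {"status": True, "value": True}}  # models a passthru policy
        self._n += 1
        tid = f"tx{self._n}"
        self.challenges[tid] = fields["user"]
        return {"result": {"status": True, "value": False},
                "detail": {"transaction_id": tid, "message": "please enter otp"}}


if __name__ == "__main__":
    server = FakePrivacyIdea()
    print(authenticate(server, "alice", "s3cret", lambda: "123456"))
    print("endpoints used:", sorted(set(server.paths)))
```

The point to check when reviewing a plugin is the recorded endpoint list: a correctly behaving service touches only /validate/check, so any /auth call means it is sharing the webui's login path and therefore its policies.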