The following is a little complicated, so I apologize in advance.
I've been struggling with getting privacyIDEA to work properly with LAM
at the same time that my privacyIDEA server is configured to rely on itself
for authentication. Meaning, I want the following:
1. People who have not established a 2FA token can log in to
privacyIDEA using their LDAP account.
2. Once people have a token, they must use their LDAP password+TOTP to
log into privacyIDEA.
3. People can use LAM self service, but must establish a token first (I
direct them to the privacyIDEA server).
4. Once people have a token, they must use their LDAP password in LAM
self service, then they are prompted for TOTP.
I can get 1 and 2 to work, and I can get 3 and 4 to work. But, I cannot
get 1 through 4 to work at the same time.
I admit, there absolutely are things I can configure on the privacyIDEA
server that affect the above, but I cannot get them all to work at the
same time. I presented this issue to the privacyIDEA forum and the
developer indicated that LAM is using the wrong "privacyIDEA endpoint".
Here's the thread, with his message being the last one:
https://community.privacyidea.org/t/webui-value-breaking-non-privacyidea-service-lam/2207
I changed logging to DEBUG on the privacyIDEA server and learned
(although I don't fully understand) that the privacyIDEA endpoint
"/auth" is indeed in use, and afterwards the "/validate/check" endpoint
is being used.
The developer's point is basically that LAM is trying to use the same
authentication method that the privacyIDEA server itself is using, so
the policies within privacyIDEA that should affect only one of the
authentications are affecting both, even though the two systems (LAM and
privacyIDEA webui) are using two different ways of authenticating.
Roland, I guess what I'm asking is, if you think this assessment is
legitimate, are you inclined to change the plugin in LAM?
Thanks.
John
--
* - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
John Maher
Senior Systems and Network Administrator
Department of Biochemistry & Molecular Biology and
Department of Chemistry
University of Massachusetts - Amherst
voice: 413-577-3120 fax: 413-545-4490
_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public
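The distinction the privacyIDEA developer draws in the thread above is between two endpoints: POST /auth logs an administrator or user into the privacyIDEA WebUI (and WebUI login policies apply to it), while POST /validate/check validates an end user's credentials on behalf of an external service. The following is an added example, not code from the original post, from LAM or from privacyIDEA; it shows how a service such as LAM self service can authenticate a user through /validate/check only, including the challenge-response case where the LDAP password is accepted first and the server then asks for the TOTP value. The HTTP transport is a callable so the example runs offline against a constructed stand-in server; the JSON field names (result.status, result.value, detail.transaction_id, detail.message) follow the public privacyIDEA API, and all passwords, OTP values and the transaction id are constructed sample values.

```python
import json
from typing import Callable, Dict, Optional

# Transport: (url, form parameters) -> raw JSON response body.
# A real deployment would wrap an HTTPS client here; the example keeps it abstract.
PostFn = Callable[[str, Dict[str, str]], str]


def validate_check(post: PostFn, base_url: str, user: str, secret: str,
                   transaction_id: Optional[str] = None) -> Dict[str, object]:
    """Call privacyIDEA's /validate/check and normalise the answer.

    Returns a dict with:
      authenticated   True only when result.value is True
      transaction_id  set when the server started a challenge (OTP expected next)
      message         the server's detail.message, suitable for the UI
    Raises RuntimeError when result.status is false (a server-side error), so a
    caller can never mistake an error response for a successful login.
    """
    params = {"user": user, "pass": secret}
    if transaction_id:
        params["transaction_id"] = transaction_id
    body = json.loads(post(base_url.rstrip("/") + "/validate/check", params))
    result = body.get("result") or {}
    if not result.get("status"):
        raise RuntimeError("privacyIDEA error: %r" % (result.get("error"),))
    detail = body.get("detail") or {}
    return {
        "authenticated": result.get("value") is True,
        "transaction_id": detail.get("transaction_id"),
        "message": detail.get("message", ""),
    }


def service_login(post: PostFn, base_url: str, user: str, password: str,
                  otp_prompt: Callable[[str], str]) -> bool:
    """Two-step login for an external service (the LAM self service pattern):
    1. send the LDAP password; 2. if privacyIDEA answers with a challenge,
    prompt for the TOTP value and send it together with the transaction_id.
    Never touches /auth, so WebUI login policies do not apply."""
    first = validate_check(post, base_url, user, password)
    if first["authenticated"]:
        return True
    if first["transaction_id"]:
        otp = otp_prompt(str(first["message"]))
        second = validate_check(post, base_url, user, otp, str(first["transaction_id"]))
        return bool(second["authenticated"])
    return False


# --- constructed stand-in for a privacyIDEA server (offline, example only) ---
FAKE_PASSWORD = "ldap-secret"    # constructed LDAP password
FAKE_OTP = "123456"              # constructed TOTP value
FAKE_TXN = "01234567890123456"   # constructed transaction id


def fake_post(url: str, params: Dict[str, str]) -> str:
    """Mimics the response shapes of /validate/check for three situations:
    password accepted and challenge issued, OTP accepted, anything else rejected."""
    if not url.endswith("/validate/check"):
        # /auth is the WebUI login endpoint; a service must not end up here.
        return json.dumps({"result": {"status": False,
                                      "error": {"message": "wrong endpoint for service auth"}}})
    if params.get("transaction_id") == FAKE_TXN and params["pass"] == FAKE_OTP:
        return json.dumps({"result": {"status": True, "value": True},
                           "detail": {"message": "matching 1 tokens"}})
    if "transaction_id" not in params and params["pass"] == FAKE_PASSWORD:
        return json.dumps({"result": {"status": True, "value": False},
                           "detail": {"transaction_id": FAKE_TXN,
                                      "message": "please enter otp: "}})
    return json.dumps({"result": {"status": True, "value": False},
                       "detail": {"message": "wrong otp pin"}})


if __name__ == "__main__":
    ok = service_login(fake_post, "https://pi.example/", "john", FAKE_PASSWORD,
                       lambda prompt: FAKE_OTP)
    print("service login succeeded:", ok)
```

The point of routing everything through validate_check is that the policies governing the WebUI (/auth) and those governing service authentication (/validate/check) stay separate, which is exactly the separation the post says is missing when the same endpoint is used for both.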