Hi John,

thanks for your detailed report. We will look into this.
The background for using /auth is to get the list of possible OTP serials. But maybe this is not needed any more.


Best regards

Roland


Am 15.11.21 um 18:38 schrieb John Maher:
The following is a little complicated, so I apologize in advance.

I've been struggling with getting privacyIDEA to work properly with LAM at the same time that my privacyIDEA server is configured to rely on itself for authentication. Meaning, I want the following:

1. People who have not established a 2FA token can log in to
    privacyIDEA using their LDAP account.
2. Once people have a token, they must use their LDAP password+TOTP to
    log into privacyIDEA.
3. People can use LAM self service, but must establish a token first (I
    direct them to the privacyIDEA server).
4. Once people have a token, they must use their LDAP password in LAM
    self service, then they are prompted for TOTP.

I can get 1 and 2 to work, and I can get 3 and 4 to work. But, I cannot get 1 through 4 to work at the same time.

I admit, there absolutely are things I can configure on the privacyIDEA server that affect the above, but I cannot get them all to work at the same time. I presented this issue to the privacyIDEA forum and the developer indicated that LAM is using the wrong "privacyIDEA endpoint". Here's the thread, with his message being the last one:

https://community.privacyidea.org/t/webui-value-breaking-non-privacyidea-service-lam/2207

I changed logging to DEBUG on the privacyIDEA server and learned (although I don't fully understand) that the privacyIDEA endpoint "/auth" is indeed in use, and afterwards the "/validate/check" endpoint is being used.

The developer's point is basically that LAM is trying to use the same authentication method that the privacyIDEA server itself is using, so the policies within privacyIDEA that should affect only one of the authentications are affecting both, even though the two systems (LAM and privacyIDEA webui) are using two different ways of authenticating.

Roland, I guess what I'm asking is, if you think this assessment is legitimate, are you inclined to change the plugin in LAM?

Thanks.

John



_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public
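The distinction raised in the thread above is which privacyIDEA endpoint a third-party service should call. The following is an added illustration, not code from LAM or from the privacyIDEA project: a service-side check that sends the user's password+OTP to /validate/check (the endpoint for validating credentials on behalf of other applications) rather than /auth (the WebUI login endpoint, which is subject to the WebUI's own login policies). The form field names `user` and `pass` and the `result.status` / `result.value` reply layout are assumptions taken from the privacyIDEA REST API documentation; the HTTP transport is injectable so the module runs offline against constructed replies.

```python
"""Added example (not LAM's or privacyIDEA's own code): validate a user's
password+OTP against privacyIDEA's /validate/check endpoint from a third-party
service, keeping the WebUI login endpoint /auth out of the picture."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Assumed from the privacyIDEA REST API: POST /validate/check with form fields
# "user" and "pass"; the JSON reply carries result.status (request succeeded)
# and result.value (credentials accepted). Verify against your server version.
VALIDATE_CHECK = "/validate/check"
# The WebUI login endpoint. A service that is not the WebUI should not use it,
# because WebUI login policies then apply to the service as well.
AUTH_ENDPOINT = "/auth"

Transport = Callable[[str, Dict[str, str]], Dict]


def _http_transport(url: str, form: Dict[str, str]) -> Dict:
    """Real transport: POST a form and parse the JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def check_otp(base_url: str, user: str, password_plus_otp: str,
              transport: Optional[Transport] = None) -> bool:
    """Return True only if privacyIDEA accepted the credentials.

    A reply with result.status == False is a failed request (policy error,
    unknown user, server fault) and is raised, not treated as a wrong OTP,
    so callers cannot confuse an outage with a rejected login.
    """
    transport = transport or _http_transport
    url = base_url.rstrip("/") + VALIDATE_CHECK
    reply = transport(url, {"user": user, "pass": password_plus_otp})
    result = reply.get("result", {})
    if not result.get("status", False):
        message = reply.get("result", {}).get("error", {}).get("message", "unknown error")
        raise RuntimeError(f"privacyIDEA request failed: {message}")
    return bool(result.get("value", False))


def make_fake_transport(accept: bool, status: bool = True) -> Transport:
    """Constructed stand-in for a privacyIDEA server, for offline use.

    Records every URL it was asked for in the returned function's `calls`
    attribute so a caller can confirm which endpoint was used.
    """
    calls = []

    def transport(url: str, form: Dict[str, str]) -> Dict:
        calls.append(url)
        if not status:
            return {"result": {"status": False,
                               "error": {"message": "constructed error"}}}
        return {"result": {"status": True, "value": accept},
                "detail": {"message": "constructed reply"}}

    transport.calls = calls  # type: ignore[attr-defined]
    return transport


if __name__ == "__main__":
    fake = make_fake_transport(accept=True)
    print(check_otp("https://pi.example.invalid", "alice", "secretpin123456", fake))
    print(fake.calls)  # shows that only /validate/check was contacted
```

The service never obtains a WebUI session token this way, and the only privacyIDEA policies that apply are the ones scoped to the validate endpoint; the WebUI's own login policies stay with the WebUI.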


