Thanks, Roland. I mentioned your comment to the privacyIDEA developer
and, for what it's worth, he said:
"I would recommend that a plugin, that wants to know the serial numbers
of a user, should use an administrative service account to do so."
John
On 11/15/21 13:11, Roland Gruber wrote:
Hi John,
thanks for your detailed report. We will look into this.
The background for using /auth is to get the list of possible OTP
serials. But maybe this is not needed any more.
Best regards
Roland
On 15.11.21 at 18:38, John Maher wrote:
The following is a little complicated, so I apologize in advance.
I've been struggling with getting privacyIDEA to work properly with
LAM at same time that my privacyIDEA server is configured to rely on
itself for authentication. Meaning, I want the following:
1. People who have not established a 2FA token can log in to
privacyIDEA using their LDAP account.
2. Once people have a token, they must use their LDAP password+TOTP to
log into privacyIDEA.
3. People can use LAM self service, but must establish a token first (I
direct them to the privacyIDEA server).
4. Once people have a token, they must use their LDAP password in LAM
self service, then they are prompted for TOTP.
I can get 1 and 2 to work, and I can get 3 and 4 to work. But, I
cannot get 1 through 4 to work at the same time.
I admit, there absolutely are things I can configure on the
privacyIDEA server that affect the above, but I cannot get them all
to work at the same time. I presented this issue to the privacyIDEA
forum and the developer indicated that LAM is using the wrong
"privacyIDEA endpoint". Here's the thread, with his message being the
last one:
https://community.privacyidea.org/t/webui-value-breaking-non-privacyidea-service-lam/2207
I changed logging to DEBUG on the privacyIDEA server and learned
(although I don't fully understand) that the privacyIDEA endpoint
"/auth" is indeed in use, and afterwards the "/validate/check"
endpoint is being used.
The developer's point is basically that LAM is trying to use the same
authentication method that the privacyIDEA server itself is using, so
the policies within privacyIDEA that should affect only one of the
authentications are affecting both, even though the two systems (LAM
and privacyIDEA webui) are using two different ways of authenticating.
Roland, I guess what I'm asking is, if you think this assessment is
legitimate, are you inclined to change the plugin in LAM?
Thanks.
John
_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public
--
* - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
John Maher
Senior Systems and Network Administrator
Department of Biochemistry & Molecular Biology and
Department of Chemistry
University of Massachusetts - Amherst
voice: 413-577-3120 fax: 413-545-4490
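The two flows discussed in this thread, as an added illustration that is not part of the original posts and not code from LAM or privacyIDEA: a service that needs a user's OTP serials before calling /validate/check can either log in to /auth as the user (the pattern John's DEBUG log shows LAM using) or, as the privacyIDEA developer recommends, authenticate once with an administrative service account and list the user's tokens with that. `FakePrivacyIdea` is a constructed stand-in modelled on the response shapes of privacyIDEA's /auth, /token and /validate/check endpoints; the rule it enforces (a user who already owns a token is refused a password-only /auth login) is an assumption taken from the thread to model the policy collision John describes, and the usernames, passwords, serial and OTP values are made up.

```python
"""Constructed demo: why an administrative service account avoids the /auth
policy collision.  FakePrivacyIdea is NOT privacyIDEA; it only mimics the
JSON shapes of /auth, /token and /validate/check for this illustration."""
from dataclasses import dataclass, field


@dataclass
class FakePrivacyIdea:
    users: dict     # username -> LDAP password           (constructed)
    tokens: dict    # username -> {serial: current OTP}   (constructed)
    admins: dict    # service account -> password         (constructed)
    sessions: dict = field(default_factory=dict)  # bearer token -> (role, user)

    @staticmethod
    def _err(code, msg):
        return {"result": {"status": False, "error": {"code": code, "message": msg}}}

    @staticmethod
    def _ok(value):
        return {"result": {"status": True, "value": value}}

    def request(self, method, path, params=None, headers=None):
        params, headers = params or {}, headers or {}
        if (method, path) == ("POST", "/auth"):
            user, pw = params.get("username"), params.get("password")
            if user in self.admins and self.admins[user] == pw:
                tok = f"jwt-admin-{user}"
                self.sessions[tok] = ("admin", user)
                return self._ok({"token": tok, "role": "admin"})
            if user in self.users and self.users[user] == pw:
                if self.tokens.get(user):
                    # Assumed webui policy from the thread: once a user owns a
                    # token, /auth as that user requires password+OTP, so a
                    # plain LDAP password login is refused.
                    return self._err(4031, "OTP required for /auth")
                tok = f"jwt-user-{user}"
                self.sessions[tok] = ("user", user)
                return self._ok({"token": tok, "role": "user"})
            return self._err(4031, "wrong credentials")
        if (method, path) == ("GET", "/token"):
            role, who = self.sessions.get(headers.get("Authorization"), (None, None))
            target = params.get("user")
            # Admins may list anyone's tokens; a user may list only their own.
            if role != "admin" and not (role == "user" and who == target):
                return self._err(4033, "not authorised to list these tokens")
            serials = sorted(self.tokens.get(target, {}))
            return self._ok({"tokens": [{"serial": s} for s in serials]})
        if (method, path) == ("POST", "/validate/check"):
            otps = self.tokens.get(params.get("user"), {})
            return self._ok(params.get("pass") in otps.values())
        return self._err(404, "unknown endpoint")


def _serials_from(resp):
    return [t["serial"] for t in resp["result"]["value"]["tokens"]]


def serials_via_user_auth(pi, user, ldap_password):
    """Pattern the thread attributes to LAM: /auth AS THE USER, then list tokens.
    Returns None when the webui policy refuses the login."""
    resp = pi.request("POST", "/auth", {"username": user, "password": ldap_password})
    if not resp["result"]["status"]:
        return None
    jwt = resp["result"]["value"]["token"]
    return _serials_from(pi.request("GET", "/token", {"user": user}, {"Authorization": jwt}))


def serials_via_service_account(pi, admin, admin_password, user):
    """Developer's recommendation: authenticate a service account once and
    enumerate the user's serials with its token, untouched by user policies."""
    resp = pi.request("POST", "/auth", {"username": admin, "password": admin_password})
    if not resp["result"]["status"]:
        raise PermissionError(resp["result"]["error"]["message"])
    jwt = resp["result"]["value"]["token"]
    return _serials_from(pi.request("GET", "/token", {"user": user}, {"Authorization": jwt}))


def check_otp(pi, user, otp):
    """Second step in both flows: hand the OTP the user typed to /validate/check."""
    resp = pi.request("POST", "/validate/check", {"user": user, "pass": otp})
    return bool(resp["result"]["status"] and resp["result"]["value"])


def make_demo_server():
    """Constructed fixture: alice has no token yet, bob already owns one TOTP token."""
    return FakePrivacyIdea(
        users={"alice": "alice-ldap-pw", "bob": "bob-ldap-pw"},
        tokens={"bob": {"TOTP0001": "123456"}},
        admins={"lam-svc": "svc-secret"},
    )


if __name__ == "__main__":
    pi = make_demo_server()
    print("as alice (no token):  ", serials_via_user_auth(pi, "alice", "alice-ldap-pw"))
    print("as bob (has token):   ", serials_via_user_auth(pi, "bob", "bob-ldap-pw"))
    print("service account, bob: ", serials_via_service_account(pi, "lam-svc", "svc-secret", "bob"))
    print("bob OTP 123456 valid: ", check_otp(pi, "bob", "123456"))
```

Running the demo shows the collision in miniature: the user-login path works for alice, who has no token, but returns None for bob as soon as he enrols one, which is exactly the state in which John's step 4 should succeed; the service-account path lists bob's serial regardless, and /validate/check then verifies the OTP on its own.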