Nickolas Wood
@ignitediris

So, I took a stab at augmenting the Kerberos resolver example branch. I currently have it working by combining that branch with the 2.17-1xenial version of the packages available on Ubuntu and changes contributed by gfa...@soundhound.com in this thread:
https://groups.google.com/forum/#!msg/privacyidea/zr2wepesUnU/kWXYHyPtPQAJ

I then took the liberty of extending the getResolverClassDescriptor for the Kerberos Resolver allowing the ability to specify the principal to use.

The magic sauce that makes all of this work is adding an env = KRB5_KTNAME=<keytab file> param to uwsgi. In this way, this app can verify creds directly against Kerberos while using its own service principal that is specifiable. All while being run in tyrant mode with least privilege. This at the very least is a point for documentation.

Is this work useful? If so, where should it go?

It was maddening how close Gabriel was to a configurable, working solution. It would be a shame to let that progress slip away. Kerberos is obscure enough.
quynh-axiadids
@quynh-axiadids
@cornelinux, I have some questions regarding the realm of an unassigned token. Does the realm play any role? I have a token imported to realm a, but a user from realm b can still assign it to themselves. It is not a problem. But I just want to confirm the role of a token realm.
quynh-axiadids
@quynh-axiadids
Oh, I got it. I found in the documentation that the token realm is for the administrator role definition.
sam-axiadids
@sam-axiadids
Hi @cornelinux, quick question: does privacyIDEA support extending the time window for the very first authentication to allow and facilitate auto-resync for tokens that have been imported long after they were manufactured? I've seen other products support that, so I was wondering. Thanks
quoc-axiadids
@quoc-axiadids
@cornelinux, I have a question about the audit logs. The clearance_level field is normally "None" through all my testing. Is this a deprecated field?
Cornelius Kölbel
@cornelinux
@sam-axiadids interesting. It does not. Would you please file an issue as FR?
@sam-axiadids we provide autosync.
Cornelius Kölbel
@cornelinux
@quoc-axiadids this field is not used, yet. The idea is to allow different admins to see different important information.
@quynh-axiadids The idea with the tokenrealm is, that a realm admin should only be able to use tokens in his realm. But logically this should be true for a user in a realm. To me it sounds logical that a user in realmA should only be able to assign tokens in realmA. And not unassigned tokens from any other realm. So this might be a missing implementation.
Cornelius Kölbel
@cornelinux
@ignitediris Correct me if I am wrong. I see very rare use cases for a kerberos resolver. Why would one use a kerberos resolver instead of an LDAP resolver? Especially since setting up kerberos is much more complicated?
@sam-axiadids I think there are two ways to do this.
  1. We could allow an autosync for freshly imported tokens (e.g. TOTP tokens with counter == 0). (This is not what you asked for; autosync requires the user to enter two OTP values.)
  2. We could do an "initial sync". Each token type would have to define how the initial sync is done or checked, if this is initial. Both TOTP and HOTP probably have counter=0. The token settings then would define the additional initial-sync window.
sam-axiadids
@sam-axiadids
Thanks Cornelius. We have to be careful with using counter == 0 since we deal with HOTP tokens sold with PSKCs where the counter doesn't start at 0 (we need to improve PSKC import to support this at some point, btw).
So we would probably have to add a first-use date or flag.
We will open a GitHub enhancement request where possible.
I have a series of patches for PSKC import to submit at some point; they need more testing and some clean-up before we can do so.
Cornelius Kölbel
@cornelinux
This could be done for TOTP-tokens only. Could be a TOTP-token-setting or a token specific policy.
Cornelius Kölbel
@cornelinux
@sam-axiadids I added issue #599.
sam-axiadids
@sam-axiadids
Thanks!
sam-axiadids
@sam-axiadids
Cornelius, thanks for addressing the 2 enhancement requests yesterday! We are testing and will provide feedback. This is great.
balsctob
@balsctob
Hi Guys, I have currently installed privacyidea with simplesamlphp on an Ubuntu 16.04 system. As soon as I connect to simplesamlphp via SAML (and also some sites on the admin web ui) there are some error messages about missing files. When I checked the contents of /usr/share/simplesamlphp/modules/privacyidea/ and compared them with the github repository for the plugin, I saw that a lot of files are missing. After cloning the git repository and moving all the files to that directory, everything works fine.
I had the issue already a few weeks ago, also on an Ubuntu 16.04 system. So I guess there is something wrong with the privacyidea-simplesamlphp package.
Nickolas Wood
@ignitediris

@cornelinux , I do not have notifications turned on. Apologies for the rather delayed response.
Kerberos use will be rather rare; no arguments. The difficulty rating for Kerberos is a personal opinion; it isn't much harder than LDAP once one understands how it works.

The reason the work I was talking about is useful (to me) is that it allows me to assign a Kerberos principal to the OTP service itself. So, when cred validation occurs, the service, using its principal, talks to Kerberos. In this way, all the handshaking that occurs within a Kerberos transaction succeeds and validation can proceed.

The Kerberos resolver extends the LDAP resolver. Cannot use one without the other in this case. It is not an either/or scenario.

I have no problem keeping this to myself and my own installation. There have been a couple of people now looking for such functionality and it took quite a while tracking down the various attempts and extending them into this. Thought I would contribute back if you wanted it.

Cornelius Kölbel
@cornelinux
Hi @balsctob , can you please open an issue at https://github.com/privacyidea/simplesamlphp-module-privacyidea
@ignitediris If you are adding a pull request again, I'd be happy to look at it. Thanks a lot!
balsctob
@balsctob
@cornelinux sure, issue is opened.
Raoul Thill
@rthill
I have users with a SMS and TOTP token. How can I disable sending out SMS OTP tokens when using the /validate/check method?
From workflow point of view, I would like to first authenticate the user in the userstore, receive a transaction_id, fetch all types of user assigned tokens and only trigger an SMS when the user chooses SMS token. Then the second call to /validate/check would include transaction_id and OTP token as pass.
Cornelius Kölbel
@cornelinux
If the user passes the userstore password, a.k.a. the token PIN, privacyIDEA triggers a challenge-response token like the SMS token. You can only disable it by changing the code, in whichever way.
You could however run a POST /auth request for the user, and then handle everything in your application, like the user fetching his tokens using GET /token. I.e. try to not only look at the /validate endpoint; obviously other endpoints might help.
Raoul Thill
@rthill
Thanks Cornelius, this reinforces my idea of implementation. I would make use of GET /token to fetch the tokens assigned to the user and POST /validate/triggerchallenge to generate a transaction_id for a given token. Then, to validate, a POST /validate/check including transaction_id and OTP.
Cornelius Kölbel
@cornelinux
You can do this. But I usually would try to avoid using /validate/triggerchallenge but rather let the user provide his otp pin / password.
Nickolas Wood
@ignitediris
PR opened @cornelinux . Now at least, the code is in a form that others can use instead of buried in a thread.
Cornelius Kölbel
@cornelinux
Great! I saw the PR. Thanks a lot. I have some kind of backlog but will look at it as soon as possible.
Raoul Thill
@rthill
How can I search for a specific user using the searchexpr on GET /user? It does not work for me. Is there another way to search for users and see the configured attributes?
Raoul Thill
@rthill
Nevermind, I have to replace <searchexpr> by a valid attribute
Abhishek Choudhery
@Abhishek103
@cornelinux
Hi all
Actually I am trying to implement 2FA on my SimpleSAMLphp IdP and SP using the privacyIDEA module. Now I wish to set up the privacyIDEA OTP server on Windows, but all your documentation is Linux specific. I was wondering if it can be installed on Windows or not?
Cornelius Kölbel
@cornelinux
Rather not :-)
I personally will not support this.
Abhishek Choudhery
@Abhishek103
Ok .. cool
jralbert
@jralbert
I've read through the documentation, but still have a few questions around the policy side of privacyIDEA. In particular I'm curious about token priority: can I define a specific order of token challenge? Can I set a policy that demands a specific token or token priority order for a particular type of connection?
Alexsander Antunes
@alexsanderantunes
Hi, I read this http://www.databreachtoday.com/bank-account-hackers-used-ss7-to-intercept-security-codes-a-9893 . But I have a question. If I use TTS to read the OTP token to the user instead of sending an SMS token, will I mitigate this attack?
Raoul Thill
@rthill
I'm missing a refresh button after the lock screen asking for a password. If I use browser refresh I am logged out immediately, but I think it would be useful, on the token list screen for example, to be able to refresh that list without loading another page and switching back to the list.
Cornelius Kölbel
@cornelinux
@jralbert I am sorry. Obviously gitter does not work out - at least for me. You can not define a challenge order. It is not necessary. If there are several tokens with the same PIN, challenges for all tokens are triggered. The application (or the user) can decide, which challenge to use. Please use https://community.privacyidea.org for further requests. I will close this gitter room.
@alexsanderantunes What is TTS? Please go to https://community.privacyidea.org and ask questions there in the future. Will close this gitter chat.
@rthill Right. Just open a feature request at github. And if you have some ideas on the implementation, paste them, too. please.
Hi all. I will close this gitter chat (I do not know how to do this, yet) because it did not prove useful. So you are all welcome to come to https://community.privacyidea.org Thanks a lot