Documentation UserIdResolvers missing password attribute


Nicke

Feb 12, 2016, 7:38:24 AM
to privacyidea
I set up a SQL Resolver with the column names found in the attribute mapping list. I got problems in some places and it stopped when I also added a password column to my MySQL database table and updated my SQL mapping. I think the password attribute is missing in the documentation?

Cornelius Kölbel

Feb 12, 2016, 8:36:20 AM
to priva...@googlegroups.com
Hi Nicke,

you are right. "password" is not mentioned.
There is no standard way how passwords are stored and checked in an SQL
database. privacyIDEA supports a bunch of them.
https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/resolvers/SQLIdResolver.py#L355
(Wordpress style, OTRS style, SHA and several secure SHA ways)

Stopped working? Check your configuration and the privacyIDEA debug log.

kind regards
Cornelius
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/28251e34-5a8e-4f22-bc16-291f99142437%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Cornelius Kölbel

Feb 12, 2016, 9:41:54 AM
to priva...@googlegroups.com
Hi Nicke,

I added a short documentation about the passwords.

"""
https://github.com/privacyidea/privacyidea/blob/master/doc/configuration/useridresolvers.rst

Note

There is no standard way to store passwords in an SQL database. There
are several different ways to do this. privacyIDEA supports the most
common ways like Wordpress hashes starting with $P or $S. Secure hashes
starting with {SHA} or salted secure hashes starting with {SSHA},
{SSHA256} or {SSHA512}. Password hashes of length 64 are interpreted as
OTRS sha256 hashes.
"""

This will be on readthedocs shortly.

Thanks for your input.

Kind regards
Cornelius
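
As an added illustration of the formats listed in the documentation note above (this is not part of the thread and not privacyIDEA's own code), the sketch below classifies a stored password value by its prefix or length and verifies the LDAP-style and OTRS-style ones. The byte layouts are assumptions: the common LDAP convention of base64(digest(password + salt) + salt), and OTRS-style as an unsalted SHA-256 hex digest; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Assumed layout (common LDAP convention, not taken from privacyIDEA's code):
# prefix -> (hashlib name, digest size); the bytes after the digest are the salt.
LDAP_SCHEMES = {
    "{SHA}": ("sha1", 20),
    "{SSHA}": ("sha1", 20),
    "{SSHA256}": ("sha256", 32),
    "{SSHA512}": ("sha512", 64),
}


def classify(stored: str) -> str:
    """Name the storage format of a password column value by prefix or length."""
    if stored.startswith(("$P", "$S")):
        return "wordpress"
    for prefix in LDAP_SCHEMES:
        if stored.startswith(prefix):
            return prefix
    if len(stored) == 64:
        return "otrs-sha256"
    return "unknown"


def make_ssha(password: str, scheme: str = "{SSHA256}", salt: bytes = None) -> str:
    """Build a value for one of the salted {SSHA*} prefixes with a random salt."""
    name, _ = LDAP_SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(name, password.encode() + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode()


def verify(stored: str, password: str) -> bool:
    """Check a password against an LDAP-style or OTRS-style stored value."""
    kind = classify(stored)
    if kind in LDAP_SCHEMES:
        name, size = LDAP_SCHEMES[kind]
        raw = base64.b64decode(stored[len(kind):])
        digest, salt = raw[:size], raw[size:]  # {SHA} carries an empty salt
        calc = hashlib.new(name, password.encode() + salt).digest()
        return hmac.compare_digest(calc, digest)
    if kind == "otrs-sha256":  # assumption: unsalted SHA-256 hex digest
        calc = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(calc, stored.lower())
    raise ValueError("format not handled in this example: " + kind)
```

Of the formats this sketch verifies, only the {SSHA*} ones carry a per-user salt, so equal passwords produce different column values there and identical ones under {SHA} or the 64-character form.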

Nicke

Feb 12, 2016, 9:49:27 AM
to privacyidea
Looks good. 
I am thinking this way: I am starting from scratch by creating a users table and want to implement something that privacyidea likes. Let's say this table will not be managed by privacyidea. What is the recommended way to store passwords? That is not described in your documentation and maybe should be there.

Another thing,
When using the "add user" feature within webgui, there also exist a "Description" field. That is not described in the documentation.

Cornelius Kölbel

Feb 12, 2016, 10:00:28 AM
to priva...@googlegroups.com
Hey Nicke,

let me guess: You are the software tester and QA manager in your
company? ;-)

Yeah, there might be no documentation for a field description. But maybe
this is obvious. Do you know these software products where you open the
help screen and it tells you:

"Description - here you may enter a description for the user".

Many products work this way. And I always disliked it.
Or take the checkbox

"[x] this resolver is editable"

The documentation might be: "If you click this checkbox, you mark the
resolver as editable."

This is just waste. The documentation needs to explain to you that an
editable resolver means, that privacyIDEA can write into the resolver to
modify user data. So that even users can be managed from within
privacyIDEA. That this is only implemented for SQL at the moment, since
modifying SQL is more straightforward than modifying LDAP or parsing
plain text files...

(of course also privacyIDEA documentation needs improvement. All
documentation does)

Don't get me wrong. I appreciate all feedback and input. Feel free to
either point out other flaws or even do a pull request. Also on
documentation if you think it is worth adding additional chapters.

As far as the easy editable user resolver or recommended password field
is concerned, there is a shell script

privacyidea-create-userdb

which creates an SQLite user DB at /etc/privacyidea/users.sqlite and in
addition creates the resolver and realm accordingly.

It instruments the commands

pi-manage resolver create

and

pi-manage realm create

Take a look at it to get an idea, how you could easily create your user
table in any other database.

Kind regards
Cornelius

Nicke

Feb 12, 2016, 10:08:37 AM
to privacyidea
Aa, great feedback.
I will take a look at privacyidea-create-userdb.