Administrators from AD group


psor...@gmail.com

Feb 15, 2017, 9:08:23 AM2/15/17
to privacyidea
Hi,

How can I configure privacyIDEA so that some users from a certain AD group have administrator rights?

jmdeking

Feb 16, 2017, 4:38:32 AM2/16/17
to privacyidea
I think AD integration for managing privacyIDEA is not possible. I have a few local accounts to which I assigned certain policy rights. Trying it with AD accounts, for which I have multiple LDAP resolvers, didn't do anything.

Cornelius Kölbel

Feb 16, 2017, 5:13:49 AM2/16/17
to privacyidea
Hi jmdeking, 
thanks a lot for jumping in and your suggestion on this.

Hi psorobka,
You can do this using the SUPERUSER_REALM in pi.cfg.
I think it is well documented at http://privacyidea.readthedocs.io and there is even a video about this: https://www.youtube.com/watch?v=4CEHKtzyokw
Subscribe to the channel!
Thanks
Cornelius

Jochen Hein

Feb 16, 2017, 12:15:58 PM2/16/17
to psor...@gmail.com, privacyidea
psor...@gmail.com writes:

> how can I configure PrivacyIDEA so that some users from certain AD group
> have administrator rights?

I do run privacyidea against FreeIPA, but the idea should work for AD as
well (modulo attribute names).

I have two LDAP resolvers, one for all users and one for admins.
The only difference is the searchfilter:
(memberof=cn=admins,cn=groups,cn=accounts,dc=example,dc=org)

The admin resolver is used in the admin domain, so when I log in as
jochen@admin I have admin rights, but joc...@example.org is a plain
user.

Jochen

--
The only problem with troubleshooting is that the trouble shoots back.

Kris Lou

Feb 16, 2017, 1:52:51 PM2/16/17
to privacyidea
So that we can find the answers to this later (I haven't verified, but pretty sure this is what you guys are talking about):


--
Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/
---
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/83vasaqcqo.fsf%40jochen.org.
For more options, visit https://groups.google.com/d/optout.

psor...@gmail.com

Feb 17, 2017, 9:53:35 AM2/17/17
to privacyidea
How to (given you are an AD user inside the AD groups "users" and "admins"):
1. Create a realm "users" with resolver which points to the AD "users" group (might contain admins as well), this might be a default realm
2. Create a realm "admins" with resolver which points to the AD "admins" group
3. Edit /etc/privacyidea/pi.cfg and set SUPERUSER_REALM = ['super', 'administrators','admins']
4. Restart httpd
5. Login as AD user - you will be a normal user
6. Login as AD user@admins - you will be an admin

Done.

You can also create a policy so that on login page you will have a combo box with selection of realms - create policy with webui scope 
and realm_dropbox checked - enter "users admins"

Voila.
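The following is an added example, not code from privacyIDEA or from anyone in this thread. It models how Jochen's two-resolver setup and the SUPERUSER_REALM how-to above combine to decide who gets admin rights: the two resolvers differ only in their memberOf search filter, each realm points at one resolver, and a login of the form name@realm is admin only if the realm is listed in SUPERUSER_REALM and the realm's resolver actually finds the user. The directory entries, group DNs, realm names and the `login_role` helper are constructed for this illustration; the attribute is written as FreeIPA-style memberOf, as in Jochen's filter (AD spells it memberOf as well).

```python
"""Added example (not privacyIDEA code): models realm-based admin rights
as described in the thread. All directory data below is constructed."""
import re

# pi.cfg setting quoted in the how-to: members of these realms become admins.
SUPERUSER_REALM = ['super', 'administrators', 'admins']
DEFAULT_REALM = 'users'  # assumption: the "users" realm is the default realm

# Constructed sample directory entries (DNs follow Jochen's FreeIPA example).
DIRECTORY = [
    {"uid": "jochen", "memberOf": ["cn=admins,cn=groups,cn=accounts,dc=example,dc=org",
                                   "cn=users,cn=groups,cn=accounts,dc=example,dc=org"]},
    {"uid": "alice", "memberOf": ["cn=users,cn=groups,cn=accounts,dc=example,dc=org"]},
    {"uid": "mallory", "memberOf": []},  # in no group at all
]

# The two LDAP resolvers: the search filter is the only difference.
RESOLVERS = {
    "users":  "(memberOf=cn=users,cn=groups,cn=accounts,dc=example,dc=org)",
    "admins": "(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=org)",
}

# Realm -> resolver mapping (steps 1 and 2 of the how-to).
REALMS = {"users": "users", "admins": "admins"}


def matches_filter(entry, ldap_filter):
    """Evaluate a single equality filter '(attr=value)' against one entry.
    Only this small subset of RFC 4515 is needed for the memberOf filters
    in the thread; DN values are compared case-insensitively."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    attr, value = m.group(1), m.group(2)
    got = entry.get(attr, [])
    if not isinstance(got, list):
        got = [got]
    return any(v.lower() == value.lower() for v in got)


def resolve_user(login, realm):
    """Look the login name up through the realm's resolver.
    Returns the entry, or None if the resolver's filter excludes it."""
    ldap_filter = RESOLVERS[REALMS[realm]]
    for entry in DIRECTORY:
        if entry["uid"] == login and matches_filter(entry, ldap_filter):
            return entry
    return None


def login_role(login_string):
    """Return (role, realm) for 'name' or 'name@realm', where role is
    'admin', 'user' or None (login fails). Mirrors steps 5 and 6: a bare
    name goes to the default realm, 'name@admins' goes to the admins realm,
    and only a realm listed in SUPERUSER_REALM grants the admin role."""
    name, _, realm = login_string.partition("@")
    realm = realm or DEFAULT_REALM
    if realm not in REALMS:
        return None, realm          # unknown realm: nothing to resolve against
    if resolve_user(name, realm) is None:
        return None, realm          # not found by that realm's resolver: login fails
    role = "admin" if realm in SUPERUSER_REALM else "user"
    return role, realm


if __name__ == "__main__":
    for attempt in ("jochen", "jochen@admins", "alice", "alice@admins", "mallory"):
        print("%-14s -> %s" % (attempt, login_role(attempt)))
```

The case worth noticing is `alice@admins`: typing the admins realm at login does not make her an admin, because the admins resolver's memberOf filter never returns her entry, so the login simply fails. Admin rights therefore follow group membership in the directory, and removing someone from the AD admins group revokes privacyIDEA admin access without touching pi.cfg.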

jmdeking

Feb 27, 2017, 10:58:47 AM2/27/17
to privacyidea
Thanks a lot, I didn't know this. Gonna try it.