BUG? passOnNoUser and passOnNoToken (privacyIDEA 2.11.2)


simv...@gmail.com

May 3, 2016, 7:12:53 AM
to privacyidea
Hello!
I'm using privacyIDEA 2.11.2.

Setting passOnNoUser and passOnNoToken this is the result:

Reply-Message = "ERR905: The user can not be found in any resolver in this realm!" if the user is not present....

or

Reply-Message = "privacyIDEA access granted"  also if the user is present and has token assigned!

Is it a bug?
Could you help me?

Regards

---
Sim

Cornelius Kölbel

May 3, 2016, 7:17:33 AM
to priva...@googlegroups.com
Hi Sim,

can you please describe
- your settings,
- what you are doing and
- the effects you get in more detail?

I don't quite get your problem.

Thanks a lot
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



simv...@gmail.com

May 3, 2016, 7:46:40 AM
to privacyidea
Hello Cornelius,
thank you for the quick reply! :-)

The settings are really simple.

REALMS:
business -> business-mysql [] (sqlresolver)

USERS:
business-mysql -> sqlresolver   (local DB/TABLE)

POLICIES:
business_authentication -> authentication { "passOnNoUser": true, "passOnNoToken": true } [ "business" ] [] [ "business-mysql" ] []


I have an external application (with local accounts, user/pass).
For login, "user, password and otp (optional)" are requested.
The OTP will be checked outside that system (privacyIDEA in this case) with a POST/JSON query (user/token).
I would not want to create all users in privacyIDEA, and I need a "true" reply for no-user (in the sqlresolver) and no-token (created users but without OTP).

When enabling "passOnNoUser: true" and "passOnNoToken: true", privacyIDEA replies:

access granted if the user is present (ok!),
ERR905 if the local user is not present (why?),
access granted if the user is present with token but bad token (why?)

Thank you again!

Sim
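
The three outcomes listed in the message above can be written down as a small regression check. This is an added example, not part of the thread and not privacyIDEA code: the decision function models the behaviour the poster expects from `passOnNoUser` and `passOnNoToken` (an assumption taken from the message), the case labels are hypothetical, and the observed values are constructed from the two unexpected replies the message reports.

```python
# Added illustration, not privacyIDEA code. Models the outcome the poster
# expects from the two policy actions (assumption taken from the thread).

def expected_result(policy, user_exists, token_count, otp_valid):
    """Return True (grant) or False (reject) under the intended semantics."""
    if not user_exists:
        return bool(policy.get("passOnNoUser"))
    if token_count == 0:
        return bool(policy.get("passOnNoToken"))
    # A user who has a token must always present a valid OTP.
    return bool(otp_valid)

POLICY = {"passOnNoUser": True, "passOnNoToken": True}

# Hypothetical case labels: (label, user_exists, token_count, otp_valid)
CASES = [
    ("unknown user", False, 0, False),
    ("known user, no token", True, 0, False),
    ("known user, token, good OTP", True, 1, True),
    ("known user, token, bad OTP", True, 1, False),
]

def audit(observed, policy=POLICY):
    """Compare observed grant/reject results with the expected ones.

    Cases missing from `observed` are skipped. Returns a list of
    (label, expected, observed, kind) for every mismatch.
    """
    findings = []
    for label, exists, tokens, otp_ok in CASES:
        if label not in observed:
            continue
        want = expected_result(policy, exists, tokens, otp_ok)
        got = observed[label]
        if got != want:
            kind = "fail-open" if got else "fail-closed"
            findings.append((label, want, got, kind))
    return findings

# Constructed from the two unexpected results reported in the thread.
OBSERVED_REPORTED = {
    "unknown user": False,               # reply was ERR905
    "known user, token, bad OTP": True,  # reply was "access granted"
}

if __name__ == "__main__":
    for finding in audit(OBSERVED_REPORTED):
        print(finding)
```

A "fail-open" finding is the one that matters for security: a grant where the model expects a reject. Re-running the same cases after an upgrade shows whether the mismatch is gone.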

Cornelius Kölbel

May 3, 2016, 8:10:41 AM
to priva...@googlegroups.com
Hi Sim,

I will create a test case for this and come back to you.

Kind regards
Cornelius

simv...@gmail.com

May 3, 2016, 8:19:06 AM
to privacyidea
Thank you Cornelius! :-)

Sim

Cornelius Kölbel

May 4, 2016, 8:52:41 AM
to priva...@googlegroups.com
Hello Sim,

congratulations and thanks a lot!
You found a severe bug, for which we just released the advisory and
fix/update.
Please read here:
https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/

Kind regards
Cornelius

simv...@gmail.com

May 5, 2016, 3:10:31 PM
to privacyidea
Hello Cornelius,
excuse me for the delay, but I was out of office.
Thank you very much for the quick support and fix!
I've performed the testing now and it works as expected.

Best Regards

Sim

Cornelius Kölbel

May 5, 2016, 4:58:54 PM
to priva...@googlegroups.com

Hi Sim,

thanks a lot for the feedback.

Kind regards
Cornelius