Hello Sergey,
thanks a lot for your feedback.
This is your chance to help to improve the docs.
At which part were you expecting this information - so I can add it
there!
The difference is the following:
The admin-realm would be the realm of the administrator, for whom this
policy fits. The user-realm is the realm of users, the administrator is
allowed to manage.
Assume you have created a realm and defined this realm to be
administrators.
Then logging in as sergey@admin would give you the role=admin.
Assume you connect to the same LDAP with a realm "users", then logging
in as sergey@users would link to the same LDAP object but would give you
the role=user.
On Sunday, 10.01.2016, 08:48 -0800, Sergey Kolosovski wrote:
> Hello all
> What is a difference between Admin-realm and User-realm within the
> admin policy?
>
> Let's say I want to be able to log in as admin into PI using my LDAP
> username and "@admin" suffix appended. I'm creating
> 1) user ID resolver which filters only my username
> 2) realm "admin" and link in to this resolver
> 3) in "/etc/privacyidea/pi.cfg" comment
> #SUPERUSER_REALM = ['super'],
> add
> SUPERUSER_REALM = ['admin']
> 4) Create a scope admin policy and specify there "admin" as a value
> of Admin-realm.
Correct this far. Then your user in this realm would get the role=admin,
when logging in.
> There's a problem. In the Admin-realm list I still have only "super"
> realm (WHY?).
The pi.cfg is only read when restarting the Apache server.
> Then, I include actions, and need to specify a User-realm. Why if I
> have already been asked about Admin-realm?
As mentioned above: The admin realm only defines that this policy is
valid for YOUR admin. Assume there are other admins. This policy would
not be for them.
> And then I also need to specify resolver. Why again if I already
> specified User-realm which already linked to the user-resolver needed?
You do not need to specify the resolver. This is optional.
> Then the Admin field. What is this for? To include the PI-internal
> admin users to this policy only?
These are admin usernames, if you want to split this down to admin
accounts.
I hope this helps to shed some light.
And I would really appreciate a hint about the location for improving
the docs.
...if it is some other place than the top level policy documentation.
http://privacyidea.readthedocs.org/en/latest/policies/index.html
Kind regards
Cornelius
> Or it could be used somehow to filter users from the user-resolver
> which are able to log into this realm?
> Could someone assist, because I read the docs and didn't catch the
> sense
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
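As an added illustration (not privacyIDEA's own code), a small Python model of what the answer above describes: the realm suffix of the login decides the role via SUPERUSER_REALM, and an admin policy applies only when the admin-realm, the user-realm and, if set, the resolver and admin username all fit. The policy field names, the action string and the logins are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed config value, mirroring the pi.cfg line quoted in the thread.
SUPERUSER_REALM = ["admin"]


def role_for_login(login: str) -> str:
    """Derive the role from the realm suffix: sergey@admin -> 'admin',
    sergey@users -> 'user'. The same LDAP object gets either role,
    depending only on the realm it is addressed through."""
    _user, _, realm = login.rpartition("@")
    return "admin" if realm in SUPERUSER_REALM else "user"


@dataclass
class AdminPolicy:
    """Model of one admin-scope policy (field names are assumptions)."""
    action: str
    admin_realm: str                     # realm of the admin this policy is for
    user_realm: str                      # realm of the users that admin may manage
    resolver: Optional[str] = None       # optional narrowing to one resolver
    admins: Optional[List[str]] = None   # optional narrowing to admin usernames

    def applies(self, admin_login: str, user_realm: str,
                resolver: Optional[str] = None) -> bool:
        admin_name, _, admin_realm = admin_login.rpartition("@")
        if admin_realm != self.admin_realm:      # policy is for another admin realm
            return False
        if user_realm != self.user_realm:        # users outside the managed realm
            return False
        if self.resolver and resolver != self.resolver:
            return False
        if self.admins and admin_name not in self.admins:
            return False
        return True


def allowed(policies: List[AdminPolicy], admin_login: str, action: str,
            user_realm: str, resolver: Optional[str] = None) -> bool:
    """Non-admins are refused outright; admins need a matching policy."""
    if role_for_login(admin_login) != "admin":
        return False
    return any(p.action == action and p.applies(admin_login, user_realm, resolver)
               for p in policies)
```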