User Token Visibility

Kris Lou

Apr 28, 2017, 3:01:29 PM
to privacyidea
So, I just did the following:

* Created a new Resolver
* Added this to my existing default Realm, with a _higher_ priority than the existing LdapResolver

As a result, it appears that all of the tokens assigned to a user are no longer visible to that user, unless they (tokens) are also reassigned to the new Resolver.

Is this correct behavior?  As the user has no control over the Resolver, will I have to re-assign all of my existing tokens?

Thanks,
-Kris

Cornelius Kölbel

May 1, 2017, 3:36:02 AM
to privacyidea
Hi Kris,

a lower number means a higher priority.
Just like when you are #1 in real life ;-)

Kind regards
Cornelius

Kris Lou

May 1, 2017, 12:41:13 PM
to privacyidea
I had seen that -- I just wasn't aware that tokens were also tied to specific resolvers.  

In my case, I switched from querying a specific DC to querying the domain, and allowing DNS to handle that portion.  I don't have a lot of users, so it wasn't a huge deal to make the switch.  

But if a Resolver target would need to be replaced in a much larger organization, that could be a LOT of work to troubleshoot.  On the other hand, I suppose I could only change the Server URI and not create a new Resolver.


Cornelius Kölbel

May 3, 2017, 6:49:24 PM
to privacyidea
You would reconfigure the resolver - right. No big deal.

