privacyIDEA Documentation Release 1.4
Cornelius Kölbel
October 06, 2014
CONTENTS
1 Overview 3
2 Installation 5 2.1 Python package index...... 5 2.2 Debian packages...... 5
3 The ini file 9 3.1 Common config...... 9 3.2 Audit...... 9 3.3 Other paramters...... 10 3.4 Database connection...... 11 3.5 Logfiles...... 11
4 Login to the Web UI 13 4.1 Login for normal users...... 13 4.2 Login for administrators...... 13
5 Configuration 15 5.1 UserIdResolvers...... 15 5.2 Realms...... 19 5.3 System config...... 20 5.4 Token configuration...... 22 5.5 privacyIDEA setup tool...... 24
6 Tokenview 27 6.1 Functions for one token...... 27 6.2 Functions for multiple tokens...... 30 6.3 Columns...... 31
7 Userview 33 7.1 Enroll tokens...... 33 7.2 Assign tokens...... 33
8 Policies 35 8.1 Admin policies...... 35 8.2 System policies...... 39 8.3 Selfservice policies...... 40 8.4 Enrollment policies...... 44 8.5 Authentication policies...... 46 8.6 Authorization policies...... 48 8.7 Audit policies...... 49
i 8.8 Machine policies...... 49 8.9 OCRA policies...... 50 8.10 Gettoken policies...... 51
9 Client machines 55 9.1 SSH...... 55 9.2 LUKS...... 56
10 Audit 57 10.1 Cleaning up entries...... 57
11 Tools 59 11.1 Get Serial by OTP value...... 59 11.2 Copy token PIN...... 59 11.3 Check Policy...... 59 11.4 Export token information...... 60 11.5 Export audit information...... 60
12 Import 61 12.1 SafeNet XML...... 61 12.2 OATH CSV...... 61 12.3 Yubikey CSV...... 62
13 The code documentaton 63 13.1 UserIdResolvers...... 63 13.2 Audit log...... 67 13.3 Controllers...... 68 13.4 library functions...... 95
14 Indices and tables 101
Python Module Index 103
Index 105
ii privacyIDEA Documentation, Release 1.4
The privacyIDEA documentation is work in progress. If you are missing any information or descriptions file an issue at github (which would be the preferred way), drop a note to info(@)privacyidea.org or go to the Google group. This will help us a lot to improve documentation to your needs. Thanks a lot!
CONTENTS 1 privacyIDEA Documentation, Release 1.4
2 CONTENTS CHAPTER ONE
OVERVIEW
privacyIDEA is a system that is used to manage devices for two factor authentication. In the beginning there were OTP tokens, but other means to authenticate like SSH keys are added. Other concepts like handling of machines or enrolling certificates are coming up, you may monitor this development on Github. privacyIDEA is a web application written in Python based on the pylons framework. You can use any webserver with a wsgi interface to run privacyIDEA. E.g. this can be Apache, Nginx or the python paster. A device or item used to authenticate is still called a “token”. All token information in stored in an SQL database, while you may choose, which database you want to use. privacyIDEA uses SQLAlchemy to map the database to internal objects. Thus you may choose to run privacyIDEA with SQLite, MySQL, PostgreSQL, Oracle, DB2 or other database. privacyIDEA provides a Web API, which you can investigate at http://api.privacyidea.org/. Administrators can use a Web UI or a command line client to manage authentication devices. Users can login to a self service portal. Authentication is performed via the API or certain plugins for FreeRADIUS, simpleSAMLphp, Wordpress, Contao, Dokuwiki... to either provide default protocols like RADIUS or SAML or to integrate into applications directly. Due to this flexibility there are also many different ways to install and setup privacyIDEA. We will take a look at certain comman ways to setup privacyIDEA in the section Installation but there are still many others.
3 privacyIDEA Documentation, Release 1.4
4 Chapter 1. Overview CHAPTER TWO
INSTALLATION
2.1 Python package index
You can install privacyidea on usually any linux distribution in a pyhton virtual environment like this: virtualenv /opt/privacyidea cd /opt/privacyidea source bin/activate
Now you are within the python virtual environment. Within the environment you can now run: pip install privacyidea pip install privacyideaadm
Depending on the database you want to use, you may have to install additional packages. TODO: Configuration and setup with webserver
2.2 Debian packages
There are ready made debian packages for Ubuntu 14.04 LTS. These are available in a public ppa repository, so that the installation will automatically resolve all dependencies. Install it like this: add-apt-repository ppa:privacyidea/privacyidea apt-get update apt-get install privacyidea privacyideaadm
Optionally you can also install necessary configuration files to run privacyIDEA within the Nginx Webserver: apt-get install privacyidea-nginx
2.2.1 Appliance
There is also the possibility to install privacyIDEA on an Ubuntu 14.04 system in an appliance like way: add-apt-repository ppa:privacyidea/privacyidea apt-get update apt-get install privacyidea-appliance privacyidea-radius which will setup a system containing everything. It also provides a tool to easily configure privacyIDEA, add admin- istrators and manage your RADIUS clients.
5 privacyIDEA Documentation, Release 1.4
To take closer look at this tool read privacyIDEA setup tool.
2.2.2 Application packages
We also provide debian packages for certain applications.
FreeRADIUS privacyIDEA has a perl module to “translate” RADIUS requests to requests to the privacyIDEA server. This module plugs into FreeRADIUS. The FreeRADIUS does not have to run on the same machine like privacyIDEA. To install this module: apt-get install privacyidea-radius
If you are running your FreeRADIUS server on another distribution, you may download the module at 1. Then you need configure your FreeRADIUS site and the perl module.
Note: The perl module is not thread safe, so you need to start FreeRADIUS with the -t switch.
SimpleSAMLphp
Starting with 1.4 privacyIDEA also supports SAML via a plugin for simpleSAMLphp 2. The simpleSAMLphp service does not need to run on the same machine like the privacyIDEA server. To install it on a Ubuntu 14.04 system please run: apt-get install privacyidea-simplesamlphp
Follow the simpleSAMLphp instructions to configure your authsources.php. A usual configuration will look like this: ’example-privacyidea’ => array( ’privacyidea:privacyidea’,
/* * The name of the privacyidea server and the protocol * A port can be added by a colon * Required. */ ’privacyideaserver’ => ’https://your.server.com’,
/* * Check if the hostname matches the name in the certificate * Optional. */ ’sslverifyhost’ => False,
/* * Check if the certificate is valid, signed by a trusted CA * Optional. */ ’sslverifypeer’ => False,
1 https://github.com/privacyidea/privacyidea/tree/master/authmodules/FreeRADIUS 2 https://github.com/privacyidea/privacyidea/tree/master/authmodules/simpleSAMLphp
6 Chapter 2. Installation privacyIDEA Documentation, Release 1.4
/* * The realm where the user is located in. * Optional. */ ’realm’ => ’’,
/* * This is the translation from privacyIDEA attribute names to * SAML attribute names. */ ’attributemap’ => array(’username’ => ’samlLoginName’, ’surname’ => ’surName’, ’givenname’ => ’givenName’, ’email’ => ’emailAddress’, ’phone’ => ’telePhone’, ’mobile’ => ’mobilePhone’, ), ),
2.2. Debian packages 7 privacyIDEA Documentation, Release 1.4
8 Chapter 2. Installation CHAPTER THREE
THE INI FILE
privacyIDEA is a pylons application that uses an ini-file. The default location of the ini-file is /etc/privacyidea/privacyidea.ini, but depending on your installation it can reside anywhere else.
3.1 Common config
The ini file looks like this: [DEFAULT] debug = false profile = false email_to = [email protected] smtp_server = localhost error_email_from = paste@localhost
You can use the debug parameter to output debug messages, if you are running privacyIDEA with the paster. If you are running privacyIDEA in Apache WSGI, you need to set this to false. The profile parameter writes profiling output, so that you can measure the performance of the code. The parameters email_to, smtp_server and error_email_from can be used to send email in cases of severe error.
3.2 Audit
There are audit specific parameter: privacyideaAudit.type = privacyidea.lib.auditmodules.sqlaudit privacyideaAudit.key.private = %(here)s/private.pem privacyideaAudit.key.public = %(here)s/public.pem
privacyideaAudit.sql.url = mysql://privacyidea:privacyidea@localhost/privacyidea privacyideaAudit.sql.highwatermark = 10000 privacyideaAudit.sql.lowwatermark = 5000
privacyIDEA can write an Audit log. With the paramter privacyideaAudit.type you can specify which python module should be used to write the log. The audit trail is digitally signed. So you need to specify a private and public RSA key privacyideaAudit.key.private and privacyideaAudit.key.public.
9 privacyIDEA Documentation, Release 1.4
You can decide, which audit module should be used for the audit log to be written. privacyIDEA comes with an SQLAudit module privacyidea.lib.auditmodules.sqlaudit that writes the audit log to an SQL database table. You could also create your own audit module. Take a look at Audit log.
3.2.1 Audit log rotation
The SQL audit module can do audit log rotation. To optimize performace log rotation is not performed within the server context but you can call the module to do it: python /usr/lib/python2.7/dist-packages/privacyidea/lib/auditmodules/sqlaudit.py
You can need to add the parameter --file and you can add the parameters --high and -low. If these parameters are not specified, the values hightwatermark and the lowwatermark are read from the ini-file. (also see Audit) If the audit table reaches the number of entries specified in highwatermark old entries will be deleted, so that only lowwatermark entries remain. You should set up a cron job to rotate the audit log.
3.3 Other paramters
Finally there are several other parameters: # If true, OTP values can be retrieved via the getotp controller privacyideaGetotp.active = True privacyideaSecretFile = %(here)s/dummy-encKey
# This file contains the token administrators. # It can be created like this: # % tools/privacyidea-create-pwidresolver-user -u admin -p test -i 1000 >> config/admin-users privacyideaSuperuserFile = %(here)s/admin-users # list of realms, that are admins privacyideaSuperuserRealms = superuser, 2ndsuperusers privacyIDEASessionTimeout = 1200 # This is the server, where this system is running. # This is need to issue a request during login to the # management with an OTP token. privacyideaURL = http://localhost:5001 # # This determines if the SSL certificate is checked during the login to # privacyIDEA. Set to True, if you have a self signed certificate. privacyideaURL.disable_ssl = False privacyidea.useridresolver = privacyidea.lib.resolvers.PasswdIdResolver.IdResolver
# These are the settings for the RADIUS Token # The location of the RADIUS dictionary file radius.dictfile= %(here)s/dictionary # The NAS Identifier of your privacyIDEA server, # that is sent to the RADIUS server radius.nas_identifier = privacyIDEA privacyideaGetotp.active can turn on the possibility to retrieve OTP values from the server. Usually it is not possible to ask the server for future OTP values of a token. Using this parameter you can allow this, thus creating printed OTP lists.
10 Chapter 3. The ini file privacyIDEA Documentation, Release 1.4
Finally there are some settings for the use of RADIUS tokens radius.dictfile and radius.nas_identifier which you usually do not need to change.
3.3.1 Administrators
privacyIDEA authenticates the administrators. The simple default way is to search the admin in a file defined by privacyideaSuperuserFile. All users in this file can login with
3.4 Database connection
You need to specify what database you want to use: [app:main] #sqlalchemy.url = mysql://privacyidea:privacyidea@localhost/privacyidea sqlalchemy.url = sqlite:///%(here)s/token.sqlite
Take a look at SQLAlchemy, how the connect string needs to look like.
3.5 Logfiles
privacyIDEA uses repoze.who to do the authentication to the WebUI. You can specify, where the logfile should be located: who.log_level = debug who.log_file = %(here)s/privacyidea.log
If you are running in Apache WSGI you should not use the %(here)s statement but you should specify a logfile like /var/log/privacyidea/who.log. privacyIDEA uses the python logging framework. You can specify which module should log which level and where all information should be logged - being it a file, smtp or syslog: # # Note: You should change the Logging Level from DEGUB to WARN # # Logging configuration [loggers] keys = root, privacyidea, sqlalchemy, controllers
[logger_root] level = WARNING handlers = file
[logger_privacyidea] level = INFO handlers = file qualname = privacyidea
3.4. Database connection 11 privacyIDEA Documentation, Release 1.4
[logger_controllers] level = DEBUG handlers = file qualname = privacyidea.controllers.account
[logger_sqlalchemy] level = ERROR handlers = file qualname = sqlalchemy.engine # "level = INFO" logs SQL queries. # "level = DEBUG" logs SQL queries and results. # "level = WARN" logs neither. (Recommended for production systems.)
[handlers] keys = file
[handler_file] class = handlers.RotatingFileHandler args = (’/var/log/privacyidea/privacyidea.log’,’a’, 10000000, 4) level = INFO formatter = generic
[formatters] keys = generic
[formatter_generic] class = privacyidea.lib.log.SecureFormatter format = %(asctime)s %(levelname)-5.5s {%(thread)d} [%(name)s][%(funcName)s #%(lineno)d] %(message)s datefmt = %Y/%m/%d - %H:%M:%S
Please see python logging for more details.
Note: privacyIDEA provides its own SecureFormatter which removes nonprintable characters, that cause prob- lems.
12 Chapter 3. The ini file CHAPTER FOUR
LOGIN TO THE WEB UI
privacyIDEA has one login form for users to login and for administrators to login. The login screen can contain a dropdown box with the list of existing realms. The dropdown box can be configured in the System config dialog on the GUI settings tab. You should enter your username and choose the right realm. If the dropdown box is not displayed, then you need to append the realm to the username like username@realm.
4.1 Login for normal users
Normal users authenticate at the login form to access the self service portal. By default users need to authenticate with the password from their user source. E.g. if the users are located in an LDAP or Active Directory the user needs to authenticate with his LDAP/AD password.
Note: The administrator may change this behaviour by creating an according policy, which then requires the user to authenticate against privacyIDEA itself. I.e. this way the user needs to authenticate with a second factor/token to access the self service portal. (see the policy section auth)
4.2 Login for administrators
Administrators can authenticate at this login form to access the management UI and also access the self service portal, if the account they login with is also contained in a realm. By default administrators are defined in a file, that is configured the ini-file. (see _inifile_superusers). Administrators defined in this file, need to login with the “virtual” realm admin. E.g. the administrator “administrator” defined in this file needs to login as administrator@admin with the password stored in this file.
Note: You can configure privacyIDEA to authenticate administrators against privacyIDEA itself, so that administra- tors need to login with a second factor. See Administrators how to do this.
13 privacyIDEA Documentation, Release 1.4
14 Chapter 4. Login to the Web UI CHAPTER FIVE
CONFIGURATION
The configuration menu can be used to define useridresolvers and realms, set the system config and the token config. It also contains a shortcut to the policy tab (see Policies).
5.1 UserIdResolvers
Each organisation or compancy usually has its users managed at a central location. This is why privacyIDEA does not provide its own user management but rather connects to existing user stores. UserIdResolvers are connectors to those user stores, the locations, where the users are managed. Nowadays this can be LDAP directories or especially Active Directory, some times FreeIPA or the Redhat 389 service. But classically users are also located in files like /etc/passwd on standalone unix systems. Web services often use SQL databases as user store. Today with many more online cloud services SCIM is also an uprising protocol to access userstores. privacyIDEA already comes with UserIdResolvers to talk to all these user stores: • Flatfile resolver, • LDAP resolver, • SQL resolver, • SCIM resolver.
Note: New resolvers can be added easily. See the module section for this (UserIdResolvers).
You can create as many UserIdResolvers as you wish and edit existing resolvers. When you have added all configura- tion data, most UIs of the UserIdResolvers have a butten “Test resolver”, so that you can test your configuration before saving it.
Note: Using the policy otppin=1 users can authenticate with the password from their user store, being the LDAP password, SQL password or password from flat file.
5.1.1 Flatfile resolver
Flatfile resolvers read files like /etc/passwd.
Note: The file /etc/passwd does not contain the unix password. Thus, if you create a flatfile resolver from this file the functionality with otppin=1 is not available. You can create a flatfile with passwords using the tool privacyidea-create-pwidresolver-user.
15 privacyIDEA Documentation, Release 1.4
Create a flat file like this: privacyidea-create-pwidresolver-user -u user2 -i 1002 >> /your/flat/file
5.1.2 LDAP resolver
The LDAP resolver can be used to access any kind of LDAP service like OpenLDAP, Active Directory, FreeIPA, Penrose, Novell eDirectory. In case of Active Directory connections you might need to check the box No anonymous referral chasing. The underlying LDAP library is only able to do anonymous referral chasing. Active Directory will produce an error in this case. (See http://blogs.technet.com/b/ad/archive/2009/07/06/referral-chasing.aspx) The LoginName attribute is the attribute that hold the loginname. It can be changed to your needs. The searchfilter and the userfilter are used for forward and backward search the object in LDAP. The searchfilter is used to list all possible users, that can be used in this resolver. The userfilter is used to find the LDAP object for a given loginname. This is why the userfilter contains the python string replacement parameter %s, which will be filled with the given loginname to find the LDAP object. The attribute mapping maps LDAP object attributes to user attributes in privacyIDEA. privacyIDEA knows the following attributes: • username, • phone, • mobile, • email, • surname, • givenname. The UID Type is the unique identifier for the LDAP object. If it is left blank, the distinguished name will be used. In case of OpenLDAP this can be entryUUID and in case of Active Directory objectGUID.
5.1.3 SQL resolver
The SQL resolver can be used to retrieve users from any kind of SQL database like MySQL, PostgreSQL, Oracle, DB2 or sqlite. In the upper frame you need to configure the SQL connection. The SQL resolver uses SQLAlchemy internally. In the field Driver you need to set a driver name as defined by the SQLAlchemy dialects like “mysql” or “postgres”. In the SQL attributes frame you can specify how the users are identified. The Database table contains the users.
Note: At the moment only one table is supported, i.e. if some of the user data like email address or telephone number is located in a second table, those data can not be retrieved.
The Limit is the SQL limit for a userlist request. This can be important if you have several thousand user entries in the table.
16 Chapter 5. Configuration privacyIDEA Documentation, Release 1.4
Figure 5.1: LDAP resolver configuration
5.1. UserIdResolvers 17 privacyIDEA Documentation, Release 1.4
Figure 5.2: SQL resolver configuration
18 Chapter 5. Configuration privacyIDEA Documentation, Release 1.4
The Attribute mapping defines which table column should be mapped to which privayIDEA attribute. The known attributes are: • userid, • username, • phone, • mobile, • email, • givenname, • surname. You can add an additional Where statement if you do not want to use all users from the table.
Note: The Additional connaction parameters refer to the SQLAlchemy connection but are not used at the moment.
5.1.4 SCIM resolver
SCIM is a “System for Cross-domain Identity Management”. SCIM is a REST-based protocol that can be used to ease identity management in the cloud. The SCIM resolver is tested in basic functions with OSIAM, the “Open Source Idenitty & Access Management”. To connect to a SCIM service you need to provide a URL to an authentication server and a URL to the resource server. The authentication server is used to authenticate the privacyIDEA server. The authentication is based on a client name and the Secret for this client. Userinformation is then retrieved from the resource server. The available attributes for the Attribute mapping are: • username, • givenname, • surname, • phone, • mobile, • email.
5.2 Realms
Users need to be in realms to have tokens assigned. A user, who is not member of a realm can not have a token assigned and can not authenticate. You can combine several different UserIdResolvers (see UserIdResolvers) into a realm. The system knows one default realm. Users within this default realm can authenticate with their username. Users in realms, that are not the default realm, need to be additionally identified. Therefor the users need to authenticate with their username and the realm like this:
5.2. Realms 19 privacyIDEA Documentation, Release 1.4
user@realm
5.2.1 List of realms
The realms dialog gives you a list of the already defined realms. It shows the name of the realms, whether it is the default realm and the names of the resolvers, that are combined to this realm. You can delete or edit an existing realm or create a new realm.
5.2.2 Edit realm
Each realm has to have a unique name. The name of the realm is case insensitive. If you create a new realm with the same name like an existing realm, the existing realm gets overwritten. The Edit Realm dialog gives you list of the available resolvers. You can click on the resolvers to mark it to be added to this realm. Holding the Ctrl-key while clicking lets you select multiple resolvers.
5.2.3 Autocreate realm
If you have a fresh installation, no resolver and no realm is defined. To get you up and running faster, the system will ask you, if it should create the first realm for you. If you answer “yes”, it will create a resolver named “deflocal” that contains all users from /etc/passwd and a realm named “defrealm” with this very resolver. Thus you can immediately start assigning and enrolling tokens. If you check “Do not ask again” this will be stored in a cookie in your browser.
Note: The realm “defrealm” will be the default realm. So if you create a new realm manually and want this new realm to be the default realm, you need to set this new realm to be default manually.
Note: You can also create this local defrealm via the menu at “Tools” -> “Create default realm with local users”.
5.3 System config
The system configuration has three tabs: Settings, token default settings and GUI settings.
20 Chapter 5. Configuration privacyIDEA Documentation, Release 1.4
5.3.1 Settings splitAtSign defines if the username like user@company given during authentication should be split into the loginname user and the realm name company. In most cases this is the wanted behavious. But given your users login with email addresses like [email protected] and [email protected] you probably do not want to split. Return SAML attributes defines if during an SAML authentication request additional SAML attributes should be returned. Usuall an authentication response only returns true or false. If FailCounterIncOnFalsePin is set the failcounter of all tokens of a user will be increased. When given a false PIN the system can not identify the token the user wants to login with. So it either increases the failcounter of all tokens of this user or none. PrependPin defines if the OTP PIN should be given in front (“pin123456”) or in the back (“12345pin”) of the OTP value. Auto resync defines if the system should try to resync a token if a user provides a wrong OTP value. If checked, the system remembers the OTP value and if during auto resync timeout the user tries to authenticate again with the next, successive OTP value, the system tries to resync this token with the two given OTP values. Pass on user not found let the system return a successful authentication response if the authenticating user does not exist in the system.
Warning: Use with care and only if you know what you are doing!
Pass on user no token let the system return a successful authentication response if the authenticating user exists in the system but has no token assigned.
Warning: Use with care and only if you know what you are doing! Since the user could remove all his tokens in selfservice and then have free rides forever.
Override Authentication client is important with client specific policies (see Policies) and RADIUS servers. In case of RADIUS the authenticating client for the privacyIDEA system will always be the RADIUS serve, which issues the authentication request. But you can allow the RADIUS server IP to send another client information (in this case the RADIUS client) so that the policy is evaluated for the RADIUS client. This field takes a comma seperated list of IP addresses. maximum concurrent OCRA challenges defines how many OCRA requests for a single OCRA token are allowed to be active simultaniously. OCRA challenge timeout defines how many seconds an OCRA challenge is kept active. The response must be sent within this timeout.
5.3.2 Token default settings
Misc settings
DefaultResetFailCount will reset the failcounter of a token if this token was used for a successful authentica- tion. If not checked, the failcounter will not be resetted and must be resetted manually.
Note: The following settings are token specific value which are set during enrollment. If you want to change this value of a token lateron, you need to change this at the tokeninfo dialog.
5.3. System config 21 privacyIDEA Documentation, Release 1.4
DefaultMaxFailCount is the maximum failcounter a token way get. If the failcounter exceeds this number the token can not be used unless the failcounter is resetted.
Note: In fact the failcounter will only increas till this maxfailcount. Even if more failed authentication request occur, the failcounter will not increase anymore.
DefaultSyncWindow is the window how many OTP values will be caluculated during resync of the token. DefaultOtpLen is the length of the OTP value. If no OTP lenght is specified during enrollment, this value will be used. DefaultCountWindow defines how many OTP values will be calculated during an authentication request. DefaultChallengeValidityTime is the timeout for a challenge response authentication.
OCRA settings
default OCRA suite is the OCRA suite that is set for an OCRA token during enrollment if no OCRA suite is specified. default QR suite is the OCRA suite that is set for a QR token during enrollment if no OCRA suite is specified.
5.3.3 GUI settings
The login window of the WebUI may display a dropdown box with all realms. You might hide this dropdown box, if you do not want to tell the world which realms are defined on your system. If you check display realm select box the list of all realms including the special realm admin for the administrators from the superuser file will be displayed in the login form.
5.4 Token configuration
Each token type can provide its own configuration dialog.
5.4.1 SMS OTP Token
The SMS OTP token creates a OTP value and sends this OTP value to the mobile phone of the user. The SMS can be triggered by an API call or by authenticating with only the OTP PIN: In the first step the user will enter his OTP PIN an the sending of the SMS is triggered. The user is denied the access. In the second step the user authenticates with the OTP PIN and the OTP value he received via SMS. The user is granted access. A python SMS provider module defines how the SMS is sent. This can be done using an HTTP SMS Gateway. Most services like Clickatel or sendsms.de provide such a simple HTTP gateway. Another possibility is to send SMS via sipgate, which provides an XMLRPC API. The third possibility is to send the SMS via an SMTP gateway. The proovider receives a specially designed email and sends the SMS accordingly. The last possibility to send SMS is to use an attached GSM modem. In the field SMS provider you can enter the SMS provider module, you wish to use. In the empty field hit the arrow-down key and you will get a list of the ready made modules. In the SMS configuration text area you can enter the configuration, which contents is very much dependant on the selected provider module.
22 Chapter 5. Configuration privacyIDEA Documentation, Release 1.4
The HTTP and the Sipgate module provide a preset-button, which give you an idea of the configuration.
HTTP provider
The HTTP provider can be used for any SMS gateway that provides a simple HTTP POST or GET request. The following parameters can be used: URL This is the URL for the gateway. HTTP_Method Can be GET or POST. USERNAME and PASSWORD These are the username and the password if the HTTP request requires basic authentication. SMS_PHONENUMBER_KEY This is the name of the HTTP parameter that holds the mobile phone number of the recipient. SMS_TEXT_KEY This is the name of the HTTP parameter that holds the SMS text. RETURN_SUCCESS You can either use RETURN_SUCCESS or RETURN_FAIL. If the text of RETURN_SUCCESS is found in the HTTP response of the gateway privacyIDEA assumes that the SMS was sent successfully. RETURN_FAIL If the text of RETURN_FAIL is found in the HTTP response of the gateway privacyIDEA assumes that the SMS could not be sent and an error occurred. PROXY You can specify a proxy to connect to the HTTP gateway. PARAMETER This can contain a dictionary of arbitrary fixed additional parameters. Usually this would also contain an ID or a password to identify you as a sender.
Example:
In case of the Clicaktell provider the configuration will look like this: {"URL":"http://api.clickatell.com/http/sendmsg", "PARAMETER":{ "user":"YOU", "password":"YOUR PASSWORD", "api_id":"YOUR API ID" }, "SMS_TEXT_KEY":"text", "SMS_PHONENUMBER_KEY":"to", "HTTP_Method":"GET", "RETURN_SUCCESS":"ID" }
5.4. Token configuration 23 privacyIDEA Documentation, Release 1.4
This will consturct an HTTP GET request like this: http://api.clickatell.com/http/sendmsg?user=YOU&password=YOU&\ api_id=YOUR API ID&text=....&to=.... where text and to will contain the OTP value and the mobile phone number. privacyIDEA will assume a successful sent SMS if the response contains the text “ID”.
Sipgate provider
The sipgate provider connects to https://samurai.sipgate.net/RPC2 and takes only two arguments USERNAME and PASSWORD. The arguments have to be passed in a dictionary like this: {"USERNAME":"youruser", "PASSWORD":"yourpassword"}
Note: You need to use double quotes around the values.
If you activate debug log level you will see the submitted SMS and the response content from the Sipgate gateway.
5.5 privacyIDEA setup tool
Starting with 1.3.3 privacyIDEA comes with a graphical setup tool to manage your token administrators and RADIUS clients. Thus you will get a kind of appliance experience. To install all necessary components read Appliance. To configure the system, login as the user root on your machine and run the command: privacyidea-setup-tui
This will bring you to this start screen.
Figure 5.3: Start screen of the appliance setup tool.
You can configure privacyidea settings, the log level, administrators, encryption key and much more. You can configure the webserver settings and RADIUS clients. All changes done in this setup tool are directly read from and written to the corresponding configuration files. The setup tool parses the original nginx and freeradius configuration files. So there is no additional place where this data is kept.
24 Chapter 5. Configuration privacyIDEA Documentation, Release 1.4
Figure 5.4: Configure privacyidea
Figure 5.5: You can create new token administrators, delete them and change their passwords.
Figure 5.6: In the FreeRADIUS settings you can create and delete RADIUS clients.
5.5. privacyIDEA setup tool 25 privacyIDEA Documentation, Release 1.4
Note: You can also edit the clients.conf and other configuration files manually. The setup tool will also read those manual changes!
26 Chapter 5. Configuration CHAPTER SIX
TOKENVIEW
The administrator can see all the tokens of all realms he is allowed to manage in the tokenview. Each token can be located in several realms and be assigned to one user. The administrator can see all the details of the token. The administrator can select one or more tokens to perfom actions on the selected tokens.
6.1 Functions for one token
The buttons on the top Lost token, Token info, Resync Token, set token realm and get OTP are functions that work on one single token.
6.1.1 Lost token
When a user has lost a token, the administrator can create a temporary password token for the user to login. The administrator has to select the token that was lost and click the button Lost token. A new token of type PW is generated. The OTP PIN of the old token is automatically copied to the new token. Thus the administrator does not know the OTP PIN, while the user can use his old PIN. A long password is displayed to the administrator and the administrator can read this password to the user. The user now can authenticate with his old OTP PIN and the long password. The lost token is deactivated.
6.1.2 Token info
The Token info button opens a new dialog. In tokeninfo you can change the following settings: MaxFail and FailCount If the login fail counter reaches the MaxFail the user can not login with this token anymore. The Failcounter FailCount has to be reset to zero. TokenDesc The token description is also displayed in the tokenview. You can set a description to make it easier to identify a token. CountWindow
27 privacyIDEA Documentation, Release 1.4
Figure 6.1: The tokeninfo dialog with all token details
28 Chapter 6. Tokenview privacyIDEA Documentation, Release 1.4
The CountWindow is the look ahead window of event based tokens. If the user pressed the button on an event based token the counter in the token is increased. If the user does not use this otp value to authenticate, the server does not know, that the counter in the token was increased. This way the counter in the token can get out of sync with the server. SyncWindow If a token was out of sync (see CountWindow), then it needs to be synchronized. This is done by enter- ing two consecutive OTP values. The server searches these two values within the next CountWindow (default 1000) values. OtpLen This is the length of the OTP value that is generated by the token. The password that is entered by the user is splitted according to this length. 6 or 8 characters are splitted as OTP value and the rest is used as static password (OTP PIN). Hashlib The HOTP algorith can be used with SHA1 or SHA256. Auth max The administrator can set a value how often this token may be used for authentication. If the number of authentication try exceed this value, the token can not be used, until this Auth max value is increased.
Note: This way you could create tokens, that can be used only once.
Auth max success The administrator can set a value how often this token may be used to successfully authenticate. Valid start A timestamp can be set. The token will only be usable for authentication after this start time. Valid end A timestamp can be set. The token can only be used before this end time.
Note: This way you can create temporary tokens for guests or short time or season employees.
6.1.3 Resync Token
The administrator can select one token and then enter two consecutive OTP values to resynchonize the token if it was out of sync.
6.1.4 set token realm
A token can be assigned to several realms. This is important if you have administrators for different realms. A realm administrator is only allowed to see tokens within his realms. He will not see tokens, that are not in his realm. So you can assign a token to realm A and realm B, thus the administrator A and the administrator B will be able to see the token.
6.1. Functions for one token 29 privacyIDEA Documentation, Release 1.4
6.1.5 get OTP
If the corresponding getOTP policy (Policies) is set, the administrator can get the OTP values of a token from the server without having the token with him.
Note: Of course this is a potential backdoor, since the administrator could login as the user/owner of this very token.
6.2 Functions for multiple tokens
On the left side there are buttons for functions, that can be performed on several tokens at once. The administrator can select multiple tokens and click on of the buttons.
6.2.1 enroll
For this function you do not need to select any token. But you can select a user on the userview, then the token to be enrolled will be directly assigend to this user. When enrolling the token, you can choose, which token type you want to enroll. After enrolling the token, you can set a OTP PIN for this token.
6.2.2 assign
This function is used to assign a token to a user. The administrator can select one user on the userview and then select several tokens on the tokenview. Clicking the button assign will assign all tokens to the selected user.
6.2.3 unassign
The administrator can select several tokens and click the button unassign. If a token is unassigned it does not belong the user anymore. The user can not use this token to authenticate.
6.2.4 enable
If a token is disabled, it can be enabled again.
6.2.5 disable
Tokens can be disabled. Disabled tokens still belong to the assigned user but those tokens can not be used to authenti- cate. Disabled tokens can be enabled again.
6.2.6 set PIN
You can set the OTP PIN or the mOTP PIN for tokens.
30 Chapter 6. Tokenview privacyIDEA Documentation, Release 1.4
6.2.7 Reset Failcounter
If a used locked his token, since he entered wrong OTP values or wrong OTP PINs, the fail counter has reached the mail failcount. The administrator or help desk user can select those tokens and click the button reset failcounter to reset the fail counter to zero. The tokens can be used for authentication again.
6.2.8 delete
Selecting tokens and clicking the button delete will remove the tokens from the database. The token information can not be recovered. But all events that occured with this token still remain in the audit log.
6.3 Columns
The columns of the tokenview can be rearranged and you can sort the columns. Underneath the list is a search field. You can search for tokens with certain criteria in the columns. You can use the wildcard “*”. You could dearch for “10” in the column “count”, thus finding all tokens that have reached the maximum fail count. The list of the tokens provides detailed information on the tokens. active This indicates if the token is enabled or disabled. username This is the username of the user the token is assigned to. This is the name that is used to login.
Note: If it displays /:no user info:/ this indicates that the UserIdResolver is not able to determine the login- name/username. You should check the UserIdResolver and the log file for errors.
realm A token can be assigned to several realms. This column either displays one realm or several realms. count This is the failcounter. You can keep track, if the user has problems logging in. If this value reaches the max failcount the token can not be used to authenticate anymore until the failcounter is resetted. max failcount This works with the count column. userid / resolver These columns represent the assignment to the user. Depending on the resolver and type of resolver the userid can look different. This can be an integer, a distinguished name or an objectGUID or entryUUID.
6.3. Columns 31 privacyIDEA Documentation, Release 1.4
32 Chapter 6. Tokenview CHAPTER SEVEN
USERVIEW
The administrator can see all users in realms he is allowed to manage.
Note: Users are only visible, if the useridresolver is located within a realm. If you only define a useridresolver but no realm, you will not be able to see the users!
You can select one of the realms in the left drop down box. The administrator will only see the realms in the drop down box, that he is allowed to manage. The list shows the users from the select realm. The username, surname, given name, email and phone are filled according to the definition of the useridresolver. Even if a realm contains several useridresolvers all users from all resolvers within this realm are displayed. As privacyIDEA only reads users from user sources the actions you can perform on the users are limited.
Note: You can not create or modify users in privacyIDEA!
7.1 Enroll tokens
The usual action to do is to enroll a token. To enroll a token to a specific user you can search for the user, select the user and then click the button enroll on the left side. In the enrollment dialog you can choose which token type you want to enroll.
7.2 Assign tokens
If you want to assign an existing token to a user, you need to select the user and select the token in the Tokenview and then you can click the button assign.
33 privacyIDEA Documentation, Release 1.4
34 Chapter 7. Userview CHAPTER EIGHT
POLICIES
Policies can be used to define the reaction and behaviour of the system. Each policy defines the behaviour in a certain area, called scope. privacyIDEA knows the scopes:
8.1 Admin policies
Admin policies are used to regulate the actions that administrators are allowed to do. Technically admin policies controll the use of the Admin Controller and are checked using the method getAdminPolicies of the Policy Class. The user in the admin policies refers to the administrator. All administrative actions also refer to the defined realm. Meaning and administrator may have many rights in one realm and only a few rights in another realm. Creating a policy with scope:admin, user:frank, action:enable and realm:sales means that the ad- ministrator Frank is allowed to enable tokens in the realm sales.
Note: As long as no admin policy is defined all administrators are allowed to do everything.
Note: In the scope admin you can use the wildcard “*” in the actions to create a superuser, who is allowed to do everything.
The following actions are available in the scope admin:
8.1.1 init type: bool There are init actions per token type. Thus you can create policy that allow an administrator to enroll SMS tokens but not to enroll HMAC tokens.
8.1.2 enable type: bool The enable action allows the administrator to activate disabled tokens.
35 privacyIDEA Documentation, Release 1.4
8.1.3 disable type: bool Tokens can be enabled and disabled. Disabled tokens can not be used to authenticate. The disable action allows the administrator to disable tokens.
8.1.4 set type: bool Tokens can have additional token information, which can be viewed in the tokeninfo dialog (see Token info). If the set action is defined, the administrator allowed to set those token information.
8.1.5 setOTPPIN type: bool If the setOTPPIN action is defined, the administrator is allowed to set the OTP PIN of a token.
8.1.6 setMOTPPIN type: bool If the setMOTPPIN action is defined, the administrator is allowed to set the mOTP PIN of an mOTP token.
8.1.7 resync type: bool If the resync action is defined, the administrator is allowed to resynchronize a token.
8.1.8 assign type: bool If the assign action is defined, the administrator is allowed to assign a token to a user. This is used for assigning an existing token to a user but also to enroll a new token to a user. Without this action, the administrator can not create a connection (assignment) between a user and a token.
8.1.9 unassign type: bool If the unassign action is defined, the administrator is allowed to unassign tokens from a user. I.e. the administrator can remove the link between the token and the user. The token still continues to exist in the system.
36 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
8.1.10 import type: bool If the import action is defined, the administrator is allowed to import token seeds from a token file, thus creating many new token objects in the systems database.
8.1.11 remove type: bool If the remove action is defined, the administrator is allowed to delete a token from the system.
Note: If a token is removed, it can not be recovered.
Note: All audit entries of this token still exist in the audit log.
8.1.12 userlist type: bool If the userlist action is defined, the administrator is allowed to view the user list in a realm. An administrator might not be allowed to list the users, if he should only work with tokens, but not see all users at once.
Note: If an administrator has any right in a realm, the administrator is also allowed to view the token list.
8.1.13 checkstatus type: bool If the checkstatus action is defined, the administrator is allowed to check the status of open challenge requests.
8.1.14 manageToken type: bool If the manageToken action is defined, the administrator is allowed to manage the realms of a token. A token may be located in multiple realms. This can be interesting if you have a pool of spare tokens and several realms but want to make the spare tokens available to several realm administrators. (Administrators, who have only rights in one realm) Then all administrators can see these tokens and assign the tokens. But as soon as the token is assigned to a user in one realm, the administrator of another realm can not manage the token anymore.
8.1.15 getserial type: bool If the getserial action is defined, the administrator is allowed to calculate the token serial number for a given OTP value.
8.1. Admin policies 37 privacyIDEA Documentation, Release 1.4
Figure 8.1: The tool to determine the token serial number for a given OTP value
38 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
8.1.16 copytokenuser type: bool If the copytokenuser action is defined, the administrator is allowed to copy the user assignment of one token to another. This functionality is also used during the lost token process. But you only need to define this action, if the administrator should be able to perform this task manually.
8.1.17 copytokenpin type: bool If the copytokenpin action is defined, the administrator is allowed to copy the OTP PIN from one token to another without knowing the PIN. This functionality is also used during the lost token process. But you only need to define this action, if the administrator should be able to perform this task manually.
8.1.18 losttoken type: bool If the losttoken action is defined, the adminstrator is allowed to perform the lost token process. To only perform the lost token process the actions copytokenuser and copytokenpin are not necessary!
8.1.19 getotp type: bool If the getserial action is defined, the administrator is allowed to retrieve OTP values for a given token.
8.2 System policies
System policies are used to regulate the configuration of the system. This is defining useridresolvers and realms, setting token defaults and defining system configuration. If no system policy is defined, each administrator is allowed to do everything in the scope system. Technically system policies controll if the administrator is able to write to the database table Config or if the adminis- trator can use of the System Controller. System policies are checked using the method getAuthorization of the Policy Class. The user in the system policies refers to the administrator.
Note: System policies do not make use of realms!
Warning: Creating policies is an act of writing the system configuration. So if you define admin policies and do not define system policies, every administrator can still change the policies! The recommended way is to create your admin policies and then create the system policies.
The following actions are available in the scope system:
8.2. System policies 39 privacyIDEA Documentation, Release 1.4
8.2.1 read
type: bool The administrator is allowed to read the system configuration. A token administrator might not be allowed to read system configuration to avoid letting him know which realms and userresolvers exist.
8.2.2 write
type: bool The administrator is allowed to write system configuration.
8.3 Selfservice policies
In the selfservice portal users can manage their own tokens. User can login to the selfservice portal with the username of their useridresolver. I.e. if a user is found in an LDAP resolver pointing to Active Directory the user needs to login with his domain password. Selfservice policies are used to define, which actions users are allowed to perform in the selfservice portal. Selfservice policies are defined per realm. You can enter the wildcard “*” as realm or you can enter a comma seperated realm list. The selfservice policies also respect the client input, where you can enter an IP address or a subnet (like 10.2.0.0/16). Using the client parameter you can allow different actions in selfservice if the user either logs in from the internal network or remotely from the internet via the firewall.
Note: The user in the selfservice policy can contain a list of users and also resolvers, which are identified by a ”:”. The notation is user:resolver. A policy containing user=:resolver1 will only be valid for the users in resolver1.
Technically selfservice policies control the use of the Selfservice Controller and are checked using the method getSelfserviceActions of the Policy Class.
Note: If no selfservice policy is defined, the user has no actions available in the selfservice portal.
Note: In the scope selfservice you can use the wildcard “*” in the realm parameter but not in the action parameter. You need to specify each action, the user should be allowed to use.
The following actions are available in the scope selfservice:
8.3.1 enroll
type: bool There are enroll actions per token type. Thus you can create policy that allow the user to enroll SMS tokens but not to enroll HMAC tokens.
8.3.2 assgin
type: bool
40 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
The user is allowed to assgin an existing token, that is located in his realm and that does not belong to any other user, by entering the serial number.
8.3.3 disable type: bool The user is allowed to disable his own tokens. Disabled tokens can not be used to authenticate.
8.3.4 enable type: bool The user is allowed to enable his own tokens.
8.3.5 delete type: bool The user is allowed to delete his own tokens from the database. Those tokens can not be recovered. Anyway, the audit log concerning these tokens remains.
8.3.6 unassign type: bool The user is allowed to drop his ownership of the token. The token does not belong to any user anymore and can be reassigned.
8.3.7 resync type: bool The user is allowed to resynchronize the token if it has got out of synchronization.
8.3.8 reset type: bool The user is allowed to reset the failcounter of the token.
8.3.9 setOTPPIN type: bool The user ist allowed to set the OTP PIN for his tokens.
8.3. Selfservice policies 41 privacyIDEA Documentation, Release 1.4
8.3.10 setMOTPPIN type: bool The user is allowed to set the mOTP PIN of mOTP tokens.
8.3.11 getotp type: bool The user is allowed to retrieve OTP values from a token.
8.3.12 otp_pin_maxlength type: integer range: 0 - 100 This is the maximum allowed PIN length the user is allowed to use when setting the OTP PIN.
8.3.13 otp_pin_minlength type: integer range: o - 100 This is the minimum required PIN the user must use when setting the OTP PIN.
8.3.14 otp_pin_contents type: string contents: cnso+- This defines what characters an OTP PIN should contain when the user sets it. c are letters matching [a-zA-Z]. n are digits mathcing [0-]. s are special characters matching [.:,;-_<>+*!/()=?$§%&#~^] o are other characters.
Note: You can change these character definitions in the privacyidea.ini file using privacyideaPolicy.pin_c, privacyideaPolicy.pin_n and privacyideaPolicy.pin_s.
Example: The policy action otp_pin_contents=cn, otp_pin_minlength=8 would require the user to choose OTP PINs that consist of letters and digits which have a minimum length of 8. The logic of the otp_pin_contents can be enhanced and reversed using the characters + and -. -cn would still mean, that the OTP PIN needs to contain letters and digits and it must not contain any other characters. cn test1234 and test12$$ would be valid OTP PINs. testABCD would not be a valid OTP PIN. -cn
42 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
test1234 would be a valid OTP PIN, but test12$$ and testABCS would not be valid OTP PINs. The later since it does not contain digits, the first (test12$$) since it does contain a special character ($), which it should not. +cn combines the two required groups. I.e. the OTP PIN should contain characters from the sum of the two groups. test1234, test12$$, test and 1234 would all be valid OTP PINs.
8.3.15 activateQR type: bool The user is allowed to enroll a QR token.
8.3.16 webprovisionOATH type: bool The user is allowed to enroll an HMAC token using the QR code for the OATH token iOS app.
8.3.17 webprovisionGOOGLE type: bool The uses is allowed to enroll a Google Authenticator event based using the QR code for the Google Authenticator.
8.3.18 webprovisionGOOGLEtime type: bool The user is allowed to enroll a Google Authenticator time based using the QR code for the Google Authenticator.
8.3.19 max_count_dpw type: integer This works together with the getotp action. This is the maximum number of OTP values the user may retrieve from DPW tokens.
8.3.20 max_count_hotp type: integer This works together with the getotp action. This is the maximum number of OTP values the user may retrieve from HOTP tokens.
8.3.21 max_count_totp type: integer This works together with the getotp action. This is the maximum number of OTP values the user may retrieve from TOTP tokens.
8.3. Selfservice policies 43 privacyIDEA Documentation, Release 1.4
8.3.22 history type: bool This action allows the user to view and search the audit log for actions with his own tokens.
8.3.23 getserial type: bool This action allows the user to search for the serial number of an unassigned token by entering an OTP value.
8.3.24 auth type: string If this action is set to auth=otp, the users need to authenticate against privacyIDEA when logging into the selfservie portal. I.e. they can not login with their domain password anymore but need to authenticate with one of their tokens.
Note: To have this action working correctly, you need to set the parameter privacyideaURL in the privacyidea.ini file.
Warning: If you set this action and the user deletes or disables all his tokens, he will not be able to authenticate anymore.
Note: A sensible way to use this, is to combine this action in a policy with the client parameter: requiring the users to login to the selfservice portal remotely from the internet with OTP but still login from within the LAN with the domain password.
8.4 Enrollment policies
The scope enrollment defines what happens during enrollment either by an administrator or during the user self enroll- ment. Enrollment policies take the realms, the client (see Policies) and the user settings into account. Technically enrollment policies control the use of the init and assign-methods in the Admin Controller and Selfservice Controller. Several functions are used from the Policy Class. The following actions are available in the scope enrollment:
8.4.1 tokencount type: int This is the maximum allowed number of tokens in the specified realm.
Note: If you have several realms with realm admins and you imported a pool of hardware tokens you can thus limit the consumed hardware tokens per realm.
44 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
8.4.2 maxtoken type: int Limit the maximum number of tokens per user in this realm.
Note: If you do not set this action, a user may have unlimited tokens assigned.
8.4.3 otp_pin_random type: int Generates a random OTP PIN during self enrollment. Thus the user is forced to set a certain OTP PIN.
Note: At the moment this randomly generated PIN is not used. It could be used to be sent via a PIN letter in the future.
8.4.4 otp_pin_encrypt type: int values: 0 or 1 If set to 1 the OTP PIN of a token will be encrypted. The default behaviour is to hash the OTP PIN, which is safer.
8.4.5 tokenlabel type: string This sets the label for a newly enrolled Google Authenticator. Possible tags to be replaces are for user, for the serial number. The default behaviour is to use the serial number.
Note: This is useful to identify the token in the Authenticator App.
8.4.6 autoassignment type: int value: 6 or 8 Users can assign a token just by using this token. The user can take a token from a pool of unassigned tokens. When this policy is set, and the user has no token assigned, autoassignment will be done: The user authenticates with his user store (e.g. LDAP) password together with the OTP value of the not-assigned-token. The system will check the password and try to identify the token and check the OTP value. Therefor the action needs to contain the length of the OTP value (either 6 or 8). If it succeeds the token gets assigned to the user, the OTP PIN is set and the user is successfully authenticated.
8.4. Enrollment policies 45 privacyIDEA Documentation, Release 1.4
8.4.7 ignore_autoassignment_pin type: bool If this action is set, the assigned token does not get a PIN during autoassignment.
8.4.8 lostTokenPWLen type: int This is the length of the generated password for the lost token process.
8.4.9 lostTokenPWContents type: string This is the contents that a generated password for the lost token process should have. You can use • c: for lowercase letters • n: for digits • s: for special characters (!#$%&()*+,-./:;<=>?@[]^_) • C: for uppercase letters Example: The action lostTokenPWLen=10, lostTokenPWContents=Cns could generate a password like AC#!49MK)).
8.4.10 lostTokenValid type: int This is how many days the replacement token for the lost token should be valid. After this many days the replacement can not be used anymore.
8.5 Authentication policies
The scope authentication gives you more detailed possibilities to authenticate the user or to define what happens during authentication. Authentication polcies take the realm, the user and the client into account. Technically the authentication policies apply to the Validate Controller. The following actions are available in the scope authentication:
8.5.1 smstext type: string This is the text that is sent via SMS to the user trying to authenticate with an SMS token. You can use the tags
46 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
8.5.2 otppin type: int This action defines how the fixed password part during authentication should be validated. Each token has its own OTP PIN, but you can choose how the authentication should be processed: otppin=0 This is the default behaviour. The user needs to pass the OTP PIN concatenated with the OTP value. otppin=1 The user needs to pass the user store password concatenated with the OTP value. It does not matter if the OTP PIN is set or not. If the user is located in an Active Directory the user needs to pass his domain password together with the OTP value.
Note: The domain password is checked with an LDAP bind right at the moment of authentication. So if the user is locked or the password was changed authentication will fail. otppin=2 The user does not have to pass any fixed password. Authentication is only done via the OTP value.
8.5.3 autosms type: bool A new OTP value will be sent via SMS if the user authenticated successfully with his SMS token. Thus the user does not have to trigger a new SMS when he wants to login again.
8.5.4 passthru type: bool If the user has no token assigned, he will be authenticated against the UserIdResolver, i.e. he needs to provide the LDAP- or SQL-password.
Note: This is a good way to do a smooth enrollment. Users having a token enrolled will have to use the token, users not having a token, yet, will be able to authenticate with their domain password.
Warning: If the user has the right to delete his tokens in selfservice portal, the user could delete all his tokens and then authenticate with his static password again.
8.5.5 passOnNoToken type: bool If the user has no token assigned an authentication request for this user will always be true.
Warning: Only use this if you know exactly what you are doing.
8.5. Authentication policies 47 privacyIDEA Documentation, Release 1.4
8.5.6 qrtanurl
type: string This is the URL for the half automatic mode of the QR token. To this URL the TAN/OTP value will be pushed.
8.5.7 challenge_response
type: string This is a list of token types for which challenge response can be used during authentication.
8.6 Authorization policies
The scope authorization provides means to define what should happen if a user prooved his identity and authenticated successfully. Authorization policies take the realm, the user and the client into account. Technically the authorization policies apply to the Validate Controller. The following actions are available in the scope authorization:
8.6.1 authorize type: bool If this is set, only this realm will be authorized from the certain client IP. As long as not policy action: authorize is set, all users and realms from all client IPs will be allowed.
Note: If you start to use the authorize-action you will need to define all authorizations for all realms and clients.
8.6.2 tokentype
type: string Users will only be auhorized with this very tokentype. The string can hold a comma seperated list of case insensitive tokentypes.
Note: Combining this with the client IP you can use this to allow remote access to sensitive areas only with one special token type while allowing access to less sensitive areas with other token types.
8.6.3 serial
type: string Users will only be authorized with the serial number. The string can hold a regular expression as serial number.
Note: Combining this with the client IP you can use this to allow remote access to sensitive areas only with hardware tokens like the Yubikey, while allowing access to less secure areas also with a Google Authenticator.
48 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
8.6.4 setrealm
type: string This policy is checked before the user authenticates. The realm of the user matching this policy will be set to the realm in this action.
Note: This can be used if the user can not pass his realm when authenticating at a certain client, but the realm needs to be available during authentication since the user is not located in the default realm.
8.6.5 detail_on_success
type: bool If this action is set and the user authenticated successfully additional information will be returned: The realm, the username, the tokentype and the serial number.
8.6.6 detail_on_fail
type: bool If this action is set and the user failed to authenticate additional information about the error will be returned.
8.7 Audit policies
The scope audit onlcy contains one action. It handles the access to the Audit Controller. The user attribute of the policy contains a list of administrator names. To learn more about the audit log, see Audit.
8.7.1 view type: bool The administrators are allowed to view the audit log.
8.8 Machine policies
For the understanding of the idea of machines read Client machines. Machine polcies are used to rule the actions of creating machines and adding tokens and applications to ma- chines. Technically admin policies controll the use of the machine_controller and are checked using the method get_machine_manage_policies of the Policy Class. The user in the machine policies refers to the administrator.
Note: As long as no machine policy is defined all administrators are allowed to manage machines.
The following actions are available in the scope machine:
8.7. Audit policies 49 privacyIDEA Documentation, Release 1.4
8.8.1 create type: bool The administrator is allowed to create machine definitions.
8.8.2 delete type: bool The administrator can delete machine definitions.
8.8.3 show type: bool The administrator can list the machine definitions.
8.8.4 addtoken type: bool The administrator can add a token to a machine definition.
8.8.5 deltoken type: bool The administrator can delete a token from a machine definition.
8.8.6 showtoken type: bool The administrator can show the token assignments to the machines.
8.9 OCRA policies
The scope ocra defines who is allowed to access the OCRA methods. It controlls the access to the OCRA Controller. The following actions are available in the scope ocra:
8.9.1 request type: bool The administrator is allowed to issue OCRA requests ocra/request.
50 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
8.9.2 status
type: bool The administratpr is allowed to check the transaction status.
8.9.3 activationcode
type: bool The administrator is allowed to create an activation code via ocra/getActivationCode.
8.9.4 calcOTP type: bool The administrator is allowed to calculate OTP values via ocra/calculateOTP.
8.10 Gettoken policies
The scope gettoken defines the maximum number of OTP values that may be retrieved from an OTP token by an administrator. The user attribute may hold a list of administrators. Technically the gettoken policies control the use of the Gettoken Controller. The following actions are available in the scope gettoken:
8.10.1 max_count_dpw
type: int This is the maximum number of OTP values that are allowed to be retrieved from a DPW token.
Note: Issuing only one OTP value per day, this means that this is the number of days, this OTP list can be used.
8.10.2 max_count_hotp
type: int This is the maximum number of OTP values that are allowed to be retrieved from an HOTP (HMAC) token.
Note: As hotp values only expire, when they are used, you can use this to create an OTP list, that can be used from the first to the last OTP value.
8.10. Gettoken policies 51 privacyIDEA Documentation, Release 1.4
8.10.3 max_count_totp type: int This is the maximum number of OTP balues that are allowed to be retrieved from a TOTP token.
Note: As the default TOTP token generates a new OTP value all 30 seconds, retrieving 100 OTP values will only give you OTP values, that are usable for 50 minutes.
You can define as many policies as you wish to. The logic of the policies in the scopes is additive.
Figure 8.2: policy definition
Each policy can contain the following attributes: policy name A unique name of the policy. The name is the identifier of the policy. If you create a new policy with the same name, the policy is overwritten.
52 Chapter 8. Policies privacyIDEA Documentation, Release 1.4
scope The scope of the policy as described above. action This is the important part of the policy. Each scope provides its own set of actions. An action describes that something is allowed or that some behaviour is configured. A policy can contain several actions, seperated with a comma. Some scopes allow to use the wildcard * which indicates that all actions are allowed. Actions can be of type boolean, string or integer. Boolean actions are enabled by just adding this action. string and integer actions need to be configured like this: action=
user This is the user, for whom this policy is valid. Depending on the scope the user is either an administrator or a normal authenticating user.
Note: In certain scopes the authentication user contain a list of users and also resolvers, which are identified by a ”:”. The notation is user:resolver. A policy containing user=:resolver1 will only be valid for the users in resolver1.
realm This is the realm, for which this policy is valid. client This is the requesting client, for which this action is valid. I.e. you can define different policies if the user access the selfservice from different IP addresses like the internal network or remotely via the firewall. You can enter an IP address or a subnet (like 10.2.0.0/16). time Not used, yet.
Note: Policies can be active or inactive. So be sure to activate a policy to get the desired effect.
8.10. Gettoken policies 53 privacyIDEA Documentation, Release 1.4
54 Chapter 8. Policies CHAPTER NINE
CLIENT MACHINES
Note: This is a very new concept and work in progress. It may enhance rapidly in future.
privacyIDEA lets you define client machines. The idea is for users to be able to authenticate on those client machines. Not in all cases an online authentication request is possible, so that authentication items can be passed to those client machines. In addition you need to define, which application on the client machine the user should authenticate to. Different application require different authentication items. Therefore privacyIDEA can define application types. At the moment privacyIDEA knows the application luks‘ and ‘‘ssh. You can write your own application class, which is defined in :ref:code_application_class. You need to assign an application and a token to a client machine. Each application type can work with certain token types and each application type can use additional parameters.
Note: Not all tokens work well with all applications!
9.1 SSH
Currently working token types: SSH Parameters: user (optional, default=root) When the SSH token type is assigned to a client, the user specified in the user paramter can login with the private key of the SSH token. To enroll SSH tokens to the client systems you have to use the privacyIDEA admin client. To distribute the SSH tokens the privacyIDEA admin client uses salt 1. In version 1.3 the command line interface of the admin client was heavily improved, so that you can simply distribute the SSH keys by calling the following command on the salt master: privacyidea-ssh-assign @secrets.txt
This script will call all SSH authentication items and will use salt to push these to the clients. The secrets.txt file contains the connection data to the privacyIDEA server. Thus you can check the access rights of secrets.txt and use this call in a cron job.
1 http://www.saltstack.com/
55 privacyIDEA Documentation, Release 1.4
The secrets.txt just takes the command line parameters and might look like this: --url https://localhost:5001 --admin admin@admin --password secretPassword
9.2 LUKS
Currently working token types: Yubikey Challenge Response Parameters: slot The slot to which the authentication information should be written partition The encrypted partition (usually /dev/sda3 or /dev/sda5) These authentication items need to be pulled on the client machine from the privacyIDEA server. Thus, the following script need to be executed with root rights (able to write to LUKS) on the client machine: privacyidea-luks-assign @secrets.txt --cleanslot --name salt-minion
For more information please see the man page of this tool.
56 Chapter 9. Client machines CHAPTER TEN
AUDIT
The systems provides a sophisticated audit log, that can be viewed in the WebUI. privacyIDEA comes with an SQL audit module. (see Audit log)
10.1 Cleaning up entries
The sqlaudit module writes audit entries to an SQL database. For performance reasons the audit module does no log rotation during the logging process. But you can set up a cron job to clean up old audit entries. You can specify a highwatermark and a lowwatermark. To clean up the audit log table, you can call the sqlaudit module at the command line: python privacyidea/lib/auditmodules/sqlaudit.py \ -f config/privacyidea.ini.example \ --low=5000 --high=10000
This will, if there are more than 10.000 log entries, clean all old log entries, so that only 5000 log entries remain.
57 privacyIDEA Documentation, Release 1.4
58 Chapter 10. Audit CHAPTER ELEVEN
TOOLS
The menu tools contains some helpful tools to manage your tokens.
11.1 Get Serial by OTP value
Here you can enter an OTP value and have the system identify the token. This can be useful if the printed serial number on the token can not be read anymore or if the hardware token has not serial number printed on it at all. You can choose the • tokentype • whether the token is an assigned token or not • and the realm of the token to set limits to the token search.
Warning: The system needs to got to all tokens and calculate the next (default) 10 OTP values. Depending on the number of tokens you have in the system this can be very time consuming!
11.2 Copy token PIN
Here you can enter a token serial number of the token from which you want to copy the OTP PIN and the serial number of the token to which you want to copy it. This function is also used in the lost token scenario. But the help desk can also use it if the administrator enrolls a new token to the user and 1. the user can not set the OTP PIN and 2. the administrator should not set or know the OTP PIN. Then the administrator can create a second token for the user and copy the OTP PIN (which only the user knows) of the old token to the new, second token.
11.3 Check Policy
If you have complicated policy settings you can use this dialog to determine if the policies behave as expected. You can enter the scope, the real, action user and client to “simulate” e.g. an authentication request.
59 privacyIDEA Documentation, Release 1.4
The system will tell you if any policy is triggered.
11.4 Export token information
Here you can export the list of the tokens to a CSV file.
Note: In the resolver you can define additional fields, that are usually not used by privacyIDEA. But you can add those fields to the export. Thus you can e.g. add special LDAP attributes in the list of the exported tokens.
11.5 Export audit information
Here you can export the audit information.
Warning: You should limit the export to a number of audit entries. As the audit log can grow very big, the export of 20.000 audit lines could result in blocking the system.
60 Chapter 11. Tools CHAPTER TWELVE
IMPORT
Seed files that contain the secret keys of hardware tokens can be imported to the system via the menu Import. The default import options are to import SafeNet XML file, OATH CSV files or Yubikey CSV files.
12.1 SafeNet XML
SafeNet XML (former Aladdin) files are usually shipped with SafeNet eToken PASS. Each token is contained in a
Note: Today usually SafeNet tokens are shipped with a .dat file. If you get such a file, please contact the mailing list.
12.2 OATH CSV
This is a very simple CSV file to import HOTP, TOTP or OATH tokens. You can also convert your seed easily to this file format, to import the tokens. The file format looks like this:
For OCRA tokens it looks like this:
1 http://tools.ietf.org/html/rfc6287#section-6
61 privacyIDEA Documentation, Release 1.4
12.3 Yubikey CSV
Here you can import the CSV file that is written by the Yubikey personalization tool 2. privacyIDEA can import all Yubikey modes, either Yubico mode or HOTP mode.
Note: There is an annoying drawback of the personalization tool: If you a initializing several HOTP yubikeys it will not write the serial number to the file.
2 http://www.yubico.com/products/services-software/personalization-tools/use/
62 Chapter 12. Import CHAPTER THIRTEEN
THE CODE DOCUMENTATON
13.1 UserIdResolvers
The useridresolver is responsible for getting userids for loginnames and vice versa. This base module contains the base class UserIdResolver.UserIdResolver and also the community class PasswdIdRe- solver.IdResolver, that is inherited from the base class.
13.1.1 Base class class privacyidea.lib.resolvers.UserIdResolver.UserIdResolver
checkPass(uid, password) This function checks the password for a given uid. - returns true in case of success - false if password does not match close() Hook to close down the resolver after one request classmethod getResolverClassDescriptor() return the descriptor of the resolver, which is - the class name and - the config description Returns resolver description dict Return type dict classmethod getResolverClassType() provide the resolver type for registration getResolverDescriptor() return the descriptor of the resolver, which is - the class name and - the config description Returns resolver description dict Return type dict getResolverId() get resolver specific information :return: the resolver identifier string - empty string if not exist getResolverType() getResolverType - return the type of the resolver Returns returns the string ‘ldapresolver’ Return type string getUserId(LoginName)
63 privacyIDEA Documentation, Release 1.4
•returns the identifier string •empty string if not exist getUserInfo(UserID) This function returns all user information for a given user object identified by UserID.
Returns dictionary, if no object is found, the dictionary is empty
getUserList(serachDict) This function finds the user objects, that have the term ‘value’ in the user object field ‘key’ Parameters searchDict – dict with key values of user attributes - the key may be something like ‘loginname’ or ‘email’ the value is a regular expression. Returns list of dictionaries (each dictionary contains a user object) or an empty string if no object is found. getUsername(userid) Returns the username/loginname for a given userid :param userid: The userid in this resolver :type userid: string :return: username :rtype: string
13.1.2 PasswdResolver class privacyidea.lib.resolvers.PasswdIdResolver.IdResolver
checkPass(uid, password) This function checks the password for a given uid. - returns true in case of success - false if password does not match We do not support shadow passwords at the moment. so the seconds column of the passwd file needs to contain the crypted password checkUserId(line, pattern) check for the userId checkUserName(line, pattern) check for user name close() request hook - to close down resolver object classmethod getResolverClassDescriptor() return the descriptor of the resolver, which is - the class name and - the config description Returns resolver description dict Return type dict getResolverId(LoginName) •returns the resolver identifier string •empty string if not exist getSearchFields(searchDict=None) show, which search fields this userIdResolver supports TODO: implementation is not completed Parameters searchDict – fields, which should be queried
64 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
Returns dict of all searchFields getUserId(LoginName) search the user id from the login name Parameters LoginName – the login of the user Returns the userId getUserInfo(userId, no_passwd=False) get some info about the user as we only have the loginId, we have to traverse the dict for the value Parameters • userId – the to be searched user • no_passwd – retrun no password Returns dict of user info getUserList(searchDict) get a list of all users matching the search criteria of the searchdict Parameters searchDict – dict of search expressions getUsername(userId) Returns the username/loginname for a given userid :param userid: The userid in this resolver :type userid: string :return: username :rtype: string loadConfig(configDict) The UserIdResolver could be configured from the pylons app config - here this could be the passwd file , whether it is /etc/passwd or /etc/shadow loadFile() init loads the /etc/passwd user and uid as a dict for / user loginname lookup classmethod setup(config=None, cache_dir=None) this setup hook is triggered, when the server starts to serve the first request Parameters config (the privacyidea config dict) – the privacyidea config
13.1.3 LDAPResolver class privacyidea.lib.resolvers.LDAPIdResolver.IdResolver
checkPass(uid, password) This function checks the password for a given uid. - returns true in case of success - false if password does not match getResolverId() Returns the resolver Id This should be an Identifier of the resolver, preferable the type and the name of the resolver. getUserId(LoginName) resolve the loginname to the userid. Parameters LoginName (string) – The login name from the credentials Returns UserId as found for the LoginName getUserInfo(userId) This function returns all user info for a given userid/object.
13.1. UserIdResolvers 65 privacyIDEA Documentation, Release 1.4
Parameters userId (string) – The userid of the object Returns A dictionary with the keys defined in self.userinfo Return type dict getUserList(searchDict) Parameters searchDict (dict) – A dictionary with search parameters Returns list of users, where each user is a dictionary getUsername(userId) Returns the username/loginname for a given userid :param userid: The userid in this resolver :type userid: string :return: username :rtype: string loadConfig(config, conf ) Load the config from conf. Parameters • config (dict) – The configuration from the Config Table • conf (string) – the instance of the configuration
The information which config entries we need to load is taken from manage.js: function save_ldap_config ‘#ldap_uri’: ‘LDAPURI’, ‘#ldap_basedn’: ‘LDAPBASE’, ‘#ldap_binddn’: ‘BINDDN’, ‘#ldap_password’: ‘BINDPW’, ‘#ldap_timeout’: ‘TIMEOUT’, ‘#ldap_sizelimit’: ‘SIZELIMIT’, ‘#ldap_loginattr’: ‘LOGINNAMEATTRIBUTE’, ‘#ldap_searchfilter’: ‘LDAPSEARCHFILTER’, ‘#ldap_userfilter’: ‘LDAPFILTER’, ‘#ldap_mapping’: ‘USERINFO’, ‘#ldap_uidtype’: ‘UIDTYPE’, ‘#ldap_noreferrals’ : ‘NOREFERRALS’, ‘#ldap_certificate’: ‘CACERTIFICATE’,
classmethod setup(config=None, cache_dir=None) this setup hook is triggered, when the server starts to serve the first request Parameters config (the privacyidea config dict) – the privacyidea config classmethod testconnection(*args, **kwds) This function lets you test the to be saved LDAP connection. This is taken from controllers/admin.py Parameters param (dict) – A dictionary with all necessary parameter to test the connection. Returns Tuple of success and a description Return type (bool, string)
Parameters are: BINDDN, BINDPW, LDAPURI, TIMEOUT, LDAPBASE, LOGINNAMEAT- TRIBUTE, LDAPSEARCHFILTER, LDAPFILTER, USERINFO, SIZELIMIT, NOREFERRALS, CACERTIFICATE
66 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
13.2 Audit log
13.2.1 Base class class privacyidea.lib.audit.AuditBase
audit_entry_to_dict(audit_entry) If the searchQuery returns an iteretor with elements that are not a dictionary, the audit module needs to provide this function, to convert the audit entry to a dictionary. getTotal(param, AND=True, display_error=True) This method returns the total number of audit entries in the audit store initialize_log(param) This method initialized the log state. The fact, that the log state was initialized, also needs to be logged. Therefor the same params are passed as i the log method. log(*args, **kwds) This method is used to log the data. It should hash the data and do a hash chain and sign the data search(param, AND=True, display_error=True, rp_dict=None) This function is used to search audit events. param: Search parameters can be passed. return: A list of dictionaries is return. Each list element denotes an audit event. This function is deprecated. searchQuery(search_dict, rp_dict) This function returns the audit log as an iterator on the result set() This function could be used to set certain things like the signing key. But maybe it should only be read from privacyidea.ini?
13.2.2 SQL Audit module class privacyidea.lib.auditmodules.sqlaudit.Audit This is the SQLAudit module, which writes the audit entries to an SQL database table. It requires the configu- ration parameters: privacyideaAudit.sql.url (default: sqlalchemy.url) getTotal(param, AND=True, display_error=True) This method returns the total number of audit entries in the audit store log(*args, **kwds) This method is used to log the data. It should hash the data and do a hash chain and sign the data search(search_dict, rp_dict) This function returns the audit log as a list of dictionaries. searchQuery(search_dict, rp_dict) This function returns the audit log as an iterator on the result
13.2. Audit log 67 privacyIDEA Documentation, Release 1.4
13.3 Controllers
privacyIDEA is an open solution for strong two-factor authentication with One Time Passwords. The core modules and basic necessary components are licensed under the AGPLv3, so that you are able to have a complete working open source solution. But privacyIDEA is also open as far as its modular architecture is concerned. privacyIDEA aims to not bind you to any decision of the authentication protocol or it does not dictate you where your user information should be stored. This is achieved by its new, totally modular architecture. This is the controller module. The controllers provide the Web API to communicate with privacyIDEA. You can use the following controllers: account - used for loggin in to the selfservice admin - API to manage the tokens audit - to search the audit trail auth - to do authentication tests error - to display errors gettoken - to retrieve OTP values license - to manage license manage - the Web UI openid - the openid interface selfservice - the selfservice UI system - to configure the system testing - for testing purposes validate - for authenticating/ OTP checking
13.3.1 Base class
class privacyidea.lib.base.BaseController(*args, **kw) BaseController class - will be called with every request before_identity_check(*args, **kwds) This is a function that can be called in the __before__ method to check the identity set_language(*args, **kwds) Invoke before everything else. And set the translation language
13.3.2 Admin Controller class privacyidea.controllers.admin.AdminController(*args, **kw) The privacyidea.controllers are the implementation of the web-API to talk to the privacyIDEA server. The Ad- minController is used for administrative tasks like adding tokens to privacyIDEA, assigning tokens or revoking tokens. The functions of the AdminController are invoked like this https://server/admin/
68 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
method admin/check_serial description: This function checks, if a given serial will be unique. It returns True if the serial does not yet exist and new_serial as a new value for a serial, that does not exist, yet arguments: serial - required- the serial to be checked returns: a json result with a new suggestion for the serial exception: if an error occurs an exception is serialized and returned checkstatus(*args, **kwds) show the status either •of one dedicated challenge •of all challenges of a token •of all challenges belonging to all tokens of a user
Parameters • transactionid/state – the transaction id of the challenge • serial – serial number of the token - will show all challenges • user – Returns json result of token and challenges
copyTokenPin(*args, **kwds) method: admin/copyTokenPin description: copies the token pin from one token to another arguments: • from - required - serial of token from • to - required - serial of token to returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned copyTokenUser(*args, **kwds) method: admin/copyTokenUser description: copies the token user from one token to another arguments: • from - required - serial of token from • to - required - serial of token to returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned disable(*args, **kwds) method: admin/disable
13.3. Controllers 69 privacyIDEA Documentation, Release 1.4
description: disables a token given by serial or all tokens of a user arguments: • serial - optional • user - optional returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned enable(*args, **kwds) method: admin/enable description: enables a token or all tokens of a user arguments: • serial - optional • user - optional returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned getSerialByOtp(*args, **kwds) method: admin/getSerialByOtp description: searches for the token, that generates the given OTP value. The search can be restricted by several critterions arguments: • otp - required. Will search for the token, that produces this OTP value • type - optional, will only search in tokens of type • realm - optional, only search in this realm • assigned - optional. 1: only search assigned tokens, 0: only search unassigned tokens returns: a json result with the serial exception: if an error occurs an exception is serialized and returned init(*args, **kwds) method: admin/init description: creates a new token. arguments: • otpkey - required - the hmac Key of the token • genkey - required - =1, if key should be generated. We either need otpkey or genkey • keysize - optional - either 20 or 32. Default is 20 • serial - required - the serial number/identifier of the token • description - optional
70 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
• pin - optional - the pin of the user pass • user - optional - login user name • realm - optional - realm of the user • type - optional - the type of the token • tokenrealm - optional - the realm a token should be put into • otplen - optional - length of the OTP value • hashlib - optional - used hashlib sha1 oder sha256 ocra arguments: for generating OCRA Tokens type=ocra you can specify the following parameters:
• ocrasuite - optional - if you do not want to use the default ocra suite OCRA-1:HOTP- SHA256-8:QA64 • sharedsecret - optional - if you are in Step0 of enrolling an OCRA/QR token the sharedsecret=1 specifies, that you want to generate a shared secret • activationcode - optional - if you are in Step1 of enrolling an OCRA token you need to pass the activation code, that was generated in the QRTAN-App
returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned loadtokens(*args, **kwds) method: admin/loadtokens description: loads a whole token file to the server arguments: • file - the file in a post request • type - the file type. returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned losttoken(*args, **kwds) method: admin/losttoken description: creates a new password token and copies the PIN and the user of the old token to the new token. The old token is disabled. arguments: • serial - serial of the old token returns: a json result with the new serial an the password exception: if an error occurs an exception is serialized and returned
13.3. Controllers 71 privacyIDEA Documentation, Release 1.4
remove(*args, **kwds) method: admin/remove description: deletes either a certain token given by serial or all tokens of a user arguments: • serial - optional • user - optional returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned reset(*args, **kwds) method: admin/reset description: reset the FailCounter of a Token arguments: user or serial - to identify the tokens returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned resync(*args, **kwds) method: admin/resync - resync a token to a new counter description: this function resync the token, if the counter on server side is out of sync with the physical token. arguments: • serial - serial or user required • user - s.o. • otp1 - the next otp to be found • otp2 - the next otp after the otp1 returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned set(*args, **kwds) method: admin/set description: this function is used to set many different values of a token. arguments: • serial - optional • user - optional • pin - optional - set OTP PIN • MaxFailCount - optional - set maximum fail counter of a token
72 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
• SyncWindow - optional - set synchronization window of a token • OtpLen - optional - set OTP Lenght of the token • CounterWindow - optional - set counter window (blank presses) • hashlib - optioanl - set hashing algo for HMAC tokens. This can be sha1, sha256, sha512 • timeWindow - optional - set synchronize window for timebased tokens (in seconds) • timeStep - optional - set timestep for timebased tokens (usually 30 or 60 seconds) • timeShift - optional - set shift or timedrift of this token • countAuthSuccessMax - optional - set maximum allowed successful authentications • countAuthSuccess - optional - set counter of the successful authentications • countAuth - optional - set counter of authentications • countAuthMax - optional - set maximum allowed authentication tries • validityPeriodStart - optional - set start date of the validity period. The token can not be used before this date • validityPeriodEnd - optional - set end date of the validaity period. The token can not be used after this date • phone - set the phone number for an SMS token returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned setPin(*args, **kwds) method: admin/set description: This function sets the smartcard PINs of a eTokenNG OTP. The userpin is used to store the mOTP PIN of mOTP tokens! !!! For setting the OTP PIN, use the function /admin/set! arguments: • serial - required • userpin - optional: store the userpin • sopin - optional: store the sopin returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned show(*args, **kwds) method: admin/show description: displays the list of the available tokens arguments: • serial - optional: only this serial will be displayed • user - optional: only the tokens of this user will be displayed. If the user does not exist, priva- cyidea will search tokens of users, who contain this substring.
13.3. Controllers 73 privacyIDEA Documentation, Release 1.4
TODO: This can be very time consuming and will be changed in the next release to use wild- cards. • filter - optional: takes a substring to search in table token columns • viewrealm - optional: takes a realm, only the tokens in this realm will be displayed • sortby - optional: sort the output by column • sortdir - optional: asc/desc • page - optional: reqeuest a certain page • pagesize- optional: limit the number of returned tokens • user_fields - optional: additional user fields from the userid resolver of the owner (user) • outform - optional: if set to “csv”, than the token list will be given in CSV returns: a json result with: { “head”: [], “data”: [ [row1], [row2] .. ] } exception: if an error occurs an exception is serialized and returned testresolver(*args, **kwds) method: admin/testresolver description: This method tests a useridresolvers configuration arguments: • type - “LDAP”: depending on the type there are other parameters: – “SQL” • LDAP: – BINDDN – BINDPW – LDAPURI – TIMEOUT – LDAPBASE – LOGINNAMEATTRIBUTE – LDAPSEARCHFILTER – LDAPFILTER – USERINFO – LDAPSEARCHFILTER – SIZELIMIT – NOREFERRALS – CACERTIFICATE • SQL: – Driver – Server – Port
74 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
– Database – User – Password – Table • SCIM: – Authserver – Resourceserver – Client – Secret – Map returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned tokenrealm(*args, **kwds) method: admin/tokenrealm - set the realms a token belongs to description: sets the realms of a token arguments: • serial - required - serialnumber of the token • realms - required - comma seperated list of realms unassign(*args, **kwds) method: admin/unassign - remove the assigned user from the token description: unassigns a token from a user. i.e. the binding between the token and the user is removed arguments: • serial - required - the serial number/identifier of the token • user - optional returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned userlist(*args, **kwds) method: admin/userlist - list all users description: lists the user in a realm arguments: •
13.3. Controllers 75 privacyIDEA Documentation, Release 1.4
a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned
13.3.3 System Controller class privacyidea.controllers.system.SystemController(*args, **kw) The privacyidea.controllers are the implementation of the web-API to talk to the privacyIDEA server. The Sys- temController is used to configure the privacyIDEA server. The functions of the SystemController are invoked like this https://server/system/
76 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
returns: a json result if deleting the realm was successful exception: if an error occurs an exception is serialized and returned delResolver(*args, **kwds) method: system/delResolver description: this function deletes an existing resolver All config keys of this resolver get deleted arguments: resolver - the name of the resolver to delete. returns: success state exception: if an error occurs an exception is serialized and returned getConfig(*args, **kwds) retrieve value of a defined configuration key, or if no key is given, the complete configuration is returned if an error occurs an exception is serialized and returned •remark: the assumption is, that the access to system/getConfig is only allowed to privileged users
Parameters key – generic configuration entry name (optional) Returns a json result with key value or all key + value pairs
getDefaultRealm(*args, **kwds) method: system/getDefaultRealm description: this function returns the default realm arguments: ./. returns: a json description of the default realm exception: if an error occurs an exception is serialized and returned getPolicy(*args, **kwds) method: system/getPolicy description: this function is used to retrieve the policies that you defined. arguments: • realm - (optional) will return all policies in the given realm • name - (optional) will only return the policy with the given name • scope - (optional) will only return the policies within the given scope • export - (optional) The filename needs to be specified as the third part of the URL like /sys- tem/getPolicy/policy.cfg. It will then be exported to this file. • display_inactive - (optional) if set, then also inactive policies will be displayed returns: a json result with the configuration of the specified policies exception: if an error occurs an exception is serialized and returned getPolicyDef(*args, **kwds) method: system/getPolicyDef description: This is a helper function that returns the POSSIBLE policy definitions, that can be used to define your policies. arguments: scope - optional - if given, the function will only return policy definitions for the given scope.
13.3. Controllers 77 privacyIDEA Documentation, Release 1.4
returns: the policy definitions of • allowed scopes • allowed actions in scopes • type of actions exception: if an error occurs an exception is serialized and returned getRealms(*args, **kwds) method: system/getRealms description: returns all realm definitinos as a json result. arguments: returns: a json result with a list of Realms exception: if an error occurs an exception is serialized and returned Either the admin has the policy scope=system, action=read or he is rights in scope=admin for some realms. If he does not have the system-read-right, then he will only see the realms, he is admin of. getResolver(*args, **kwds) method: system/getResolver description: this function retrieves the definition of the resolver arguments: resolver - the name of the resolver returns: a json result with the configuration of a specified resolver exception: if an error occurs an exception is serialized and returned getResolvers(*args, **kwds) method: system/getResolvers descriptions: returns a json list of all useridresolvers arguments: returns: a json result with a list of all available resolvers exception: if an error occurs an exception is serialized and returned importPolicy(*args, **kwds) method: system/importPolicy description: This function is used to import policies from a file. arguments: file - mandatory: The policy file in the POST request policies_flexi(*args, **kwds) This function is used to fill the policies tab Unlike the complex /system/getPolcies function, it only returns a simple array of the tokens. setConfig() set a configuration key or a set of configuration entries parameter could either be in the form key=..&value=.. or as a set of generic keyname=value pairs.
78 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
*remark: In case of key-value pairs the type information could be provided by an additional parame- ter with same keyname with the postfix ”.type”. Value could then be ‘password’ to trigger the storing of the value in an encrypted form
Parameters • key – configuration entry name • value – configuration value • type – type of the value: int or string/text or password password will trigger to store the encrypted value • description – additional information for this config entry
•or
Parameters pairs (key-value) – pair of &keyname=value pairs Returns a json result with a boolean “result”: true
setDefault() method: system/set description: define default settings for tokens. These default settings are used when new tokens are generated. The default settings will not affect already enrolled tokens. arguments: DefaultMaxFailCount - Default value for the maximum allowed authentication failures DefaultSyncWindow - Default value for the synchronization window DefaultCountWindow - Default value for the coutner window DefaultOtpLen - Default value for the OTP value length – usually 6 or 8
DefaultResetFailCount - Default value, if the FailCounter should be reset on successful authenti- cation [True|False]
returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned setDefaultRealm(*args, **kwds) method: system/setDefaultRealm description: this function sets the given realm to the default realm arguments: realm - the name of the realm, that should be the default realm returns: a json result with a list of Realms exception: if an error occurs an exception is serialized and returned setPolicy(*args, **kwds) method: system/setPolicy
13.3. Controllers 79 privacyIDEA Documentation, Release 1.4
description: Stores a policy that define ACL or behaviour of several different actions in privacyIDEA. The policy is stored as configuration values like this: Policy.
13.3.4 Selfservice Controller class privacyidea.controllers.selfservice.SelfserviceController(*args, **kw)
activateqrtoken() return the form for an qr token activation assign() In this form the user may assign an already existing Token to himself. For this, the user needs to know the serial number of the Token. custom_style() In case the user hasn’t defined a custom css, Pylons calls this action. Return an empty file instead of a 404 (which would mean hitting the debug console) delete() In this form the user may select a token of his own and delete this token.
80 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
disable() In this form the user may select a token of his own and disable this token. enable() In this form the user may select a token of his own and enable this token. getotp() In this form, the user can retrieve OTP values history() This is the form to display the history table for the user index() This is the redirect to the first template load_form(*args, **kwds) This shows the enrollment form for a requested token type. implicit parameters are: Parameters • type – token type • scope – defines the rendering scope Returns rendered html of the requested token reset() In this form the user can reset the Failcounter of the Token. resync() In this form, the user can resync an HMAC based OTP token by providing two OTP values setmpin() In this form the user my set the PIN for his mOTP application soft token on his phone. This is the pin, he needs to enter on his phone, before a otp value will be generated. setpin() In this form the user may set the OTP PIN, which is the static password he enters when logging in in front of the otp value. token_call(*args, **kwds) the generic method call for an dynamic token unassign() In this form the user may select a token of his own and unassign this token. useractivateocratoken(*args, **kwds) useractivateocratoken - called from the selfservice web ui to activate the OCRA token Parameters • type (string) – ‘ocra’ • serial (string) – serial number of the token • activationcode (string - activationcode format) – the calculated activation code Returns dict about the token Return type { ‘activate’: True, ‘ocratoken’ [{] ‘url’ : url, ‘img’ : ‘’, ‘label’ : “%s@%s”% (self.authUser.login,
13.3. Controllers 81 privacyIDEA Documentation, Release 1.4
self.authUser.realm), ‘serial’ : serial, }} userassign(*args, **kwds) This is the internal assign function that is called from within the self service portal userdelete(*args, **kwds) This is the internal delete token function that is called from within the self service portal The user is only allowed to delete token, that belong to him. userdisable(*args, **kwds) This is the internal disable function that is called from within the self service portal userenable(*args, **kwds) This is the internal disable function that is called from within the self service portal to enable a token userfinshocra2token(*args, **kwds) userfinshocra2token - called from the selfservice web ui to finish the OCRA2 token to run the final check_t for the token
Parameters • passw (string) – the calculated verificaton otp • transactionid (string) – the transactionid Returns dict about the token Return type { ‘result’ = ok ‘failcount’ = int(failcount) }
userfinshocratoken(*args, **kwds) userfinshocratoken - called from the selfservice web ui to finish the OCRA token to run the final check_t for the token
Parameters • passw (string) – the calculated verificaton otp • transactionid (string) – the transactionid Returns dict about the token Return type { ‘result’ = ok ‘failcount’ = int(failcount) }
usergetSerialByOtp(*args, **kwds) method: selfservice/usergetSerialByOtp
description: searches for the token, that generates the given OTP value. The search can be restricted by several critterions This method only searches tokens in the realm of the user and tokens that are not assigned!
82 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
arguments: otp - required. Will search for the token, that produces this OTP value type - optional, will only search in tokens of type returns: a json result with the serial exception: if an error occurs an exception is serialized and returned
usergetmultiotp(*args, **kwds) Using this function the user may receive OTP values for his own tokens. method: selfservice/getmultiotp arguments: serial - the serial number of the token count - number of otp values to return curTime - used ONLY for internal testing: datetime.datetime object returns: JSON response userhistory(*args, **kwds) This returns the list of the tokenactions of this user It returns the audit information for the given search pattern method: selfservice/userhistory arguments: key, value pairs as search patterns. or: Usually the key=values will be locally AND concatenated. it a parameter or=true is passed, the filters will be OR concatenated. The Flexigrid provides us the following parameters: (‘page’, u‘1’), (‘rp’, u‘100’), (‘sortname’, u’number’), (‘sortorder’, u’asc’), (‘query’, u’‘), (‘qtype’, u’serial’)] returns: JSON response userinit(*args, **kwds) When the register motp button is hit, this function is called. userreset(*args, **kwds) This internally resets the failcounter of the given token. userresync(*args, **kwds) This is the internal resync function that is called from within the self service portal usersetmpin(*args, **kwds) When the user hits the set pin button, this function is called. usersetpin(*args, **kwds) When the user hits the set pin button, this function is called. usertokenlist() This returns a tokenlist as html output userunassign(*args, **kwds) This is the internal unassign function that is called from within the self service portal. The user is only allowed to unassign token, that belong to him. userwebprovision(*args, **kwds) This function is called, when the create OATHtoken button is hit. This is used for web provisioning. See: http://code.google.com/p/oathtoken/wiki/WebProvisioning and http://code.google.com/p/google-authenticator/wiki/KeyUriFormat
in param: type: valid values are “oathtoken” and “googleauthenticator” and “googleauthenticator_time”
13.3. Controllers 83 privacyIDEA Documentation, Release 1.4
It returns the data and the URL containing the HMAC key webprovisiongoogletoken() This is the form for an google token to do web provisioning. webprovisionoathtoken() This is the form for an oathtoken to do web provisioning.
13.3.5 Validate Controller class privacyidea.controllers.admin.AdminController(*args, **kw) The privacyidea.controllers are the implementation of the web-API to talk to the privacyIDEA server. The Ad- minController is used for administrative tasks like adding tokens to privacyIDEA, assigning tokens or revoking tokens. The functions of the AdminController are invoked like this https://server/admin/
Parameters • transactionid/state – the transaction id of the challenge • serial – serial number of the token - will show all challenges
84 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
• user – Returns json result of token and challenges
copyTokenPin(*args, **kwds) method: admin/copyTokenPin description: copies the token pin from one token to another arguments: • from - required - serial of token from • to - required - serial of token to returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned copyTokenUser(*args, **kwds) method: admin/copyTokenUser description: copies the token user from one token to another arguments: • from - required - serial of token from • to - required - serial of token to returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned disable(*args, **kwds) method: admin/disable description: disables a token given by serial or all tokens of a user arguments: • serial - optional • user - optional returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned enable(*args, **kwds) method: admin/enable description: enables a token or all tokens of a user arguments: • serial - optional • user - optional returns:
13.3. Controllers 85 privacyIDEA Documentation, Release 1.4
a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned getSerialByOtp(*args, **kwds) method: admin/getSerialByOtp description: searches for the token, that generates the given OTP value. The search can be restricted by several critterions arguments: • otp - required. Will search for the token, that produces this OTP value • type - optional, will only search in tokens of type • realm - optional, only search in this realm • assigned - optional. 1: only search assigned tokens, 0: only search unassigned tokens returns: a json result with the serial exception: if an error occurs an exception is serialized and returned init(*args, **kwds) method: admin/init description: creates a new token. arguments: • otpkey - required - the hmac Key of the token • genkey - required - =1, if key should be generated. We either need otpkey or genkey • keysize - optional - either 20 or 32. Default is 20 • serial - required - the serial number/identifier of the token • description - optional • pin - optional - the pin of the user pass • user - optional - login user name • realm - optional - realm of the user • type - optional - the type of the token • tokenrealm - optional - the realm a token should be put into • otplen - optional - length of the OTP value • hashlib - optional - used hashlib sha1 oder sha256 ocra arguments: for generating OCRA Tokens type=ocra you can specify the following parameters:
• ocrasuite - optional - if you do not want to use the default ocra suite OCRA-1:HOTP- SHA256-8:QA64 • sharedsecret - optional - if you are in Step0 of enrolling an OCRA/QR token the sharedsecret=1 specifies, that you want to generate a shared secret
86 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
• activationcode - optional - if you are in Step1 of enrolling an OCRA token you need to pass the activation code, that was generated in the QRTAN-App
returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned loadtokens(*args, **kwds) method: admin/loadtokens description: loads a whole token file to the server arguments: • file - the file in a post request • type - the file type. returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned losttoken(*args, **kwds) method: admin/losttoken description: creates a new password token and copies the PIN and the user of the old token to the new token. The old token is disabled. arguments: • serial - serial of the old token returns: a json result with the new serial an the password exception: if an error occurs an exception is serialized and returned remove(*args, **kwds) method: admin/remove description: deletes either a certain token given by serial or all tokens of a user arguments: • serial - optional • user - optional returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned reset(*args, **kwds) method: admin/reset description: reset the FailCounter of a Token arguments: user or serial - to identify the tokens
13.3. Controllers 87 privacyIDEA Documentation, Release 1.4
returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned resync(*args, **kwds) method: admin/resync - resync a token to a new counter description: this function resync the token, if the counter on server side is out of sync with the physical token. arguments: • serial - serial or user required • user - s.o. • otp1 - the next otp to be found • otp2 - the next otp after the otp1 returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned set(*args, **kwds) method: admin/set description: this function is used to set many different values of a token. arguments: • serial - optional • user - optional • pin - optional - set OTP PIN • MaxFailCount - optional - set maximum fail counter of a token • SyncWindow - optional - set synchronization window of a token • OtpLen - optional - set OTP Lenght of the token • CounterWindow - optional - set counter window (blank presses) • hashlib - optioanl - set hashing algo for HMAC tokens. This can be sha1, sha256, sha512 • timeWindow - optional - set synchronize window for timebased tokens (in seconds) • timeStep - optional - set timestep for timebased tokens (usually 30 or 60 seconds) • timeShift - optional - set shift or timedrift of this token • countAuthSuccessMax - optional - set maximum allowed successful authentications • countAuthSuccess - optional - set counter of the successful authentications • countAuth - optional - set counter of authentications • countAuthMax - optional - set maximum allowed authentication tries • validityPeriodStart - optional - set start date of the validity period. The token can not be used before this date
88 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
• validityPeriodEnd - optional - set end date of the validaity period. The token can not be used after this date • phone - set the phone number for an SMS token returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned setPin(*args, **kwds) method: admin/set description: This function sets the smartcard PINs of a eTokenNG OTP. The userpin is used to store the mOTP PIN of mOTP tokens! !!! For setting the OTP PIN, use the function /admin/set! arguments: • serial - required • userpin - optional: store the userpin • sopin - optional: store the sopin returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned show(*args, **kwds) method: admin/show description: displays the list of the available tokens arguments: • serial - optional: only this serial will be displayed • user - optional: only the tokens of this user will be displayed. If the user does not exist, priva- cyidea will search tokens of users, who contain this substring. TODO: This can be very time consuming and will be changed in the next release to use wild- cards. • filter - optional: takes a substring to search in table token columns • viewrealm - optional: takes a realm, only the tokens in this realm will be displayed • sortby - optional: sort the output by column • sortdir - optional: asc/desc • page - optional: reqeuest a certain page • pagesize- optional: limit the number of returned tokens • user_fields - optional: additional user fields from the userid resolver of the owner (user) • outform - optional: if set to “csv”, than the token list will be given in CSV returns: a json result with: { “head”: [], “data”: [ [row1], [row2] .. ] } exception: if an error occurs an exception is serialized and returned testresolver(*args, **kwds)
13.3. Controllers 89 privacyIDEA Documentation, Release 1.4
method: admin/testresolver description: This method tests a useridresolvers configuration arguments: • type - “LDAP”: depending on the type there are other parameters: – “SQL” • LDAP: – BINDDN – BINDPW – LDAPURI – TIMEOUT – LDAPBASE – LOGINNAMEATTRIBUTE – LDAPSEARCHFILTER – LDAPFILTER – USERINFO – LDAPSEARCHFILTER – SIZELIMIT – NOREFERRALS – CACERTIFICATE • SQL: – Driver – Server – Port – Database – User – Password – Table • SCIM: – Authserver – Resourceserver – Client – Secret – Map returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned
90 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
tokenrealm(*args, **kwds) method: admin/tokenrealm - set the realms a token belongs to description: sets the realms of a token arguments: • serial - required - serialnumber of the token • realms - required - comma seperated list of realms unassign(*args, **kwds) method: admin/unassign - remove the assigned user from the token description: unassigns a token from a user. i.e. the binding between the token and the user is removed arguments: • serial - required - the serial number/identifier of the token • user - optional returns: a json result with a boolean “result”: true exception: if an error occurs an exception is serialized and returned userlist(*args, **kwds) method: admin/userlist - list all users description: lists the user in a realm arguments: •
13.3.6 Audit Controller class privacyidea.controllers.audit.AuditController(*args, **kw) this is the controller for doing some audit stuff https://server/audit/
or: Usually the key=values will be locally AND concatenated. it a parameter or=true is passed, the filters will be OR concatenated.
13.3. Controllers 91 privacyIDEA Documentation, Release 1.4
The Flexigrid provides us the following parameters: (‘page’, u‘1’), (‘rp’, u‘100’), (‘sortname’, u’number’), (‘sortorder’, u’asc’), (‘query’, u’‘), (‘qtype’, u’serial’)]
returns: JSON response or csv format
13.3.7 OCRA Controller class privacyidea.controllers.ocra.OcraController(*args, **kw) The OcraController implements challenges/response tokens according to RFC 6287 calculateOtp(*args, **kwds) check_t(*args, **kwds) method: orcra/check_t description: verify the response of the ocra token arguments: • transactionid: (required - string) Dies ist eine Transaktions-ID, die bei der Challenge aus- gegeben wurde. • pass: (required - string) die response, die der OCRA Token auf Grund der Challenge berechnet hat returns: A JSON response:
{ "version":"privacyIDEA 2.4", "jsonrpc":"2.0", "result":{ "status": true, "value":{ "failcount":3, "result": false } }, "id":0 }
exception: checkstatus(*args, **kwds) method: orcra/checkstatus description: Methode zur assynchronen Ueberpruefungen eines Challenge Response Valiadation requests arguments: •transactionid: (required one of - string - (hex)) Dies ist eine Transaktions-ID, die bei der Challenge ausgegeben wurde. •serial: (required one of - string) die Serien Nummer des OCRA Token •user: (required one of - string) die Benutzer eines Tokens required is one of (user,serial,transactionid) returns:
92 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
A JSON response:
{ "version":"privacyIDEA 2.4", "jsonrpc":"2.0", "result":{ "status": true, "value":[ { "serial": SERIENNUMMER1, "transactionid": TRANSACTIONID1, "received_tan": true, "valid_tan": true, "failcount":0 }, { "serial": SERIENNUMMER1, "transactionid": TRANSACTIONID2, "received_tan": false, "valid_tan": false, "failcount":0 }, { "serial": SERIENNUMMER2, "transactionid": TRANSACTIONID3, "received_tan": true, "valid_tan": false, "failcount":2 }, ] }, "id":0 }
exception: getActivationCode(*args, **kwds) method: orcra/getActivationCode description: returns an valid example activcation code arguments: ./. returns: JSON with “activationcode”: “JZXW4ZI=2A” request(*args, **kwds) method: orcra/request description: request a challenge for a user or for a serial number (token). arguments: • serial: (required - string) Serial number of the token, for which a challenge should be generated (either serial or user is required) • user: (required - string) The user for whose token a challenge should be generated If the user has more than one token, an error is returend. (either serial or user is required) • data: (required - String: URLendoced) These are the display data, that can be used to generate the challenge
13.3. Controllers 93 privacyIDEA Documentation, Release 1.4
remark: the app will report a wrong qrcode, if the policy {‘authentication’ : qrtanurl=https://localhost } is not defined !! returns: A JSON respone:
{ "version":"privacyIDEA 2.4", "jsonrpc":"2.0", "result":{ "status": true, "value": false, }, "detail":{ "transactionid" : TRANSAKTIONSID, "data" : DATAOBJECT, } }
•transactionid: This is the transaction ID, that is used later for verifying the Return code /TAN. •data: This is an object (URL) which can be used to generate a QR-Coide to be displayed to the QRTAN App
exception:
13.3.8 Gettoken Controller class privacyidea.controllers.gettoken.GettokenController(*args, **kw) The privacyidea.controllers are the implementation of the web-API to talk to the privacyIDEA server. The ValidateController is used to validate the username with its given OTP value. The Tagespasswort Token uses this controller to retrieve the current OTP value of the Token and be able to set it in the application The functions of the GettokenController are invoked like this https://server/gettoken/
Parameters • serial – the serial number of the token • count – number of otp values to return • curTime (datetime object) – ONLY for internal testing: datetime.datetime object • timestamp (int) – the unix time Returns JSON response
94 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
getotp(*args, **kwds) This function is used to retrieve the current otp value for a given user or a given serial If the user has more than one token, the list of the tokens is returned. method: gettoken/getotp arguments: user - username / loginname realm - additional realm to match the user to a useridresolver serial - the serial number of the token curTime - used ONY for internal testing: datetime.datetime object returns: JSON response
13.4 library functions
The lib module holds many low level functions. These functions are also called by the controllers.
13.4.1 Policy Class class privacyidea.lib.policy.PolicyClass(request, config, templ_context, privacyIDEA- Config, tokenrealms=[], tokentype=None, to- ken_type_list=None) This class is used to check policies. The contstructor takes all arguments so that the policy logic in itself does not need to access any pylons functions.
checkOTPPINPolicy(*args, **kwds) This function checks the given PIN (OTP PIN) against the policy returned by the function getOTPPINPolicy It returns a dictionary: {‘success’: True/False, ‘error’: errortext} At the moment this works for the selfservice portal checkPolicyPost(*args, **kwds) This function will check policies after a successful action in a controller. E.g. this can be setting a random PIN after successfully enrolling a token. Parameters • controller – the controller context • method – the calling action • param – This is a dictionary with the necessary parameters. • auth_user – This is the authenticated user. For the selfservice this will be the user in the selfservice portal, for admin or manage it will be the administrator Returns It returns a dictionary with the necessary results. These depend on the controller. checkPolicyPre(*args, **kwds) This function will check for all policy definition for a certain controller/method It is run directly before doing the action in the controller. I will raise an exception, if it fails. Parameters • param (dict) – This is a dictionary with the necessary parameters.
13.4. library functions 95 privacyIDEA Documentation, Release 1.4
• options (dict) – additional options Returns dictionary with the necessary results. These depend on the controller. check_auth_serial(*args, **kwds) Checks if the token with the serial number matches the serial authorize policy scope=authorizaion, ac- tion=serial Parameters • serial (string) – The serial number of the token to check • exception (boolean) – If “True” an exception is raised instead of returning False • user (User object) – User to narrow down the policy Returns result Return type boolean check_auth_tokentype(*args, **kwds) Checks if the token type of the given serial matches the tokentype policy Returns True/False - returns true or false or raises an exception if exception=True check_user_authorization(*args, **kwds) check if the given user/realm is in the given policy. The realm may contain the wildcard ‘*’, then the policy holds for all realms. If no username or ‘*’ is given, the policy holds for all users. attributes: login - loginname of the user realm - realm of the user exception - wether it should return True/False or raise an Exception classmethod create_policy_export_file(*args, **kwds) This function takes a policy dictionary and creates an export file from it getAdminPolicies(*args, **kwds) This internal function returns the admin policies (of scope=admin) for the currently authenticated admin- istrativ user.__builtins__ Parameters • action – this is the action (like enable, disable, init...) • lowerRealms – if set to True, the list of realms returned will be lower case. Returns a dictionary with the following keys: active (if policies are used) realms (the realms, in which the admin is allowed to do this action) resolvers (the resolvers in which the admin is allowed to perform this action) admin (the name of the authenticated admin user) getAuthorization(*args, **kwds) This internal function returns the Authorization within some scope=license or the scope=system. for the currently authenticated administrativ user. This does not take into account the REALMS! arguments: action - this is the action scope = license setlicense scope = system read write
96 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
returns: a dictionary with the following keys: active (if policies are used) admin (the name of the authen- ticated admin user) auth (True if admin is authorized for this action) getOTPPINEncrypt(*args, **kwds) This function returns, if the otppin should be stored as an encrpyted value getOTPPINPolicies(*args, **kwds) This internal function returns the PIN policies for a realm. These policies can either be in the scope “selfservice” or “admin” The policy define when resettng an OTP PIN: •what should be the length of the otp pin •what should be the contents of the otp pin by the actions: otp_pin_minlength = otp_pin_maxlength = otp_pin_contents = [cns] (character, number, spe- cial character)
Returns dictionary like {contents: “cns”, min: 7, max: 10}
getPolicy(*args, **kwds) Function to retrieve the list of policies. attributes: name: (optional) will only return the policy with the name user: (optional) will only return the policies for this user realm: (optional) will only return the policies of this realm scope: (optional) will only return the policies within this scope action: (optional) will only return the policies with this action The action can also be something like “otppin” and will return policies containing “otppin = 2” returns: a dictionary with the policies. The name of the policy being the key getPolicyActionValue(*args, **kwds) This function retrieves the int value of an action from a list of policies input policies: list of policies as returned from config.getPolicy This is a list of dictionaries action: an action, to be searched max: if True, it will return the highest value, if there are multiple policies if False, it will return the lowest value, if there are multiple policies String: if True, the value is a string and not an integer pol10: { * action: “maxtoken = 10” * scope: “enrollment” * realm: “realm1” * user: “” * time: “” } getRandomOTPPINLength(*args, **kwds) This internal function returns the length of the random otp pin that is define in policy scope = enrollment, action = otp_pin_random = 111 getSelfserviceActions(*args, **kwds) This function returns the allowed actions in the self service portal for the given user get_auth_AutoSMSPolicy(*args, **kwds) Returns true, if the autosms policy is set in one of the realms return: True or False input: list of realms get_auth_PinPolicy(*args, **kwds) Returns the PIN policy, that defines, how the OTP PIN is to be verified within the given realm
13.4. library functions 97 privacyIDEA Documentation, Release 1.4
return: 0 - verify against fixed OTP PIN 1 - verify the password component against the UserResolver (LPAP Password etc.) 2 - verify no OTP PIN at all! Only OTP value! The policy is defined via scope : authentication realm : .... action: otppin=0/1/2 client: IP user : some user get_auth_challenge_response(*args, **kwds) returns True, if the user in this realm with this token type should be authenticated via Challenge Response Parameters • user – the user object • ttype – the type of the token Returns bool get_auth_passOnNoToken(*args, **kwds) returns True, if the user in this realm should be always authenticated in case the user has no tokens assigned. get_auth_passthru(*args, **kwds) returns True, if the user in this realm should be authenticated against the UserIdResolver in case the user has no tokens assigned. get_auth_smstext(*args, **kwds) this function checks the policy scope=authentication, action=smstext This is a string policy The function returns the tuple (bool, string), bool: If a policy is defined string: the string to use get_autoassignment(*args, **kwds) this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined. get_c() returns the modified template context get_client_policy(*args, **kwds) This function returns the dictionary of policies for the given client. 1. First it searches for all policies matching (scope, action, realm) and checks, whether the given client is contained in the policy field client. If no policy for the given client is found it takes the policy without a client 2. Then it strips down the returnable policies to those, that only contain the username - UNLESS - none of the above policies contains a username 3.then we try to find resolvers in the username (OPTIONAL) get_machine_manage_policies(*args, **kwds) Return the machine manage policies Returns dictionary with the polcies for this administrator Todo: Also take care of realms... get_pin_policies(*args, **kwds) lookup for the pin policies - the list of policies is preserved for repeated lookups : raises: exception, if more then one pin policies are matching Parameters user – the policies which are applicable to the user
98 Chapter 13. The code documentaton privacyIDEA Documentation, Release 1.4
Returns list of otppin id’s get_qrtan_url(*args, **kwds) Returns the URL for the half automatic mode for the QR TAN token for the given realm Returns url string get_tokenlabel(*args, **kwds) This internal function returns the naming of the token as defined in policy scope = enrollment, action = tokenname = : token serial This function is used by the creation of googleauthenticator url ignore_autoassignment_pin(*args, **kwds) This function checks the policy scope=enrollment, action=ignore_autoassignment_pin This is a boolean policy. The function returns true, if the password used in the autoassignment should not be set as token pin. is_auth_return(*args, **kwds) returns True if the policy scope = authorization action = detail_on_success/detail_on_fail is set.
Parameters success (bool) – Defines if we should check of the policy detaul_on_success (True) or detail_on_fail (False)
is_auth_selfservice_otp(*args, **kwds) check the policy scope:selfservice, action:auth=otp Parameters • username – The username who logs in to selfservice • realm – The realm of the user, who logs in to selfserivce Returns If the user should authenticate with OTP Return type boolean set_realm(*args, **kwds) this function reads the policy scope: authorization, client: x.y.z, action: setrealm=new_realm and over- writes the existing realm of the user with the new_realm. This can be used, if the client is not able to pass a realm and the users are not be located in the default realm. returns: realm - name of the new realm taken from the policy
13.4.2 Application Class class privacyidea.lib.applications.MachineApplicationBase
application_name = ‘base’ If bulk_call is false, the administrator may only retrieve authentication items for the very host he is starting the request. get_authentication_item(token_type, serial, challenge=None) returns a dictionary of authentication items like public keys, challenges, responses... classmethod get_name() returns the identifying name of this application class
13.4. library functions 99 privacyIDEA Documentation, Release 1.4
get_options() returns a dictionary with a list of required and optional options
100 Chapter 13. The code documentaton CHAPTER FOURTEEN
INDICES AND TABLES
• genindex • modindex • search
101 privacyIDEA Documentation, Release 1.4
102 Chapter 14. Indices and tables PYTHON MODULE INDEX
p privacyidea.controllers, 68 privacyidea.lib, 95 privacyidea.lib.auditmodules, 67 privacyidea.lib.resolvers, 63
103 privacyIDEA Documentation, Release 1.4
104 Python Module Index INDEX
A check_auth_tokentype() (priva- activateqrtoken() (priva- cyidea.lib.policy.PolicyClass method), 96 cyidea.controllers.selfservice.SelfserviceControllercheck_serial() (privacyidea.controllers.admin.AdminController method), 80 method), 68, 84 Active Directory, 15, 16 check_t() (privacyidea.controllers.ocra.OcraController admin policies, 35 method), 92 AdminController (class in privacyidea.controllers.admin), check_user_authorization() (priva- 68, 84 cyidea.lib.policy.PolicyClass method), 96 appliance,5 checkOTPPINPolicy() (priva- application_name (priva- cyidea.lib.policy.PolicyClass method), 95 cyidea.lib.applications.MachineApplicationBase checkPass() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver attribute), 99 method), 65 assign() (privacyidea.controllers.admin.AdminController checkPass() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver method), 68, 84 method), 64 assign() (privacyidea.controllers.selfservice.SelfserviceControllercheckPass() (privacyidea.lib.resolvers.UserIdResolver.UserIdResolver method), 80 method), 63 audit,9 checkPolicy() (privacyidea.controllers.system.SystemController Audit (class in privacyidea.lib.auditmodules.sqlaudit), 67 method), 76 audit modules, 67 checkPolicyPost() (privacyidea.lib.policy.PolicyClass audit policies, 49 method), 95 audit_entry_to_dict() (privacyidea.lib.audit.AuditBase checkPolicyPre() (privacyidea.lib.policy.PolicyClass method), 67 method), 95 AuditBase (class in privacyidea.lib.audit), 67 checkstatus() (privacyidea.controllers.admin.AdminController AuditController (class in privacyidea.controllers.audit), method), 69, 84 91 checkstatus() (privacyidea.controllers.ocra.OcraController authenticating client, 21 method), 92 authentication policies, 46 checkUserId() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver authorization policies, 48 method), 64 autoassignment, 45 checkUserName() (priva- autoresync, 21 cyidea.lib.resolvers.PasswdIdResolver.IdResolver method), 64 B Clickatel, 22 client, 21 BaseController (class in privacyidea.lib.base), 68 client machines, 55 before_identity_check() (priva- client policies, 40 cyidea.lib.base.BaseController method), close() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver 68 method), 64 C close() (privacyidea.lib.resolvers.UserIdResolver.UserIdResolver method), 63 calculateOtp() (privacyidea.controllers.ocra.OcraController configuration, 15 method), 92 controllers, 68 check_auth_serial() (privacyidea.lib.policy.PolicyClass method), 96
105 privacyIDEA Documentation, Release 1.4 copyTokenPin() (priva- get_auth_PinPolicy() (privacyidea.lib.policy.PolicyClass cyidea.controllers.admin.AdminController method), 97 method), 69, 85 get_auth_smstext() (privacyidea.lib.policy.PolicyClass copyTokenUser() (priva- method), 98 cyidea.controllers.admin.AdminController get_authentication_item() (priva- method), 69, 85 cyidea.lib.applications.MachineApplicationBase count window, 27 method), 99 create_policy_export_file() (priva- get_autoassignment() (privacyidea.lib.policy.PolicyClass cyidea.lib.policy.PolicyClass class method), method), 98 96 get_c() (privacyidea.lib.policy.PolicyClass method), 98 custom_style() (privacyidea.controllers.selfservice.SelfserviceControllerget_client_policy() (privacyidea.lib.policy.PolicyClass method), 80 method), 98 get_machine_manage_policies() (priva- D cyidea.lib.policy.PolicyClass method), 98 DB2, 16 get_name() (privacyidea.lib.applications.MachineApplicationBase default realm, 19 class method), 99 delConfig() (privacyidea.controllers.system.SystemControllerget_options() (privacyidea.lib.applications.MachineApplicationBase method), 76 method), 99 delete() (privacyidea.controllers.selfservice.SelfserviceControllerget_pin_policies() (privacyidea.lib.policy.PolicyClass method), 80 method), 98 delPolicy() (privacyidea.controllers.system.SystemControllerget_qrtan_url() (privacyidea.lib.policy.PolicyClass method), 76 method), 99 delRealm() (privacyidea.controllers.system.SystemControllerget_tokenlabel() (privacyidea.lib.policy.PolicyClass method), 76 method), 99 delResolver() (privacyidea.controllers.system.SystemControllergetActivationCode() (priva- method), 77 cyidea.controllers.ocra.OcraController disable() (privacyidea.controllers.admin.AdminController method), 93 method), 69, 85 getAdminPolicies() (privacyidea.lib.policy.PolicyClass disable() (privacyidea.controllers.selfservice.SelfserviceController method), 96 method), 80 getAuthorization() (privacyidea.lib.policy.PolicyClass method), 96 E getConfig() (privacyidea.controllers.system.SystemController enable() (privacyidea.controllers.admin.AdminController method), 77 method), 70, 85 getDefaultRealm() (priva- enable() (privacyidea.controllers.selfservice.SelfserviceController cyidea.controllers.system.SystemController method), 81 method), 77 enroll token, 30 getmultiotp() (privacyidea.controllers.gettoken.GettokenController enrollment policies, 44 method), 94 getotp() (privacyidea.controllers.gettoken.GettokenController F method), 95 getotp() (privacyidea.controllers.selfservice.SelfserviceController failcount, 27 method), 81 flatfile resolver, 15 getOTPPINEncrypt() (privacyidea.lib.policy.PolicyClass FreeIPA, 16 method), 97 G getOTPPINPolicies() (privacyidea.lib.policy.PolicyClass method), 97 get_auth_AutoSMSPolicy() (priva- getPolicy() (privacyidea.controllers.system.SystemController cyidea.lib.policy.PolicyClass method), 97 method), 77 get_auth_challenge_response() (priva- getPolicy() (privacyidea.lib.policy.PolicyClass method), cyidea.lib.policy.PolicyClass method), 98 97 get_auth_passOnNoToken() (priva- getPolicyActionValue() (priva- cyidea.lib.policy.PolicyClass method), 98 cyidea.lib.policy.PolicyClass method), 97 get_auth_passthru() (privacyidea.lib.policy.PolicyClass getPolicyDef() (privacyidea.controllers.system.SystemController method), 98 method), 77
106 Index privacyIDEA Documentation, Release 1.4 getRandomOTPPINLength() (priva- getUserInfo() (privacyidea.lib.resolvers.UserIdResolver.UserIdResolver cyidea.lib.policy.PolicyClass method), 97 method), 64 getRealms() (privacyidea.controllers.system.SystemControllergetUserList() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver method), 78 method), 66 getResolver() (privacyidea.controllers.system.SystemControllergetUserList() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver method), 78 method), 65 getResolverClassDescriptor() (priva- getUserList() (privacyidea.lib.resolvers.UserIdResolver.UserIdResolver cyidea.lib.resolvers.PasswdIdResolver.IdResolver method), 64 class method), 64 getUsername() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver getResolverClassDescriptor() (priva- method), 66 cyidea.lib.resolvers.UserIdResolver.UserIdResolvergetUsername() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver class method), 63 method), 65 getResolverClassType() (priva- getUsername() (privacyidea.lib.resolvers.UserIdResolver.UserIdResolver cyidea.lib.resolvers.UserIdResolver.UserIdResolver method), 64 class method), 63 getResolverDescriptor() (priva- H cyidea.lib.resolvers.UserIdResolver.UserIdResolverhistory() (privacyidea.controllers.selfservice.SelfserviceController method), 63 method), 81 getResolverId() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver method), 65 I getResolverId() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolverIdResolver (class in priva- method), 64 cyidea.lib.resolvers.LDAPIdResolver), 65 getResolverId() (privacyidea.lib.resolvers.UserIdResolver.UserIdResolverIdResolver (class in priva- method), 63 cyidea.lib.resolvers.PasswdIdResolver), 64 getResolvers() (privacyidea.controllers.system.SystemControllerignore_autoassignment_pin() (priva- method), 78 cyidea.lib.policy.PolicyClass method), 99 getResolverType() (priva- import, 61 cyidea.lib.resolvers.UserIdResolver.UserIdResolverimportPolicy() (privacyidea.controllers.system.SystemController method), 63 method), 78 getSearchFields() (priva- index() (privacyidea.controllers.selfservice.SelfserviceController cyidea.lib.resolvers.PasswdIdResolver.IdResolver method), 81 method), 64 init file,9 getSelfserviceActions() (priva- init() (privacyidea.controllers.admin.AdminController cyidea.lib.policy.PolicyClass method), 97 method), 70, 86 getserial, 37 initialize_log() (privacyidea.lib.audit.AuditBase method), getSerialByOtp() (priva- 67 cyidea.controllers.admin.AdminController is_auth_return() (privacyidea.lib.policy.PolicyClass method), 70, 86 method), 99 gettoken policies, 51 is_auth_selfservice_otp() (priva- GettokenController (class in priva- cyidea.lib.policy.PolicyClass method), 99 cyidea.controllers.gettoken), 94 getTotal() (privacyidea.lib.audit.AuditBase method), 67 L getTotal() (privacyidea.lib.auditmodules.sqlaudit.Audit LDAP, 15 method), 67 LDAP resolver, 16 getUserId() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver library, 95 method), 65 load_form() (privacyidea.controllers.selfservice.SelfserviceController getUserId() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver method), 81 method), 65 loadConfig() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver getUserId() (privacyidea.lib.resolvers.UserIdResolver.UserIdResolver method), 66 method), 63 loadConfig() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver getUserInfo() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver method), 65 method), 65 loadFile() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver getUserInfo() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver method), 65 method), 65
Index 107 privacyIDEA Documentation, Release 1.4 loadtokens() (privacyidea.controllers.admin.AdminControllerrealm autocreation, 20 method), 71, 87 realm edit, 20 log() (privacyidea.lib.audit.AuditBase method), 67 realms, 19 log() (privacyidea.lib.auditmodules.sqlaudit.Audit remove() (privacyidea.controllers.admin.AdminController method), 67 method), 71, 87 Logging, 11 request() (privacyidea.controllers.ocra.OcraController Lost token, 27 method), 93 lost token, 46 reset() (privacyidea.controllers.admin.AdminController losttoken() (privacyidea.controllers.admin.AdminController method), 72, 87 method), 71, 87 reset() (privacyidea.controllers.selfservice.SelfserviceController method), 81 M resync token, 29 machine policies, 49 resync() (privacyidea.controllers.admin.AdminController MachineApplicationBase (class in priva- method), 72, 88 cyidea.lib.applications), 99 resync() (privacyidea.controllers.selfservice.SelfserviceController machines, 55 method), 81 maxfail, 27 MySQL, 16 S SCIM resolver, 19 N scope, 35 Novell eDirectory, 16 search() (privacyidea.controllers.audit.AuditController method), 91 O search() (privacyidea.lib.audit.AuditBase method), 67 OCRA policies, 50 search() (privacyidea.lib.auditmodules.sqlaudit.Audit OcraController (class in privacyidea.controllers.ocra), 92 method), 67 OpenLDAP, 16 searchQuery() (privacyidea.lib.audit.AuditBase method), Oracle, 16 67 OTP length, 29 searchQuery() (privacyidea.lib.auditmodules.sqlaudit.Audit OTP list, 10 method), 67 out of sync, 29 selfservice policies, 40 override client, 21 SelfserviceController (class in priva- overview,3 cyidea.controllers.selfservice), 80 set() (privacyidea.controllers.admin.AdminController P method), 72, 88 set() (privacyidea.lib.audit.AuditBase method), 67 pass on user no token, 21 set_language() (privacyidea.lib.base.BaseController pass on user not found, 21 method), 68 passOnNoToken, 47 set_realm() (privacyidea.lib.policy.PolicyClass method), passthru, 47 99 Penrose, 16 setConfig() (privacyidea.controllers.system.SystemController pip install,5 method), 78 policies, 35 setDefault() (privacyidea.controllers.system.SystemController policies_flexi() (privacyidea.controllers.system.SystemController method), 79 method), 78 setDefaultRealm() (priva- PolicyClass (class in privacyidea.lib.policy), 95 cyidea.controllers.system.SystemController PostgreSQL, 16 method), 79 printed OTP list, 10 setmpin() (privacyidea.controllers.selfservice.SelfserviceController privacyidea.controllers (module), 68 method), 81 privacyidea.lib (module), 95 setPin() (privacyidea.controllers.admin.AdminController privacyidea.lib.auditmodules (module), 67 method), 73, 89 privacyidea.lib.resolvers (module), 63 setpin() (privacyidea.controllers.selfservice.SelfserviceController R method), 81 setPolicy() (privacyidea.controllers.system.SystemController realm administrator, 37 method), 79
108 Index privacyIDEA Documentation, Release 1.4 setRealm() (privacyidea.controllers.system.SystemControlleruserenable() (privacyidea.controllers.selfservice.SelfserviceController method), 80 method), 82 setResolver() (privacyidea.controllers.system.SystemControlleruserfinshocra2token() (priva- method), 80 cyidea.controllers.selfservice.SelfserviceController setup() (privacyidea.lib.resolvers.LDAPIdResolver.IdResolver method), 82 class method), 66 userfinshocratoken() (priva- setup() (privacyidea.lib.resolvers.PasswdIdResolver.IdResolver cyidea.controllers.selfservice.SelfserviceController class method), 65 method), 82 show() (privacyidea.controllers.admin.AdminController usergetmultiotp() (priva- method), 73, 89 cyidea.controllers.selfservice.SelfserviceController Sipgate, 22 method), 83 SMS Gateway, 22 usergetSerialByOtp() (priva- SMS token, 22 cyidea.controllers.selfservice.SelfserviceController SQL resolver, 16 method), 82 sqlite, 16 userhistory() (privacyidea.controllers.selfservice.SelfserviceController syncwindow, 29 method), 83 system config, 20 UserIdResolver (class in priva- system policies, 39 cyidea.lib.resolvers.UserIdResolver), 63 SystemController (class in priva- useridresolvers, 15, 63 cyidea.controllers.system), 76 userinit() (privacyidea.controllers.selfservice.SelfserviceController method), 83 T userlist() (privacyidea.controllers.admin.AdminController testconnection() (priva- method), 75, 91 cyidea.lib.resolvers.LDAPIdResolver.IdResolver userreset() (privacyidea.controllers.selfservice.SelfserviceController class method), 66 method), 83 testresolver() (privacyidea.controllers.admin.AdminControlleruserresync() (privacyidea.controllers.selfservice.SelfserviceController method), 74, 89 method), 83 token,3 usersetmpin() (privacyidea.controllers.selfservice.SelfserviceController token configuration, 22 method), 83 token default settings, 20 usersetpin() (privacyidea.controllers.selfservice.SelfserviceController token description, 27 method), 83 token_call() (privacyidea.controllers.selfservice.SelfserviceControllerusertokenlist() (privacyidea.controllers.selfservice.SelfserviceController method), 81 method), 83 tokenrealm() (privacyidea.controllers.admin.AdminControlleruserunassign() (privacyidea.controllers.selfservice.SelfserviceController method), 75, 90 method), 83 tokenview, 27 userview, 33 tools, 59 userwebprovision() (priva- cyidea.controllers.selfservice.SelfserviceController U method), 83 ubuntu,5 unassign() (privacyidea.controllers.admin.AdminController V method), 75, 91 virtual environment,5 unassign() (privacyidea.controllers.selfservice.SelfserviceController method), 81 W useractivateocratoken() (priva- webprovisiongoogletoken() (priva- cyidea.controllers.selfservice.SelfserviceController cyidea.controllers.selfservice.SelfserviceController method), 81 method), 84 userassign() (privacyidea.controllers.selfservice.SelfserviceControllerwebprovisionoathtoken() (priva- method), 82 cyidea.controllers.selfservice.SelfserviceController userdelete() (privacyidea.controllers.selfservice.SelfserviceController method), 84 method), 82 userdisable() (privacyidea.controllers.selfservice.SelfserviceController method), 82
Index 109