privacyIDEA has always assumed that the authentication will be used in an existing network on top of an existing application. Looking at a corporate network or at any application like your blog software, your VPN, your local login, there are always users. Users already exist. So I guess the assumption was and is still right.
This is why privacyIDEA implements the concept of User Resolver. The user resolver connects to these existing users. Be it in an SQL database (like your Web Blog users), in a flat file (like /etc/passwd with your local logins) or in an LDAP (e.g. you company runs an Active Directory).
But I had to learn that this is sometimes difficult for administrators to get started with privacyIDEA. “Yes, there is the corporate Active Directory, but I just want to setup the VPN quickly…”. I had discussions on the mailing list and in real life and finally I came to see, that it really would be nice to
make users editable from within privacyIDEA.
Roughly there were at least two possibilities to make users editable in privacyIDEA. I came up with a simple and lame idea and a more attractive and INHO complete sensible one.
If there are already connectors to user stores (resolvers) -- why not use these to not only read information from the store but also write information to the store. If the token administrator wishes to. If the user store administrator allows us to. If everything is right.
So each resolver can be editable or not. As a matter of fact, at the moment only the SQL resolver contains the code, to modify users in the user store. (Which will be release with upcoming version 2.4). Nevertheless other resolver types could also support the modification of users in the user store.
The idea is, that you can use privacyIDEA the way you are used to but are also able to define dedicated resolver for easy access and modification of users.
I am not talking about code at this point but about the work flow, to give you an idea how to handle things.
The definition of an SQL resolver will contain a flag, to signal if the resolver should be editable.
You know privacyIDEA supports a sophisticated rights and access management for the administration. So an administrator who is allowed to define realms and resolvers can basically allow that users in a resolver can be modified.
In addition administrators can be assigned the right to modify the users.
This way you can decide which administrator will be able to modify or add or delete users. And you can define, which realm/resolver is not editable at all.
And of course, if the database administrator does not provide you a database user accout, who has write access to the database, checking the checkbox “Edit user store” does not help at all 😉
Setting it up
So I hope, that you get the idea behind it. You can of course go to the web interface and click and define your resolver. But this might be to time consuming for you, if you are new to privacyIDEA and the web ui. So there is an even easier way to do so, using the command line tool pi-manage.py:
pi-manage.py resolver create_internal myfirstresolver pi-manage.py realm create myrealm myfirstresolver
Done. You ended up with an editable resolver and a realm called “myrealm”.
You can add, update and delete users in this realm (in fact in the resolver).
Quick. Isn’t it?
Now, manage your users
Add a user
To add a user, you can go to Userview->Add User, select the resolver “myfirstresolver” and enter all required user data.
Edit a user
To edit an existing user, go to the User Details and click the button “Edit”. Now you can change all the users attributes.
For more information see the documentation at readthedocs.
Check it out
This feature will be available in privacyIDEA 2.4. You can get a preview of this by installing the development version 2.4dev4 from the PPA respository:
add-apt-repository ppa:privacyidea/privacyidea-dev apt-get update apt-get install privacyidea-apache2