7.6. WebUI Policies

7.6.1. login_mode

type: string

allowed values: “userstore”, “privacyIDEA”, “disable”

If set to userstore (default), users and administrators need to authenticate with the password of their userstore, which can be an LDAP service or an SQL database.

If this action is set to login_mode=privacyIDEA, users and administrators need to authenticate against privacyIDEA when logging in to the WebUI. That is, they can no longer log in with their domain password but need to authenticate with one of their tokens.

If set to login_mode=disable, the users and administrators of the specified realms can no longer log in to the UI.

Warning

If you set this action and the user deletes or disables all of their tokens, they will no longer be able to log in.

Note

Administrators defined in the database using the pi-manage.py command can still log in with their normal passwords.

Note

A sensible way to use this is to combine this action in a policy with the client parameter: users must log in to the WebUI with OTP when connecting remotely from the internet, but can still log in with the domain password from within the LAN.

Note

Another sensible way to use this policy is to disable the login to the WebUI either for certain IP addresses (client) or for users in certain realms.
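
The LAN/internet split and the per-realm disable described in the notes above, as a simplified Python model added here; it is not privacyIDEA's code or its policy engine. The policy names, realms, subnets, the `!` exclusion notation and the rule that conflicting matches raise an error are assumptions of this model.

```python
import ipaddress

DEFAULT_MODE = "userstore"  # the default documented above

# Constructed sample policies; names, realms and subnets are assumptions.
# A "!" prefix excludes a network; that notation belongs to this model.
POLICIES = [
    {"name": "lan_password", "client": ["10.0.0.0/8"], "realm": "staff",
     "login_mode": "userstore"},
    {"name": "remote_otp", "client": ["0.0.0.0/0", "!10.0.0.0/8"],
     "realm": "staff", "login_mode": "privacyIDEA"},
    {"name": "no_ui_for_guests", "client": [], "realm": "guests",
     "login_mode": "disable"},
]


def client_matches(client_ip, entries):
    """True if client_ip is in an included network and in no excluded one.
    An empty list matches every client."""
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    included = False
    for entry in entries:
        net = ipaddress.ip_network(entry.lstrip("!"))
        if ip in net:
            if entry.startswith("!"):
                return False  # an exclusion always wins
            included = True
    return included


def resolve_login_mode(client_ip, realm, policies=POLICIES):
    """Return the login_mode for a WebUI login; raise on conflicting policies."""
    modes = {p["login_mode"]: p["name"] for p in policies
             if p["realm"] in (None, realm)
             and client_matches(client_ip, p["client"])}
    if not modes:
        return DEFAULT_MODE  # no policy matched: password login applies
    if len(modes) > 1:
        raise ValueError(f"conflicting login_mode policies: {sorted(modes.values())}")
    return next(iter(modes))
```

In this model a realm that no policy covers falls back to userstore for every client address, so a review of such a policy set should check each realm and client range for that gap.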

7.6.2. logout_time

type: int

Set the timeout after which a user in the WebUI will be logged out. The default timeout is 120 seconds.

Because this is a policy, the time can be set based on clients, realms and users.