Hello, I went through all the videos, howtos and documentation, and am still unable to find how to implement the basic scenario I need:
apache httpd or nginx used as a reverse proxy for any custom web application
first factor is username/password against the privacyidea server, which I have set up and for which a user resolver is configured
(at this point I get a password mismatch in error.log)
I expect the privacyidea mobile application to be involved somehow here (downloaded from google play)
I expect to be redirected to some page with a QR code or to receive a push notification on my mobile app
on successful confirmation I'm allowed to pass
Do I get something wrong? Actually there's not much information on the mobile app; I've managed to scan the QR code and it generates some OTPs, but what am I supposed to use them for?
I'm not reviewing other scenarios for now, only apache httpd with a 2nd factor.
If you are getting prompted for a username/password, I may be mistaken, but you won’t put in the user account’s password, you’ll put in the OTP. Probably depends on how you have it configured.
What are you using as a user store?
What are you using to integrate Apache/Nginx with PrivacyIDEA?
Actually, I've managed to get something since I posted my question, which makes me modify this question a little.
I realized that I need to use the token PIN/OTP instead of the ldap credentials as I expected. Therefore, I've managed to test email OTP and HOTP with the PrivacyIdea mobile application.
It is something, but not exactly what I need.
I'll definitely read more, but if anyone has quick advice I'd appreciate it. Is there any way to use ldap credentials in apache/nginx followed by some 2nd factor? Should I use a specific type of token or policy?
I've connected privacyidea to my ldap directory.
I'm using the apache http configuration from the documentation with the privacyidea_apache.py module.
I've not quite gotten the idea of tokens yet and how it affects the different MFA scenarios…
Still something is wrong. Thank you Cornelius, I've activated the authentication policy with otppin=userstore and now I'm unable to log in.
[2020-04-15 06:46:29,625][7301][139882942904064][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:329] failed to check password for u'mylogin'/u'uid=mylogin,dc=myresolver etc: Exception('Wrong credentials',)
The ldap resolver is validated successfully; the problem is there's no attempt to verify the credentials, as I'm tracing the LDAP communication to FreeIPA. I can see a BIND attempt with the correct DN, but it doesn't seem to provide the password to the LDAP server, which results in
conn=2513401 op=0 RESULT err=49 tag=97 nentries=0 etime=0.003536514 - Invalid credentials
on the LDAP server side.
Anything specific should be configured for ldap resolver and/or policy?
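Added example (not code from the thread, privacyIDEA, or privacyidea_apache.py): a self-contained model of what the `otppin=userstore` policy changes about the value sent as `pass`. With that policy the PIN part of the password is checked against the user store (in the thread, an LDAP bind as the user's DN) and the OTP is appended after it, so the Apache module should receive `<LDAP password><OTP>`, not the OTP alone. The user store, the token secret (the RFC 4226 test key) and the user name `mylogin` are all constructed for the example; the LDAP bind is simulated with an in-memory dictionary. The check returns the same "wrong credentials" outcome the LDAPIdResolver logs when the PIN part does not match the directory password, which is what a bind with a missing or wrong password would produce.

```python
import hashlib
import hmac
import struct

# Constructed user store standing in for the LDAP resolver (simulated bind).
USERSTORE = {"mylogin": "s3cretLdapPw"}

# Constructed enrolled HOTP token: RFC 4226 test secret, counter starts at 0.
TOKENS = {
    "mylogin": {"secret": b"12345678901234567890", "counter": 0, "digits": 6},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def userstore_bind(username: str, password: str) -> bool:
    """Simulates the LDAP bind the resolver performs for otppin=userstore."""
    return hmac.compare_digest(USERSTORE.get(username, ""), password)


def validate_check(username: str, password: str, window: int = 10):
    """Model of /validate/check under otppin=userstore.

    pass is split as <userstore password><OTP>; the OTP is the trailing
    `digits` characters, everything before it is verified against the
    user store. Returns (success, reason).
    """
    token = TOKENS.get(username)
    if token is None:
        return False, "no token"
    digits = token["digits"]
    if len(password) <= digits:
        # Only an OTP (or less) was sent: the PIN part is empty, so the
        # bind against the directory cannot succeed.
        return False, "wrong credentials"
    pin, otp = password[:-digits], password[-digits:]
    if not userstore_bind(username, pin):
        return False, "wrong credentials"
    # Look ahead a bounded window of counters; consume the matched one so
    # the same OTP cannot be replayed.
    for c in range(token["counter"], token["counter"] + window):
        if hmac.compare_digest(hotp(token["secret"], c, digits), otp):
            token["counter"] = c + 1
            return True, "ok"
    return False, "wrong otp"


if __name__ == "__main__":
    otp = hotp(TOKENS["mylogin"]["secret"], TOKENS["mylogin"]["counter"])
    print("OTP alone:        ", validate_check("mylogin", otp))
    print("password + OTP:   ", validate_check("mylogin", "s3cretLdapPw" + otp))
    print("replay of same OTP:", validate_check("mylogin", "s3cretLdapPw" + otp))
```

Sending only the OTP in this model yields "wrong credentials" before the OTP is ever looked at, while the directory password followed by the current OTP passes and the counter advances so the OTP is not accepted a second time.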