2FA scenario with httpd

Hello, I went through all the videos, howtos and documentation, and am still unable to find how to implement the basic scenario I need:

  • Apache httpd or nginx used as a reverse proxy for any custom web application
  • first factor is username/password against the privacyIDEA server, which I have set up and user resolver configured
  • (at this point I get a password mismatch in error.log)
  • I expect the privacyIDEA mobile application to be involved somehow here (downloaded from Google Play)
  • I expect to be redirected to some page with a QR code or receive a push notification on my mobile app
  • on successful confirmation I’m allowed to pass

Do I get something wrong? Actually there’s not much information on the mobile app; I’ve managed to scan the QR code and it generates some OTPs, but what am I supposed to use it for?

I’m not reviewing other scenarios for now, only Apache httpd with a 2nd factor.

Many thanks

If you are getting prompted for a username/password, I may be mistaken, but you won’t put in the user account’s password, you’ll put in the OTP. Probably depends on how you have it configured.

  • What are you using as a user store?
  • What are you using to integrate Apache/Nginx with PrivacyIDEA?
  • What kind of tokens are you wanting to use?

Actually, I’ve managed to get something since I posted my question, which makes me modify this question a little.

I realized that I need to use the token PIN/OTP instead of LDAP credentials as I expected. Therefore, I’ve managed to test email OTP and HOTP with the privacyIDEA mobile application.
It is something but not exactly what I need.

I’ll definitely read more, but if anyone has quick advice I’d appreciate it. Is there any way to use LDAP credentials in Apache/nginx followed by some 2nd factor? Should I use a specific type of token or policy?

I’ve connected privacyIDEA to my LDAP directory.
I’m using the Apache httpd configuration from the documentation with the privacyidea_apache.py module.
I’ve not quite gotten the idea of tokens yet and how it affects the different MFA scenarios…

If you think you have read a lot - there is still more to read! :wink:
If it is only the question of whether PIN or LDAP password, look here: https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#otppin

Still something is wrong. Thank you Cornelius, I’ve activated the authentication policy with otppin=userstore and now I’m unable to log in.

[2020-04-15 06:46:29,625][7301][139882942904064][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:329] failed to check password for u’mylogin’/u’uid=mylogin,dc=myresolver etc: Exception(‘Wrong credentials’,)

The LDAP resolver is validated successfully; the problem is there’s no attempt to verify the credentials, as I’m tracing LDAP communication to FreeIPA. I can see a BIND attempt with the correct DN, but it doesn’t seem to provide the password to the LDAP server, which results in

conn=2513401 op=0 RESULT err=49 tag=97 nentries=0 etime=0.003536514 - Invalid credentials
on the LDAP server side.

Should anything specific be configured for the LDAP resolver and/or policy?

Finally, I got it.
I’m supposed to enter my LDAP password PLUS the OTP.
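As an added illustration of what the last post describes (example code, not from the thread and not privacyIDEA's own implementation), this models the PIN/OTP split a /validate/check request goes through: the trailing otplen characters are the OTP, the rest is the PIN, and the otppin policy decides whether that PIN part is compared with the token PIN or with the user-store (LDAP) password. The secret, PIN and user-store password are constructed fixtures; the seed is the RFC 4226 test vector.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_token():
    # Constructed fixture (RFC 4226 test seed), not a real enrolled token.
    return {"secret": b"12345678901234567890", "counter": 0, "otplen": 6, "pin": "1234"}


# Constructed stand-in for the LDAP resolver's password check (user -> password).
USERSTORE = {"mylogin": "LdapSecret!"}


def reply(value, message):
    # Shape mirrors the JSON a /validate/check response carries.
    return {"result": {"status": True, "value": value}, "detail": {"message": message}}


def validate_check(token, user, password, otppin="tokenpin", window=10):
    """Split <PIN><OTP>, check the PIN part per the otppin policy, then the OTP.
    otppin=userstore is why '<LDAP password><OTP>' works while the OTP alone
    or the LDAP password alone are rejected."""
    otplen = token["otplen"]
    if len(password) < otplen:
        return reply(False, "wrong otp pin")
    pin, otp = password[:-otplen], password[-otplen:]
    expected = USERSTORE.get(user, "") if otppin == "userstore" else token["pin"]
    if not hmac.compare_digest(expected.encode(), pin.encode()):
        return reply(False, "wrong otp pin")
    # HOTP: search a small counter window, then advance past the match so the
    # same OTP cannot be replayed.
    for c in range(token["counter"], token["counter"] + window):
        if hmac.compare_digest(hotp(token["secret"], c, otplen), otp):
            token["counter"] = c + 1
            return reply(True, "matching 1 tokens")
    return reply(False, "wrong otp pin")
```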