If you cannot attend, or if you want to try this at home afterwards, here is what we will do!
Setup
- 10.0.2.201 ucs.tuebix.intranet (LDAP): Univention Corporate Server 4.2
- 10.0.2.202 privacyidea.tuebix.intranet: Ubuntu 16.04 LTS
- 10.0.2.203 wordpress.tuebix.intranet: Ubuntu 16.04 LTS with the latest WordPress
- 10.0.2.204 owncloud.tuebix.intranet: Ubuntu 16.04 LTS with ownCloud 10
The UCS has the following users:
ownCloud
ownCloud is connected via LDAP, so the LDAP users can log in to ownCloud.
The ownCloud administrator is called: admin
WordPress
WordPress only has internal users. Nevertheless the users are also called:
What we will do - our Agenda
- We will install privacyIDEA and connect privacyIDEA to the UCS, so that privacyIDEA knows the users from the LDAP directory.
- Then we will enroll different kinds of tokens to the users.
  - The administrator can enroll a token for the users, but
  - users can also log in to the web UI with their LDAP password and enroll a token for themselves.
- Then we start connecting applications to privacyIDEA to add 2FA to the applications:
  - WordPress with the "strong authentication" plugin
  - ownCloud with the "privacyIDEA ownCloud App" from the marketplace
  - SSH login with 2FA for the users user1, user2, user3
Install
privacyIDEA can be installed in many different ways on different Linux distributions. We will install privacyIDEA on our Ubuntu 16.04 machine 10.0.2.202.
    add-apt-repository ppa:privacyidea/privacyidea
    apt update
    apt install privacyidea-apache2
privacyidea-apache2 is a meta package which installs MySQL and Apache and sets up privacyIDEA. Finally we only need to create the first token administrator (pi-manage takes the subcommand before the action):
    pi-manage admin add super
Now we have an administrator called “super”
Configure
privacyIDEA can be configured via the command line, the API or the web UI.
We need to configure the resolver tuebix_users as Active Directory. For this we need to fetch the certificate of the UCS server.
- LDAP resolver to ldaps://ucs.tuebix.intranet
- Base DN cn=users,dc=tuebix,dc=intranet
- Bind DN cn=administrator,cn=users,dc=tuebix,dc=intranet
- Preset AD
We can also take a look at the policies and configure a policy with otppin=userstore, so that the user's LDAP password is used as the OTP PIN.
Enroll tokens
Enroll tokens as administrator and as normal user...
- Enroll Smartphone App
- U2F Token
- Feitian C200 (import File Feitian.csv)
ownCloud with 2FA
For ownCloud X we log in as administrator and install the "privacyIDEA ownCloud App" from the Marketplace.
We need to configure the app against privacyIDEA:
- no realm
- no ssl check (this disables verification of the privacyIDEA server certificate; acceptable for the workshop lab only)
After this, users need to present a second factor against privacyIDEA when they log in.
WordPress with 2FA
Install the "strong authentication" plugin.
We need to configure the plugin against privacyIDEA:
The WordPress plugin authenticates users only against privacyIDEA, whereas with ownCloud users are authenticated by ownCloud and additionally by privacyIDEA.
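Whichever way an application is connected, it ends up calling privacyIDEA's /validate/check endpoint and must treat the reply correctly. The following is an added example, not code from the workshop or from the WordPress plugin or ownCloud app: it posts user and pass to the workshop's privacyidea.tuebix.intranet host and maps the reply to a decision. The reply shapes are constructed to match the documented API (result.status, result.value, detail.transaction_id); the point is that only status AND value both true count as success, and a server error fails closed.

```python
import json
import urllib.parse
import urllib.request

# Workshop host from the setup above; the API path is privacyIDEA's documented one.
PI_URL = "https://privacyidea.tuebix.intranet"


def post_form(url, fields):
    """Real transport: POST form fields, return the parsed JSON reply.
    urllib verifies the server certificate by default (no 'no ssl check' here)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate_check(reply):
    """Map a /validate/check reply to 'ok', 'challenge' or 'fail'.
    Only result.status AND result.value both true mean the user is authenticated;
    a missing result or a server-side error (status false) must fail closed."""
    result = reply.get("result") or {}
    if result.get("status") is not True:
        return "fail"
    if result.get("value") is True:
        return "ok"
    detail = reply.get("detail") or {}
    if detail.get("transaction_id"):
        return "challenge"  # challenge-response token: prompt for the OTP and check again
    return "fail"


def validate(user, password, realm=None, post=post_form, base_url=PI_URL):
    """Authenticate user with PIN+OTP (LDAP password+OTP under otppin=userstore)."""
    fields = {"user": user, "pass": password}
    if realm:
        fields["realm"] = realm
    return evaluate_check(post(base_url + "/validate/check", fields))


# Constructed replies in the documented shape (not captured from a real server).
REPLY_OK = {"result": {"status": True, "value": True},
            "detail": {"message": "matching 1 tokens", "serial": "TOTP00000001", "type": "totp"}}
REPLY_WRONG_OTP = {"result": {"status": True, "value": False},
                   "detail": {"message": "wrong otp value"}}
REPLY_CHALLENGE = {"result": {"status": True, "value": False},
                   "detail": {"message": "please enter otp: ", "transaction_id": "01234567"}}
REPLY_SERVER_ERROR = {"result": {"status": False, "error": {"code": -500, "message": "ERR500"}}}
```

Pass a different post callable (as the assertions do) to exercise the decision logic offline; the default transport talks to the workshop server.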
SSH with 2FA
On either the ownCloud machine or the WordPress machine we install the privacyIDEA PAM module:
    apt install privacyidea-pam
…and configure it accordingly against https://privacyidea.tuebix.intranet.
Note: the login names must match the user names known to privacyIDEA!