ActiveDirectory PrivacyIdea and Ldap client with 2FA

Hi All,

I am new to setting up 2FA with LDAP so please please be understanding.

So I have an issue that I am hoping PrivacyIdea can resolve. I have a Web Application that does not support 2FA. Unfortunately it uses a proprietary application so I cannot interface the web application or add an addin for 2FA. I see the only way to add 2FA to the site is to have an LDAP lookup that uses the username and then Pin(OTP) + Password (in the same line, password box). I would also like this to interface with Active Directory so accounts can be created in AD. The Web app also uses the AD structure for account creation automation.

The Web Application supports LDAP. I have also installed PrivacyIdea and have it connected to ActiveDirectory. Now I am trying to work out how to get the web application to authenticate with PrivacyIdea and 2FA.

Can someone tell me if I can do this directly or if I need to add in an LDAP Proxy? Then, if it's possible, to get this LDAP proxy to authenticate using Username then Pin(OTP) + Password?

Thanks for your time.

Hi Graig,
welcome to the community. Unfortunately you chose probably the most complex scenario.

You need the LDAP Proxy. This alone is challenging.

I will only give you an overview:

The LDAP proxy can provide you with the following. The user enters

Password + OTP-value

in the login form.
When the LDAP proxy receives a bind request, it sends these values to privacyIDEA.
Both are verified by privacyIDEA. The Password can either be a token specific PIN or the LDAP password. That depends on the configuration in privacyIDEA.

The LDAP proxy cannot create users.

privacyIDEA is not supposed to create users. It maybe could. But this would be a matter of a lot of discussions.

I hope this gives you some first ideas.
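The bind flow sketched in the answer above, as an added example that is not code from the privacyIDEA project or its LDAP proxy: a proxy receives an LDAP simple bind, takes the login name from the bind DN, forwards the whole "password + OTP" string unchanged to privacyIDEA's /validate/check endpoint (the real parameter names are `user` and `pass`; privacyIDEA, not the proxy, decides whether the leading part is a token PIN or the LDAP password), and accepts the bind only when the reply says `result.status` and `result.value` are both true. The host name, the realm `ad`, the function names and the `fake_privacyidea` stand-in (with its constructed user `alice`) are assumptions made here so the example runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode

# Placeholder privacyIDEA URL (assumption, not from the thread)
PI_VALIDATE_URL = "https://privacyidea.example.test/validate/check"


def username_from_bind_dn(bind_dn):
    """Take the login name from the first RDN of the bind DN, e.g.
    'cn=alice,ou=users,dc=example,dc=com' -> 'alice'."""
    first_rdn = bind_dn.split(",", 1)[0]
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().lower() not in ("uid", "cn", "samaccountname"):
        raise ValueError("bind DN does not start with a user RDN: %r" % bind_dn)
    return value.strip()


def build_validate_check_request(user, credential, realm=None):
    """Build the POST the proxy sends to /validate/check. The concatenated
    'password + OTP' string goes into 'pass' as typed; the proxy does not
    split it, privacyIDEA does (PIN or LDAP password, per its policy)."""
    params = {"user": user, "pass": credential}
    if realm:
        params["realm"] = realm
    return {"method": "POST", "url": PI_VALIDATE_URL, "body": urlencode(params)}


def bind_accepted(response_body):
    """Only result.status == true AND result.value == true means authenticated.
    An error reply (status false, no value), a failed check (value false) and
    an unparsable body all reject the bind."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return False
    result = data.get("result") or {}
    return result.get("status") is True and result.get("value") is True


# --- constructed stand-in for privacyIDEA so the example runs offline ---
# Each constructed user has a token PIN and the OTP the token currently shows.
FAKE_TOKENS = {"alice": {"pin": "s3cret", "otp": "123456"}}


def fake_privacyidea(request):
    """Answer in the shape of privacyIDEA's /validate/check JSON (assumed here)."""
    params = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    token = FAKE_TOKENS.get(params.get("user", ""))
    if token is None:
        # error reply: status false and no value
        return json.dumps({"result": {"status": False,
                                      "error": {"message": "user not found"}}})
    ok = params.get("pass") == token["pin"] + token["otp"]
    return json.dumps({"result": {"status": True, "value": ok},
                       "detail": {"message": "matching 1 tokens" if ok else "wrong otp pin"}})


def handle_bind(bind_dn, credential, send=fake_privacyidea):
    """Proxy-side bind decision. `send` posts the request and returns the
    response body; `credential` must never be logged, it carries the user's
    password or PIN plus a live OTP."""
    try:
        user = username_from_bind_dn(bind_dn)
    except ValueError:
        return False
    request = build_validate_check_request(user, credential, realm="ad")
    return bind_accepted(send(request))


if __name__ == "__main__":
    dn = "cn=alice,ou=users,dc=example,dc=com"
    print("correct password+OTP ->", handle_bind(dn, "s3cret123456"))
    print("wrong OTP            ->", handle_bind(dn, "s3cret000000"))
    print("unknown user         ->", handle_bind("cn=bob,dc=example,dc=com", "x"))
```

In a real deployment `send` would be an HTTPS POST to the privacyIDEA server with certificate verification enabled; the decision logic in `bind_accepted` is the part worth keeping identical, since treating an error reply as a successful bind is the classic mistake in proxies of this kind.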