Different resolvers, same usernames and IDs

I would like to set up privacyidea in an unusual way.
I have two resolvers, AD and ldap.

Both of them are set up so that the mail is used for both login and user ids.

My goal is to allow my users to log in with their email address and use either the password from ldap or AD.

It doesn’t work out of the box, and the resolver with highest priority is imposing the password.
The other resolver is ignored.

If I swap the priority among the resolvers, that is honoured.

Is it possible to make privacyidea work in my intended way in the first place?

This is really interesting and special. You could do this:

  1. Use the simple pass (spass) token with the policy otppin=userstore. This way users need to authenticate with their userstore password (either LDAP or AD).
  2. However, since the user found in LDAP and the user found in AD are different users for privacyIDEA, a user can only authenticate with one of both - either LDAP PW or AD PW. To solve this, you need a remote tokentype. The remote token type will forward the authentication request to another user on another privacyIDEA machine.
  3. Now you can decide for a leading resolver. Maybe you say my productive users are the users from LDAP. This user now has two tokens:
     • The SPASS token to authenticate with the LDAP password and
     • the REMOTE token to forward the authentication request to the same privacyIDEA server but to the corresponding AD-user
  4. The AD user only has a SPASS token, to authenticate with the AD-Password.

What you achieved now is that the user from LDAP can either log in with his LDAP password or with the AD password.

In case of the LDAP password the user is authenticated by the LDAP user’s SPASS token.

In case of the AD password the auth request is forwarded to the AD user and this is authenticated with the SPASS token of the AD user.

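The setup described in the answer, expressed as the privacyIDEA REST calls an administrator would script. This is an added example, not code from the thread or from the privacyIDEA project. It assumes the LDAP users live in a realm named `ldap` and the AD users in a realm named `ad` (so the two users with the same e-mail are addressable separately), that the server URL and admin credentials come from the environment variables `PI_URL`, `PI_ADMIN` and `PI_ADMIN_PW`, and that the endpoints and parameters used here (`/auth`, `/policy/<name>`, `/token/init` with `remote.server`, `remote.path`, `remote.user`, `remote.realm`, `remote.local_checkpin`, and `/validate/check`) match the installed privacyIDEA version; check them against your server's API documentation before running it.

```python
"""Build the spass + remote-token setup from the thread on a privacyIDEA server.

Assumed realm names (not from the thread): "ldap" for the LDAP resolver,
"ad" for the AD resolver. Both resolvers key users by e-mail address.
"""
import json
import os
import urllib.parse
import urllib.request

LDAP_REALM = "ldap"   # assumption: leading realm, users from the LDAP resolver
AD_REALM = "ad"       # assumption: realm holding the same users via the AD resolver


def setup_calls(email: str, base_url: str) -> list:
    """Return the ordered (path, form fields) calls that build the setup.

    1. authentication policy otppin=userstore: the password sent to
       /validate/check is checked against the token owner's user store.
    2. SPASS token for the LDAP user  -> accepts the LDAP password.
    3. SPASS token for the AD user    -> accepts the AD password.
    4. REMOTE token for the LDAP user -> forwards the whole password
       (remote.local_checkpin=0) to the same server for the AD user, where
       the AD user's SPASS token answers it.
    """
    return [
        ("/policy/pol_otppin_userstore",
         {"scope": "authentication", "action": "otppin=userstore", "active": "1"}),
        ("/token/init",
         {"type": "spass", "user": email, "realm": LDAP_REALM}),
        ("/token/init",
         {"type": "spass", "user": email, "realm": AD_REALM}),
        ("/token/init",
         {"type": "remote", "user": email, "realm": LDAP_REALM,
          "remote.server": base_url, "remote.path": "/validate/check",
          "remote.user": email, "remote.realm": AD_REALM,
          "remote.local_checkpin": "0"}),
    ]


def post(base_url: str, path: str, fields: dict, token: str = None) -> dict:
    """POST form-encoded fields to the API and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(base_url + path, data=data, method="POST")
    if token:
        req.add_header("Authorization", token)  # privacyIDEA takes the raw auth token
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def admin_login(base_url: str, username: str, password: str) -> str:
    """Obtain an admin API token from /auth."""
    body = post(base_url, "/auth", {"username": username, "password": password})
    return body["result"]["value"]["token"]


def apply_setup(base_url: str, token: str, email: str) -> list:
    """Run every call from setup_calls and return the list of response bodies."""
    return [post(base_url, path, fields, token) for path, fields in setup_calls(email, base_url)]


def check_login(base_url: str, email: str, realm: str, password: str) -> bool:
    """Ask /validate/check whether the password is accepted for the user in the realm."""
    body = post(base_url, "/validate/check",
                {"user": email, "realm": realm, "pass": password})
    return bool(body["result"].get("value"))


if __name__ == "__main__":
    # Real server access only when the environment is configured; nothing is
    # contacted at import time.
    url = os.environ["PI_URL"].rstrip("/")
    tok = admin_login(url, os.environ["PI_ADMIN"], os.environ["PI_ADMIN_PW"])
    user = os.environ.get("PI_TEST_USER", "user@example.com")  # constructed sample value
    for body in apply_setup(url, tok, user):
        print(body["result"])
    # The LDAP user should now be accepted with either the LDAP or the AD password:
    # check_login(url, user, LDAP_REALM, "<ldap password>") / "<ad password>"
```

If both resolvers are attached to a single realm instead of two, the AD user cannot be addressed by `remote.realm` alone, because realm lookup picks the resolver with the highest priority, which is exactly the behaviour the question describes; the remote token would then have to select the AD user via the resolver parameter of the remote token (or forward to the AD user's token serial), which is again something to confirm against the API documentation of the installed version.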