Different resolvers, same username and id's

michimau · October 29, 2021, 9:38am

I would like to set up privacyidea in an unusual way.
I have tow resolvers, AD and ldap.

Both of them are set up so that the mail is used for both login and user ids.

My goal is to allow my users can login with email address and use either the password from ldap or ad.

It doesn’t work out of the box, and the resolver with highest priority is imposing the password.
The other resolver is ignored.

If I swap the priority among the resolvers, that is honoured.

Is it possible to make privacyidea to work in my intended way in the first place?

cornelinux · October 30, 2021, 9:49am

This is really interesting and special. You could do this:

Use the simple pass (spass) token with the policy otppin=userstore. This way users need to authenticate with their userstore password (either LDAP or AD).
However, since the user found in LDAP and the user found in AD are different users for privacyIDEA, a user can only authenticate with one of boath - either LDAP PW or AD PW. Do solve this, you need a remote tokentype. The remote token type will forward the authentication request to another user on another privacyIDEA machine.
Now you can decide for a leading resolver. Maybe you say my productive users are the users from LDAP. This user now has two tokens:

The SPASS token to authenticate with the LDAP password and
the REMOTE token for forward the authentication request to the same privacyIDEA server but to the corresponding AD-user

The AD user only has a SPASS token, to authenticate with the AD-Password.

WHat you achieved now is that the user from LDAP can either log in with his LDAP password or with the AD password.

In case of the LDAP password the user is authenticated by the LDAP user’s SPASS token.

In case of the AD password the auth request is forwarded to the AD user and this is authenticated with the SPASS token of the AD user.

michimau · January 14, 2022, 11:42am

I am finally - damn it, never enough time for fun stuff - trying to implement what you are suggesting.
I have set up 2 privacyidea (self signed certificates) and accomodate /etc/hosts so the conveniently respond to:

https://pi-ldap
https://pi-ad

I register https://pi-ad as a remote privacyidea server in https://pi-ldap and while testing the connection I bump into error 400:

[2022-01-14 11:37:21,904][490][140425708930816][DEBUG][privacyidea.lib.policy:526] Policies after matching active: []
[2022-01-14 11:37:21,905][490][140425708930816][DEBUG][privacyidea.lib.policy:526] Policies after matching scope: []
[2022-01-14 11:37:21,905][490][140425708930816][DEBUG][privacyidea.lib.policy:551] Policies after matching action: []
[2022-01-14 11:37:21,905][490][140425708930816][DEBUG][privacyidea.lib.policy:551] Policies after matching adminrealm: []
[2022-01-14 11:37:21,905][490][140425708930816][DEBUG][privacyidea.lib.policy:551] Policies after matching adminuser: []
[2022-01-14 11:37:21,906][490][140425708930816][DEBUG][privacyidea.lib.policy:617] Policies after matching client: []
[2022-01-14 11:37:21,906][490][140425708930816][DEBUG][privacyidea.lib.policy:198] Exiting list_policies with result []
[2022-01-14 11:37:21,906][490][140425708930816][DEBUG][privacyidea.lib.policy:683] Policies after matching time: []
[2022-01-14 11:37:21,907][490][140425708930816][DEBUG][privacyidea.lib.policy:688] Policies after matching conditions
[2022-01-14 11:37:21,907][490][140425708930816][DEBUG][privacyidea.lib.policy:186] Entering list_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fb7527cb810>,) and keywords {'active': True, 'scope': u'admin'}
[2022-01-14 11:37:21,909][490][140425708930816][DEBUG][privacyidea.lib.policy:526] Policies after matching active: []
[2022-01-14 11:37:21,909][490][140425708930816][DEBUG][privacyidea.lib.policy:526] Policies after matching scope: []
[2022-01-14 11:37:21,910][490][140425708930816][DEBUG][privacyidea.lib.policy:198] Exiting list_policies with result []
[2022-01-14 11:37:21,910][490][140425708930816][DEBUG][privacyidea.api.privacyideaserver:186] Entering test with arguments () and keywords {}
[2022-01-14 11:37:24,778][490][140425708930816][DEBUG][privacyidea.lib.privacyideaserver:75] Sent request to privacyIDEA server. status code returned: 400
[2022-01-14 11:37:24,779][490][140425708930816][WARNING][privacyidea.lib.privacyideaserver:79] The request to the remote privacyIDEA server https://pi-ad returned a status code: 400
[2022-01-14 11:37:24,779][490][140425708930816][DEBUG][privacyidea.lib.auditmodules.base:186] Entering log with arguments (<privacyidea.lib.auditmodules.sqlaudit.Audit object at 0x7fb75267b9d0>, {'info': False, 'success': False}) and keywords {}
[2022-01-14 11:37:24,780][490][140425708930816][DEBUG][privacyidea.lib.auditmodules.base:198] Exiting log with result None
[2022-01-14 11:37:24,782][490][140425708930816][DEBUG][privacyidea.api.privacyideaserver:198] Exiting test with result <PiResponseClass 143 bytes [200 OK]>
[2022-01-14 11:37:24,805][490][140425708930816][DEBUG][privacyidea.api.before_after:90] End handling of request u'/privacyideaserver/test_request?'

I cannot enroll any remote tokentype (the option is not even present) as probably the remote server is not considered sound.

I can successfully:
telnet https:://pi-ad 443
curl -k https:://pi-ad

from my https://pi-ldap instance

my version is 3.3.1. Do you have any suggestion on how to solve this?

michimau · January 14, 2022, 11:52am

this is the line:

[2022-01-14 11:37:24,779][490][140425708930816][WARNING][privacyidea.lib.privacyideaserver:79] The request to the remote privacyIDEA server https://pi-ad returned a status code: 400

michimau · January 14, 2022, 12:00pm

in the log of pi-ad i see the request, but:

[2022-01-14 11:58:34,354][557][140069404256000][DEBUG][privacyidea.api.lib.utils:254] Can not get param: No JSON object could be decoded

among another thousands of lines which are not practical to share here

addition: you can find it here -privacyidea 3.3.1 pi-ad · GitHub