Double otp token and understanding ldap connection

hello there,

i have a problem with double otp tokens and a ldap auth problem (mostly likley a understanding issue), so i hope anyone can light me up a bit :slight_smile:

for the setup, it’s very basic, since everything privacyidea related is new to me:

  • firewall vpn with radius and PAP -> privacyidea (-> ldap)
  • privacyIDEA 3.2.2 on Ubuntu 1804, installed after the official installation guide
  • ldap resolver to active directory and openldap in homelab, both setups at least get their users, so it’s working
  • OTP via mail, mail is working, token is send
  • radius connection is ok (/etc/freeradius/3.0/clients.conf changes made)
  • PI policies: only in terms of hide_welcome_info and logout_timeout, nothing else.
  • token enrolled to a user: Type: email, Assigned user: our specified Realm and Resolver, everything else is default ( )

the ldap authentication problem:

i want to use the ldap password, but this aint working, because i get “wrong otp pin”, at this point no token pin is configured, because i’ve read somewhere that i needs to be empty to use ldap password.
when i enter a pin in “Token -> tokenid -> Assigned User” i can connect with the PI pin/password, but not the ldap password.

is this where i need to configure the ldap proxy to get it working?

the double otp token problem: - SOLVED

right now vpn is working (with the PI pin/password, not ldap) but i have to enter 2 otp pins.

so i enter username and password -> request to enter mail token -> enter token 1 -> then another request for a token -> new mail with a different token -> enter token 2 -> connection successfull

as said, my setup is very simple, so where have i missed a step to get rid of the second token?

bonus question:

how can i set the webui language to english? since my browser is german, i need a manual way to change language

thanks for reading and your time,

this problem is resolved, it was a missconfiguration on the firewall vpn

The WebUI takes the language from your browser. You can not change it manually. Set your browser to request english from this website if needed and if possible.


You need to create an authentication policy with otppin=userstore:
This way the ldap password will be used as the PIN.