I have a problem with double OTP tokens and an LDAP auth problem (most likely an understanding issue), so I hope someone can enlighten me a bit.
For the setup, it’s very basic, since everything privacyIDEA-related is new to me:
- Firewall VPN with RADIUS and PAP -> privacyIDEA (-> LDAP)
- privacyIDEA 3.2.2 on Ubuntu 1804, installed following the official installation guide
- LDAP resolver to Active Directory and OpenLDAP in homelab; both setups at least get their users, so it’s working
- OTP via mail; mail is working, token is sent
- RADIUS connection is OK (/etc/freeradius/3.0/clients.conf changes made)
- PI policies: only in terms of hide_welcome_info and logout_timeout, nothing else.
- token enrolled to a user: Type: email, Assigned user: our specified Realm and Resolver, everything else is default ( https://imgur.com/a/1BGee4G )
The LDAP authentication problem:
I want to use the LDAP password, but this isn't working, because I get “wrong otp pin”. At this point no token PIN is configured, because I’ve read somewhere that it needs to be empty to use the LDAP password.
When I enter a PIN in “Token -> tokenid -> Assigned User” I can connect with the PI PIN/password, but not the LDAP password.
Is this where I need to configure the LDAP proxy to get it working?
The double OTP token problem: - SOLVED
Right now VPN is working (with the PI PIN/password, not LDAP) but I have to enter 2 OTP PINs.
So I enter username and password -> request to enter mail token -> enter token 1 -> then another request for a token -> new mail with a different token -> enter token 2 -> connection successful
As said, my setup is very simple, so where have I missed a step to get rid of the second token?
How can I set the WebUI language to English? Since my browser is German, I need a manual way to change the language.
Thanks for reading and your time,