LDAP Setup with MS Server 2022 AD - ldap connection OK, 0 users

JeroenInhortum · March 6, 2023, 3:31pm

Completely new to PrivacyIdea and currently trying to set it up to hopefully be able to to MFA for server logins. It feels that PrivacyIdea is quite a steep learning curve as the WEB-UI seems rather limited.

So I am trying to get the users from my Active Directory (MS Server 2022, DC). It seems to make a connection just fine but 0 users are found.

I have the following setup in the LDAP Resolver:

Server UI:  ldap://192.168.21.2
StartTLS: ticked
TLS Version: TLS v1.2
Verify TLS: unticked
Base DN: CN=Users,DC=fede,DC=adventist,DC=be
Scope: SUBTREE

Bind Type: SALS Digest-MD5
Bind DN : DOMAIN\user
Bind Password: admin password

Preset Active Directory
No anonymous referral chasing: ticked

When doing a quick resolver test result: Your LDAP config seems OK, 0 user objects found.

I have tried to tinker with the Base DN, as there are only a few users in CN=Users, the rest is all in OU=Users,OU=Office,DC=fede,DC=adventist,DC=be, but that had the same result.

Tried also Bind Type: NTLM, but then get the error: ValueError('unsupported hash type MD4')

Now in the Logfiles (it is set to DEBUG) I can only find this in the logs:

[2023-03-06 15:29:38,985][909][140637692021696][DEBUG][privacyidea.lib.resolver:181] Entering pretestresolver with arguments ('ldapresolver', {'AUTHTYPE': 'SASL Digest-MD5', 'BINDDN': 'ADVENTIST\\administrator', 'BINDPW': '__CENSORED__', 'CACHE_TIMEOUT': '120', 'EDITABLE': False, 'LDAPBASE': 'CN=Users,DC=fede,DC=adventist,DC=be', 'LDAPSEARCHFILTER': '(sAMAccountName=*)(objectCategory=person)', 'LDAPURI': 'ldap://192.168.21.2', 'LOGINNAMEATTRIBUTE': 'sAMAccountName', 'NOREFERRALS': True, 'NOSCHEMAS': False, 'SCOPE': 'SUBTREE', 'SERVERPOOL_PERSISTENT': False, 'SERVERPOOL_ROUNDS': '2', 'SERVERPOOL_SKIP': '30', 'SIZELIMIT': 0, 'START_TLS': True, 'TIMEOUT': '5', 'TLS_VERIFY': False, 'TLS_VERSION': '5', 'UIDTYPE': 'objectGUID', 'USERINFO': '{ "phone" : "telephoneNumber", "mobile" : "mobile", "email" : "mail", "surname" : "sn", "givenname" : "givenName" }', 'type': 'ldapresolver', 'resolver': 'fede.adventist.be'}) and keywords {}
[2023-03-06 15:29:38,985][909][140637692021696][DEBUG][privacyidea.lib.resolver:181] Entering get_resolver_list with arguments () and keywords {'filter_resolver_name': 'fede.adventist.be'}
[2023-03-06 15:29:38,985][909][140637692021696][DEBUG][privacyidea.lib.resolver:196] Exiting get_resolver_list with result HIDDEN
[2023-03-06 15:29:38,986][909][140637692021696][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:193] Get LDAP schema info: 'SCHEMA'
[2023-03-06 15:29:38,986][909][140637692021696][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:945] Added 192.168.21.2, None, False to server pool.
[2023-03-06 15:29:38,987][909][140637692021696][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:1347] Doing start_tls
[2023-03-06 15:29:39,005][909][140637692021696][DEBUG][privacyidea.lib.resolver:194] Exiting pretestresolver with result (True, 'Your LDAP config seems to be OK, 0 user objects found.')
[2023-03-06 15:29:39,012][909][140637692021696][DEBUG][privacyidea.api.resolver:194] Exiting test_resolver with result <PiResponseClass 252 bytes [200 OK]>
[2023-03-06 15:29:39,072][909][140637692021696][DEBUG][privacyidea.api.lib.utils:292] Update params in request POST https://192.168.21.8/resolver/test with JSON data.
[2023-03-06 15:29:39,090][909][140637692021696][DEBUG][privacyidea.api.before_after:102] End handling of request '/resolver/test?'

If someone can help me with this, I might be able to get finally to testing some things.

cornelinux · March 6, 2023, 9:42pm

There is a part of the LDAP resolver config you have not posted.

Your problem is most likely in there!

(OK you could also see your misusing in the logs - hm, I think we did a good job labelling the buttons!)

JeroenInhortum · March 7, 2023, 12:42am

@cornelinux Thank you for the response … but I don’t understand. What part am I missing? And “misusing in the logs” … I don’t see it. Could you help me here?

What buttons are you talking about? I pressed the button “Preset Active Directory”. So I am totally lost with your answer.

cornelinux · March 7, 2023, 7:26pm

No, you are right. You are fine.
Using the Active Directory Preset is the way to go.

JeroenInhortum · March 7, 2023, 9:47pm

Thanks. Didn’t help much further. But we decided to go with a different system. I believe your company worked with them too: MultiOTP.

That system worked right away for what we were looking for. PrivacyIDEA seems for us a little bit an overkill.

JeroenInhortum · March 15, 2023, 7:13am

Wow. I notice in many of your responses that you don’t really help users. Like here, you haven’t provided any help what so ever.
Many posts I see the same. Leaving people hanging with their problem and your last answer being something like “isn’t it obvious” or “documentation is clear”.
Why would I buy an enterprise edition if this is the level of support we can expect.

cornelinux · March 15, 2023, 4:36pm

There is a misunderstanding. This is not an enterprise support channel here.

Noone is obliged to provider support here in this community forum. Noone has the right to insist on help on this forum. Everthing that happens here is voluntarily in the unpaid leisure time.

And this might also answer your question: People would buy enterprise support to get in an enterprise support channel ansers, help and remote support in the defined response times.

Open Source is not necessarily free like in “free beer”! Cheers!

JeroenInhortum · March 16, 2023, 4:35pm

I am fully aware that this is not an enterprise channel, I am also fully aware of what Open Source means.

But why bother setting up a forum and answering questions but not providing any solutions. Just read your own answer (and you are the “owner”, creator of PrivacyIdea) and ask yourself, was that helpful? Why waste time answering if it doesn’t help at all.

But I understand now, the owner and creator is not really interested in helping you further, which is fine. We’ll look further. Good luck with the product!

cornelinux · March 16, 2023, 5:16pm

Interesting point of view.
Also interesting, that someone using multiOTP, spends so much time on a forum of a software, which he does not use.

If anyone else is wondering:

This is a place here where everyone using privacyIDEA can exchange. Everyone is welcome to earn karma points to his or her needs.

In my personal opnion privacyIDEA is a software you need to understand. This is why I do not like to provde step by step clicky lists to solve on special problem.
This is why I only give hints and not complete solutions. Everyone who wants to give solutions - great, do it here.
Everyone who wants to have easy peasy solutions with no effort - use Azure MFA.

I recommend:

read the docs
investigate the logs
read again
think!
use my hints
and think again

This way you will learn more about the software you are using.
This way you will get more independent from the software providers and live a more self-determined life!