Ldap user otp

blue90waters · July 14, 2015, 7:36pm

Hi,

I am running privacyidea 2.5dev2 on ubuntu 14.04.
I am able to authenticate on a client using otp for the local users but not
with ldap users.
I can log in to the client with ldap username/password. I am not sure what
else i need to configure for it to accept otp pin.
I would appreciate your help on this.

Below is my pam configuration.

common-auth-----------------
auth sufficient pam_python.so /opt/privacyidea_pam.py
url=https://OTP-HOST prompt=PRIVACYIDEA_Authentication nosslverify
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

sshd

@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1
envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
@include common-password

below is the error message that i see on the logs.

Jul 14 13:15:07 otp2 sshd: requests > 1.0
Jul 14 13:15:07 otp2 sshd: privacyidea_pam: ERR905: The user can not be
found in any resolver in this realm!
Jul 14 13:15:07 otp2 sshd: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6 user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6 user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): received for user otp: 17
(Failure setting user credentials)
Jul 14 13:15:10 otp2 sshd[11317]: Failed password for otp from 10.10.6.6
port 60748 ssh2

Thanks,

cornelinux · July 14, 2015, 8:44pm

HI bluewaters,

again. Forget about PAM for a while.

Call
https://privacyideaserver/validate/check?user=&pass=

ldap user

{
“id”: 1,
“jsonrpc”: “2.0”,
“result”: {
“error”: {
“code”: -500,
“message”: “ERR905: The user can not be found in any resolver in this realm!”
},
“status”: false
},
“version”: “privacyIDEA 2.5dev2”
}

This indicates, that you your LDAP user can not authenticate. I.e. the
underlying mechanism will not work, so we do not need to talk about PAM.
We first have to fix this!

How many realms did you define?
Did you put the LDAP resolver in a new realm?

Then the ldap user will not be in the default realm.
Please put the ldap resolver into the same realm like the
passwdresolver.

And check the URL again!

Kind regards
Cornelius

signature.asc (819 Bytes)

cornelinux · July 14, 2015, 8:01pm

Let’s get things straight:

You can login (via SSH/PAM???)
with an LDAP user to a linux machine BEFORE using privacyIDEA? Right?

As soon as you configure privacyIDEA, you can login with a local user,
but not with an LDAP user?

First step!
Forget about PAM!

Check if you can authenticate with the user against privacyidea
directly.

Local User AND LDAP USER.

Call
https://privacyideaserver/validate/check?user=&pass=

Kind regards
CorneliusAm Dienstag, den 14.07.2015, 12:36 -0700 schrieb blue90waters@gmail.com:

Hi,

I am running privacyidea 2.5dev2 on ubuntu 14.04.
I am able to authenticate on a client using otp for the local users
but not with ldap users.
I can log in to the client with ldap username/password. I am not sure
what else i need to configure for it to accept otp pin.
I would appreciate your help on this.

Below is my pam configuration.

common-auth

auth sufficient pam_python.so /opt/privacyidea_pam.py
url=https://OTP-HOST prompt=PRIVACYIDEA_Authentication nosslverify
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

sshd

@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1
envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
@include common-password

below is the error message that i see on the logs.

Jul 14 13:15:07 otp2 sshd: requests > 1.0
Jul 14 13:15:07 otp2 sshd: privacyidea_pam: ERR905: The user can not
be found in any resolver in this realm!
Jul 14 13:15:07 otp2 sshd: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6
user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6 user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): received for user otp:
17 (Failure setting user credentials)
Jul 14 13:15:10 otp2 sshd[11317]: Failed password for otp from
10.10.6.6 port 60748 ssh2

Thanks,

–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1315a01f-b2a0-4584-b2d7-1ce11365bb1a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (819 Bytes)

cornelinux · July 14, 2015, 9:01pm

Hi,
I assume, that you are also able to authenticate with the LDAP user at
PAM.

When authenticating, the system searches the user in the “default”
realm.
You might want to read a bit more about realms:
http://privacyidea.readthedocs.org/en/latest/configuration/realms.html

Kind regards
CorneliusAm Dienstag, den 14.07.2015, 13:55 -0700 schrieb blue90waters@gmail.com:

Ah!!! that worked like a charm once i placed the ldap resolver in the
default realm.

Appreciate your quick reply for resolving this.

Thank you very much Cornelius.

On Tuesday, July 14, 2015 at 2:44:40 PM UTC-6, Cornelius Kölbel wrote:
HI bluewaters,
    again. Forget about PAM for a while. 
    
    
    > 
    > Call 
    >
    https://privacyideaserver/validate/check?user=<username>&pass=<otppin-otpvalue> 
    > 
    
    > ldap user 
    > ----------- 
    > { 
    >   "id": 1, 
    >   "jsonrpc": "2.0", 
    >   "result": { 
    >     "error": { 
    >       "code": -500, 
    >       "message": "ERR905: The user can not be found in any
    resolver in this realm!" 
    >     }, 
    >     "status": false 
    >   }, 
    >   "version": "privacyIDEA 2.5dev2" 
    > } 
    > 
    
    This indicates, that you your LDAP user can not authenticate.
    I.e. the 
    underlying mechanism will not work, so we do not need to talk
    about PAM. 
    We first have to fix this! 
    
    How many realms did you define? 
    Did you put the LDAP resolver in a new realm? 
    
    Then the ldap user will not be in the default realm. 
    Please put the ldap resolver into the same realm like the 
    passwdresolver. 
    
    And check the URL again! 
    
    Kind regards 
    Cornelius 
–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/9db5b6e3-f0ff-46c2-95ba-0ae78c68c1e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (819 Bytes)

blue90waters · July 14, 2015, 9:31pm

Yes. I am able to auth a ldap user too. I will go through the docs on the
link.
I will test this on the CentOS 7 too. Is it any different authenticating on
CentOS?
I did not find an libpam-python rpm though.

-ThanksOn Tuesday, July 14, 2015 at 3:01:37 PM UTC-6, Cornelius Kölbel wrote:

Hi,
I assume, that you are also able to authenticate with the LDAP user at
PAM.

When authenticating, the system searches the user in the “default”
realm.
You might want to read a bit more about realms:
5.2. Realms — privacyIDEA 3.8 documentation

Kind regards
Cornelius

Am Dienstag, den 14.07.2015, 13:55 -0700 schrieb blue90...@gmail.com
<javascript:>:
Ah!!! that worked like a charm once i placed the ldap resolver in the
default realm.

Appreciate your quick reply for resolving this.

Thank you very much Cornelius.

On Tuesday, July 14, 2015 at 2:44:40 PM UTC-6, Cornelius Kölbel wrote:
HI bluewaters,
    again. Forget about PAM for a while. 
    
    
    > 
    > Call 
    > 
    https://privacyideaserver/validate/check?user=<username>&pass=<otppin-otpvalue> 
    > 
    
    > ldap user 
    > ----------- 
    > { 
    >   "id": 1, 
    >   "jsonrpc": "2.0", 
    >   "result": { 
    >     "error": { 
    >       "code": -500, 
    >       "message": "ERR905: The user can not be found in any 
    resolver in this realm!" 
    >     }, 
    >     "status": false 
    >   }, 
    >   "version": "privacyIDEA 2.5dev2" 
    > } 
    > 
    
    This indicates, that you your LDAP user can not authenticate. 
    I.e. the 
    underlying mechanism will not work, so we do not need to talk 
    about PAM. 
    We first have to fix this! 
    
    How many realms did you define? 
    Did you put the LDAP resolver in a new realm? 
    
    Then the ldap user will not be in the default realm. 
    Please put the ldap resolver into the same realm like the 
    passwdresolver. 
    
    And check the URL again! 
    
    Kind regards 
    Cornelius 
–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/9db5b6e3-f0ff-46c2-95ba-0ae78c68c1e7%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

blue90waters · July 14, 2015, 8:35pm

Thanks for your quick reply.

below is what i have tried.

ssh to the linux machine with local userid/privacyidea_pin - works
ssh to the linux machine with ldap userid/privacyidea_pin - does not work.
ssh to linux machine with ldap_username/ldap_passwd - works

this is what i see with
Call
https://privacyideaserver/validate/check?user=
&pass=

localuser------------

{
“detail”: {
“message”: “matching 1 tokens”,
“serial”: “OATH00006BE8”,
“type”: “hotp”
},
“id”: 1,
“jsonrpc”: “2.0”,
“result”: {
“status”: true,
“value”: true
},
“version”: “privacyIDEA 2.5dev2”,
“versionnumber”: “2.5dev2”

ldap user

{
“id”: 1,
“jsonrpc”: “2.0”,
“result”: {
“error”: {
“code”: -500,
“message”: “ERR905: The user can not be found in any resolver in this realm!”
},
“status”: false
},
“version”: “privacyIDEA 2.5dev2”
}

I have created a resolver for ldap and able to assign the token to the ldap users on privacyidea.

Here is how i configured the client for otp

On Tuesday, July 14, 2015 at 2:01:14 PM UTC-6, Cornelius Kölbel wrote:

Let’s get things straight:

You can login (via SSH/PAM???)
with an LDAP user to a linux machine BEFORE using privacyIDEA? Right?

As soon as you configure privacyIDEA, you can login with a local user,
but not with an LDAP user?

First step!
Forget about PAM!

Check if you can authenticate with the user against privacyidea
directly.

Local User AND LDAP USER.

Call
https://privacyideaserver/validate/check?user=&pass=

Kind regards
Cornelius

Am Dienstag, den 14.07.2015, 12:36 -0700 schrieb blue90...@gmail.com
<javascript:>:

Hi,

I am running privacyidea 2.5dev2 on ubuntu 14.04.
I am able to authenticate on a client using otp for the local users
but not with ldap users.
I can log in to the client with ldap username/password. I am not sure
what else i need to configure for it to accept otp pin.
I would appreciate your help on this.

Below is my pam configuration.

common-auth

auth sufficient pam_python.so /opt/privacyidea_pam.py
url=https://OTP-HOST prompt=PRIVACYIDEA_Authentication nosslverify
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

sshd

@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1
envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
@include common-password

below is the error message that i see on the logs.

Jul 14 13:15:07 otp2 sshd: requests > 1.0
Jul 14 13:15:07 otp2 sshd: privacyidea_pam: ERR905: The user can not
be found in any resolver in this realm!
Jul 14 13:15:07 otp2 sshd: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6
user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6 user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): received for user otp:
17 (Failure setting user credentials)
Jul 14 13:15:10 otp2 sshd[11317]: Failed password for otp from
10.10.6.6 port 60748 ssh2

Thanks,

–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/1315a01f-b2a0-4584-b2d7-1ce11365bb1a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

blue90waters · July 14, 2015, 8:55pm

Ah!!! that worked like a charm once i placed the ldap resolver in the
default realm.

Appreciate your quick reply for resolving this.

Thank you very much Cornelius.On Tuesday, July 14, 2015 at 2:44:40 PM UTC-6, Cornelius Kölbel wrote:

HI bluewaters,

again. Forget about PAM for a while.

Call
https://privacyideaserver/validate/check?user=&pass=

ldap user

{
“id”: 1,
“jsonrpc”: “2.0”,
“result”: {
“error”: {
“code”: -500,
“message”: “ERR905: The user can not be found in any resolver in
this realm!”
},
“status”: false
},
“version”: “privacyIDEA 2.5dev2”
}

This indicates, that you your LDAP user can not authenticate. I.e. the
underlying mechanism will not work, so we do not need to talk about PAM.
We first have to fix this!

How many realms did you define?
Did you put the LDAP resolver in a new realm?

Then the ldap user will not be in the default realm.
Please put the ldap resolver into the same realm like the
passwdresolver.

And check the URL again!

Kind regards
Cornelius

blue90waters · July 15, 2015, 3:45pm

I have downloaded the http://pam-python.sourceforge.net/ and it compiles
with few warning messages.
I would appreciate if you can build the package.

Thanks,On Tuesday, July 14, 2015 at 10:40:23 PM UTC-6, Cornelius Kölbel wrote:

Am Dienstag, den 14.07.2015, 14:31 -0700 schrieb blue90...@gmail.com
<javascript:>:

Yes. I am able to auth a ldap user too. I will go through the docs on
the link.
I will test this on the CentOS 7 too. Is it any different
authenticating on CentOS?
I did not find an libpam-python rpm though.

Yes. It looks like, there is no pam_python package, even in epel.
So get your gcc ready.
Or should I build a package for you?

Kind regards
Cornelius
-Thanks

On Tuesday, July 14, 2015 at 3:01:37 PM UTC-6, Cornelius Kölbel wrote:
Hi,
I assume, that you are also able to authenticate with the LDAP
user at
PAM.
    When authenticating, the system searches the user in the 
    "default" 
    realm. 
    You might want to read a bit more about realms: 
5.2. Realms — privacyIDEA 3.8 documentation
    Kind regards 
    Cornelius 
    
    Am Dienstag, den 14.07.2015, 13:55 -0700 schrieb 
    blue90...@gmail.com: 
    > Ah!!! that worked like a charm once i placed the ldap 
    resolver in the 
    > default realm. 
    > 
    > 
    > Appreciate your quick reply for resolving this. 
    > 
    > 
    > Thank you very much Cornelius. 
    > 
    > 
    > 
    > 
    > On Tuesday, July 14, 2015 at 2:44:40 PM UTC-6, Cornelius  Kölbel wrote: 
    >         HI bluewaters, 
    >         
    >         again. Forget about PAM for a while. 
    >         
    >         
    >         > 
    >         > Call 
    >         > 
    > 
    https://privacyideaserver/validate/check?user=<username>&pass=<otppin-otpvalue> 
    >         > 
    >         
    >         > ldap user 
    >         > ----------- 
    >         > { 
    >         >   "id": 1, 
    >         >   "jsonrpc": "2.0", 
    >         >   "result": { 
    >         >     "error": { 
    >         >       "code": -500, 
    >         >       "message": "ERR905: The user can not be 
    found in any 
    >         resolver in this realm!" 
    >         >     }, 
    >         >     "status": false 
    >         >   }, 
    >         >   "version": "privacyIDEA 2.5dev2" 
    >         > } 
    >         > 
    >         
    >         This indicates, that you your LDAP user can not 
    authenticate. 
    >         I.e. the 
    >         underlying mechanism will not work, so we do not 
    need to talk 
    >         about PAM. 
    >         We first have to fix this! 
    >         
    >         How many realms did you define? 
    >         Did you put the LDAP resolver in a new realm? 
    >         
    >         Then the ldap user will not be in the default 
    realm. 
    >         Please put the ldap resolver into the same realm 
    like the 
    >         passwdresolver. 
    >         
    >         And check the URL again! 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    > -- 
    > You received this message because you are subscribed to the 
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    > 
https://groups.google.com/d/msgid/privacyidea/9db5b6e3-f0ff-46c2-95ba-0ae78c68c1e7%40googlegroups.com.
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 
–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/40649cd6-d6df-4ecb-b886-2a3a6bf75c36%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

cornelinux · July 15, 2015, 4:40am

Yes. I am able to auth a ldap user too. I will go through the docs on
the link.
I will test this on the CentOS 7 too. Is it any different
authenticating on CentOS?
I did not find an libpam-python rpm though.

Yes. It looks like, there is no pam_python package, even in epel.
So get your gcc ready.
Or should I build a package for you?

Kind regards
CorneliusAm Dienstag, den 14.07.2015, 14:31 -0700 schrieb blue90waters@gmail.com:

-Thanks

On Tuesday, July 14, 2015 at 3:01:37 PM UTC-6, Cornelius Kölbel wrote:
Hi,
I assume, that you are also able to authenticate with the LDAP
user at
PAM.

    When authenticating, the system searches the user in the
    "default" 
    realm. 
    You might want to read a bit more about realms: 
    http://privacyidea.readthedocs.org/en/latest/configuration/realms.html 
    
    Kind regards 
    Cornelius 
    
    Am Dienstag, den 14.07.2015, 13:55 -0700 schrieb
    blue90...@gmail.com: 
    > Ah!!! that worked like a charm once i placed the ldap
    resolver in the 
    > default realm. 
    > 
    > 
    > Appreciate your quick reply for resolving this. 
    > 
    > 
    > Thank you very much Cornelius. 
    > 
    > 
    > 
    > 
    > On Tuesday, July 14, 2015 at 2:44:40 PM UTC-6, Cornelius Kölbel wrote: 
    >         HI bluewaters, 
    >         
    >         again. Forget about PAM for a while. 
    >         
    >         
    >         > 
    >         > Call 
    >         > 
    >
    https://privacyideaserver/validate/check?user=<username>&pass=<otppin-otpvalue> 
    >         > 
    >         
    >         > ldap user 
    >         > ----------- 
    >         > { 
    >         >   "id": 1, 
    >         >   "jsonrpc": "2.0", 
    >         >   "result": { 
    >         >     "error": { 
    >         >       "code": -500, 
    >         >       "message": "ERR905: The user can not be
    found in any 
    >         resolver in this realm!" 
    >         >     }, 
    >         >     "status": false 
    >         >   }, 
    >         >   "version": "privacyIDEA 2.5dev2" 
    >         > } 
    >         > 
    >         
    >         This indicates, that you your LDAP user can not
    authenticate. 
    >         I.e. the 
    >         underlying mechanism will not work, so we do not
    need to talk 
    >         about PAM. 
    >         We first have to fix this! 
    >         
    >         How many realms did you define? 
    >         Did you put the LDAP resolver in a new realm? 
    >         
    >         Then the ldap user will not be in the default
    realm. 
    >         Please put the ldap resolver into the same realm
    like the 
    >         passwdresolver. 
    >         
    >         And check the URL again! 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/9db5b6e3-f0ff-46c2-95ba-0ae78c68c1e7%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel

–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/40649cd6-d6df-4ecb-b886-2a3a6bf75c36%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (819 Bytes)