Thanks for your quick reply.
Below is what I have tried:
SSH to the Linux machine with local userid/privacyidea_pin - works
SSH to the Linux machine with LDAP userid/privacyidea_pin - does not work
SSH to the Linux machine with ldap_username/ldap_passwd - works
This is what I see when I call
https://privacyideaserver/validate/check?user=&pass=
Local user:
{
  "detail": {
    "message": "matching 1 tokens",
    "serial": "OATH00006BE8",
    "type": "hotp"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },
  "version": "privacyIDEA 2.5dev2",
  "versionnumber": "2.5dev2"
}
LDAP user:
{
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "error": {
      "code": -500,
      "message": "ERR905: The user can not be found in any resolver in this realm!"
    },
    "status": false
  },
  "version": "privacyIDEA 2.5dev2"
}
I have created a resolver for LDAP and am able to assign the token to the LDAP users on privacyIDEA.
Here is how I configured the client for OTP:
On Tuesday, July 14, 2015 at 2:01:14 PM UTC-6, Cornelius Kölbel wrote:
Let's get things straight:
You can log in (via SSH/PAM???) with an LDAP user to a Linux machine BEFORE using privacyIDEA? Right?
As soon as you configure privacyIDEA, you can log in with a local user, but not with an LDAP user?
First step!
Forget about PAM!
Check if you can authenticate with the user against privacyidea directly.
Local User AND LDAP USER.
Call
https://privacyideaserver/validate/check?user=&pass=
Kind regards
Cornelius
On Tuesday, 14.07.2015, 12:36 -0700, blue90...@gmail.com wrote:
Hi,
I am running privacyidea 2.5dev2 on Ubuntu 14.04.
I am able to authenticate on a client using OTP for the local users but not with LDAP users.
I can log in to the client with LDAP username/password. I am not sure what else I need to configure for it to accept the OTP PIN.
I would appreciate your help on this.
Below is my PAM configuration.
common-auth:
auth sufficient pam_python.so /opt/privacyidea_pam.py url=https://OTP-HOST prompt=PRIVACYIDEA_Authentication nosslverify
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
sshd:
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
Below is the error message that I see in the logs.
Jul 14 13:15:07 otp2 sshd: requests > 1.0
Jul 14 13:15:07 otp2 sshd: privacyidea_pam: ERR905: The user can not be found in any resolver in this realm!
Jul 14 13:15:07 otp2 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6 user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6 user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): received for user otp: 17 (Failure setting user credentials)
Jul 14 13:15:10 otp2 sshd[11317]: Failed password for otp from 10.10.6.6 port 60748 ssh2
Thanks,
–
Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
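Cornelius's first step (check the user against /validate/check directly, leaving PAM out of the picture) as a small script; this is an added example, not code from the thread or from the privacyIDEA project. The server URL, user and password are placeholders, and the optional `realm` argument is the standard /validate/check request parameter; the two embedded responses are constructed from the ones posted in the thread.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Constructed from the two responses posted in the thread (content unchanged).
LOCAL_USER_RESPONSE = {
    "detail": {"message": "matching 1 tokens", "serial": "OATH00006BE8", "type": "hotp"},
    "id": 1, "jsonrpc": "2.0", "result": {"status": True, "value": True},
    "version": "privacyIDEA 2.5dev2", "versionnumber": "2.5dev2",
}
LDAP_USER_RESPONSE = {
    "id": 1, "jsonrpc": "2.0", "version": "privacyIDEA 2.5dev2",
    "result": {"status": False, "error": {"code": -500,
        "message": "ERR905: The user can not be found in any resolver in this realm!"}},
}

def validate_check(base_url, user, password, realm=None, timeout=10):
    """POST user/pass (optionally realm) to /validate/check and return the parsed JSON.
    Certificates are verified; the PAM line in the thread uses nosslverify, which only a lab should."""
    params = {"user": user, "pass": password}
    if realm:  # pin the realm rather than relying on the server's default realm
        params["realm"] = realm
    req = urllib.request.Request(base_url.rstrip("/") + "/validate/check",
                                 data=urllib.parse.urlencode(params).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def diagnose(response):
    """Turn a /validate/check response into a (verdict, explanation) pair."""
    result = response.get("result", {})
    detail = response.get("detail", {})
    if result.get("status") is True:
        if result.get("value") is True:
            return "ok", "%s token %s accepted" % (detail.get("type"), detail.get("serial"))
        return "wrong_otp", detail.get("message", "PIN/OTP rejected")
    err = result.get("error", {})
    if "ERR905" in err.get("message", ""):
        # The user is unknown to every resolver of the realm privacyIDEA searched,
        # so the realm/resolver mapping, not the token or the PIN, needs attention.
        return "user_not_found", "user is in no resolver of the realm used for this request"
    return "error", "%s %s" % (err.get("code"), err.get("message"))

if __name__ == "__main__":
    for name, resp in (("local user", LOCAL_USER_RESPONSE), ("ldap user", LDAP_USER_RESPONSE)):
        print(name + ":", *diagnose(resp))
    # Live run (placeholders): validate_check("https://privacyideaserver", "<user>", "<pin+otp>")
```

Running it against both users, as Cornelius asks, separates "wrong PIN/OTP" from "user not in this realm", which is what the PAM log line ERR905 is reporting.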