Login from Keycloak to privacyIDEA with email

Hi all,
I’m struggling with some kind of problem, but I’m not sure what the cause is. I implemented privacyIDEA as an extension for 2FA authentication for Keycloak. The user provider for both systems is an LDAP server hosted by Apache Active Directory.

The problem is the following: in the LDAP resolvers, I set the email as the username in both privacyIDEA and Keycloak. I can log in separately to both systems with the email and password, but I’m not able to validate the 2FA from privacyIDEA when I log in from Keycloak.

I tested the following scenario:
In the LDAP resolver in privacyIDEA I added, besides the email, a login attribute without the domain. Example: in Keycloak you can log in with user1@email.com; in privacyIDEA you can log in with user1@email.com and with user1. It’s working, and I checked the logs: the user that requests to authenticate is user1, not user1@email.com. The splitAtSign option is unchecked. So, why is the domain removed?

Also, in a production environment, I see that user1@email.com is transformed into user1%40email.com. This escape-character change occurs when searching in LDAP. I think that a custom field is used for the email, not the mail attribute from LDAP. The mangle settings didn’t help me.

Is that a bug, or am I missing something?

Any idea will be helpful, thanks in advance.

Hello community, any idea regarding the escape characters from user1@gmail.com?

Honestly, I do not quite understand what you are doing.
Maybe this is why no one is answering you till now.

Do you really have users with different mail domains in the login name?

Question 1: So do you have

user1@gmail.com
user2@appe.com
user3@xyz.net
?
If not - why use emails? Do not do this!

Hint A: You need to ensure that your default realm then does not have the same name as one of the email domains.

Comment B: I do not understand your “transforms to %40”. Where?
So the important thing you need to be clear about is, how the username arrives at privacyIDEA.

Read this; it should help with your understanding of how privacyIDEA reacts to the user data sent via the REST API.

https://privacyidea.readthedocs.io/en/latest/configuration/realms.html

Do you really have users with different mail domains in the login name?
A: No.
You need to ensure that your default realm then does not have the same name as one of the email domains.
A: The login name is sorin.miron@student.unitbv.ro and the realm name is unitbv. The domain and realm are not the same.

Comment B: I do not understand your “transforms to %40”. Where?
A: In the LDAP filtering process. When I try to log in from Keycloak, I see in privacyIDEA’s logs that the user is searched for as sorin.miron%40student.unitbv.ro. I will try to get the specific log.

If not - why use emails? Do not do this!
A: The university system is based on email; each student has an email like firstname.lastname@student.unitbv.ro. In the LDAP server there is no property with the value “firstname.lastname”. So, unfortunately, it’s a must to log in with the email.

Thanks for help.

It sounds to me as if Keycloak is changing (escaping) the @ sign.

You might want to take a look at the mangle policy.

Hi @cornelinux, thanks for your advice.
I tried the mangle policy before, but I didn’t succeed in fixing this problem.

So, in the attachments you can find the logs with this problem.

If you check, the mangle policy is set to "user/.(.{4})/user\\1/" in the log, but in the admin panel it is set to user/.(.{4})/user\1/. Whatever the case, this isn’t working anymore, or I don’t know how to use it. I just added it for testing purposes; if this really works, I’ll modify the mangle with the correct one. The username is not modified at all :( 

[screenshot attached]

So, in that log file you can see that user1%40yahoo.com is used as the parameter for get_user_from_param and for searching in LDAP (Searching user ‘user1%40yahoo.com’ in LDAP.)

The result in the terminal: [screenshot attached]

And some screenshots from the logs: [two screenshots attached]

Google Drive link with the entire log (character limit exceeded):
https://drive.google.com/file/d/1lQzkZSbrxu7csa08zG2BoWNKXeZOMcse/view?usp=sharing

The same issue is on github.
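The thread turns on three things that happen to a login name on its way from the web client to the LDAP search: percent-encoding of `@` as `%40` (which is what shows up in the log above if a client encodes the form value and nothing on the server decodes it before the LDAP lookup), the optional split at `@` into login name and realm, and a mangle rewrite of the username before the user lookup. The following is an added example written for this thread, not code from privacyIDEA or Keycloak. It assumes a mangle policy has the form `user/search/replace/` and is applied with `re.sub` semantics, and it models the realm split and the LDAP lookup with an in-memory directory; the directory entries and the login names are constructed.

```python
"""Constructed walk-through of a login name from web form to LDAP search.

Example code for this thread; not privacyIDEA's or Keycloak's own code.
Assumptions: a mangle policy looks like key/search/replace/ and is applied
with re.sub(); split-at-@ takes the realm from after the last '@'.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import quote, unquote

# Constructed directory entries standing in for the LDAP server.
DIRECTORY: List[Dict[str, str]] = [
    {"uid": "user1", "mail": "user1@yahoo.com"},
    {"uid": "user2", "mail": "user2@yahoo.com"},
]

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def form_encode_user(user: str) -> str:
    """What a client sends for 'user' in a form-encoded body: '@' becomes '%40'."""
    return quote(user, safe="")


def decode_received_user(raw: str) -> str:
    """The server must percent-decode the form value exactly once; skipping
    this (or a proxy encoding it twice) leaves '%40' in the login name."""
    return unquote(raw)


def split_at_sign(user: str, default_realm: str, enabled: bool) -> tuple:
    """Model of a split-at-@ setting. Enabled: 'user1@unitbv' -> ('user1', 'unitbv').
    Disabled: the whole string is the login name and the default realm is used."""
    if enabled and "@" in user:
        login, realm = user.rsplit("@", 1)
        return login, realm
    return user, default_realm


def mangle(policy: str, user: str) -> str:
    """Apply a key/search/replace/ rewrite with re.sub semantics (assumption).
    The search pattern must not itself contain '/', since '/' is the separator."""
    key, search, replace, _rest = policy.split("/", 3)
    if key != "user":
        return user
    return re.sub(search, replace, user)


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_search_filter(login: str, attr: str = "mail") -> str:
    return "(" + attr + "=" + escape_ldap_filter_value(login) + ")"


def find_user(attr: str, value: str) -> List[Dict[str, str]]:
    """Equality lookup against the constructed directory ('@' needs no escaping,
    so a literal '%40' in the value simply matches no entry)."""
    return [entry for entry in DIRECTORY if entry.get(attr) == value]


def trace(raw_from_client: str, decode_times: int, attr: str,
          mangle_policy: Optional[str] = None) -> Dict[str, object]:
    """Follow one login name through decode -> mangle -> filter -> lookup."""
    user = raw_from_client
    for _ in range(decode_times):
        user = decode_received_user(user)
    if mangle_policy:
        user = mangle(mangle_policy, user)
    return {
        "login": user,
        "filter": ldap_search_filter(user, attr),
        "matches": find_user(attr, user),
    }


if __name__ == "__main__":
    raw = form_encode_user("user1@yahoo.com")          # 'user1%40yahoo.com'
    print("not decoded:", trace(raw, 0, "mail"))        # no match, filter has %40
    print("decoded once:", trace(raw, 1, "mail"))       # matches user1
    # Strip the domain with a mangle rewrite and look up the uid attribute instead.
    print("mangled:", trace(raw, 1, "uid", "user/^(.*)@.*$/\\1/"))
```

Run the script as-is to see the three outcomes side by side: the undecoded value produces the filter `(mail=user1%40yahoo.com)` and finds nothing, which is the symptom in the log above; decoding once restores the `@` and the mail lookup succeeds; and a domain-stripping mangle policy (`^(.*)@.*$` to `\1`) turns the login name into `user1` so that a uid-based resolver can find it. The thread's own pattern `.(.{4})` is not a domain-stripping rule, which is consistent with the username not changing in the reported way.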