I’m struggling with a problem, but I’m not sure what the cause is. I implemented privacyIDEA as an extension for 2FA authentication in Keycloak. The user provider for both systems is an LDAP server hosted by Apache Active Directory.
The problem is the following: in the LDAP resolvers, I set the email as the username in privacyIDEA and Keycloak. I can log in to each system separately with the email and password, but I’m not able to validate the 2FA from privacyIDEA when I log in from Keycloak.
I tested the following scenario:
In the LDAP resolver in privacyIDEA I added, besides the email, an attribute without the domain for login. Example: in Keycloak you can log in with email@example.com; in privacyIDEA you can log in with firstname.lastname@example.org and user1. It works, and I checked the logs: the user that requests to authenticate is user1, not email@example.com. splitAtSign is unchecked. So why is the domain removed?
Also, in a production environment, I see that firstname.lastname@example.org is transformed into user1%40email.com. This escape-character change occurs when searching in LDAP. I think that a custom field is used for the email, not the mail attribute from LDAP. The mangle settings didn’t help me.
Is that a bug, or am I missing something?
Any idea will be helpful, thanks in advance.
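Added example, not part of the original post and not privacyIDEA or Keycloak code: a small Python script that shows where a login name like user1%40email.com comes from and why it can never match a mail attribute in LDAP. %40 is the URL percent-encoding of @, so a login that still carries it when the LDAP filter is built was URL-encoded by the client (or encoded twice) and never decoded. LDAP filter escaping (RFC 4515) is a separate scheme that uses backslash-hex for a handful of characters and leaves @ untouched. The login names, the mail attribute name and the split_at_sign sketch (which only models "split a user@realm login at the @", not privacyIDEA's actual implementation) are assumptions for illustration.

```python
"""Diagnosing a login name that reaches the LDAP search as 'user1%40example.com'.

Assumptions (constructed for this example): the login attribute is 'mail',
sample logins are made up, and split_at_sign() is only a sketch of
"split user@realm at the @", not privacyIDEA's own code.
"""
from urllib.parse import quote, unquote

# RFC 4515 filter escaping. '@' is deliberately NOT in this table.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def encode_for_query(login: str) -> str:
    """What a client does when it URL-encodes the login for a query string.

    '@' is not a safe character for urllib, so it becomes '%40'.
    """
    return quote(login)


def looks_url_encoded(login: str) -> bool:
    """True if the login still carries percent-escapes such as '%40'."""
    return unquote(login) != login


def normalize_login(login: str, max_depth: int = 3) -> str:
    """Strip URL encoding, repeating to cope with double encoding ('%2540').

    Caveat: a login that legitimately contains a literal '%xx' sequence
    would be altered; real logins are not expected to contain one.
    """
    for _ in range(max_depth):
        decoded = unquote(login)
        if decoded == login:
            break
        login = decoded
    return login


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(login: str, attribute: str = "mail") -> str:
    """The broken path: interpolate the login as received.

    A URL-encoded login yields '(mail=user1%40example.com)', which matches
    no entry because no directory stores '%40' in the mail attribute.
    """
    return f"({attribute}={login})"


def build_mail_filter(login: str, attribute: str = "mail") -> str:
    """The correct path: URL-decode first, then apply LDAP filter escaping."""
    return f"({attribute}={ldap_filter_escape(normalize_login(login))})"


def split_at_sign(login: str):
    """Sketch of a 'split at @' option: returns (user, realm).

    If anything in the chain applies this to an email login, the domain
    part is consumed as a realm and only the local part reaches the
    resolver, which is the symptom of a login showing up as 'user1'.
    """
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm
    return login, None


if __name__ == "__main__":
    sent = encode_for_query("user1@example.com")
    print("as sent by client:", sent)
    print("naive filter:     ", naive_filter(sent))
    print("correct filter:   ", build_mail_filter(sent))
    print("double encoded:   ", build_mail_filter(encode_for_query(sent)))
    print("split at @:       ", split_at_sign("user1@example.com"))
```

Running this prints the naive filter `(mail=user1%40example.com)` next to the corrected `(mail=user1@example.com)`, which is the check to apply against the LDAP server logs: if the filter on the wire contains `%40`, the problem is a missing URL decode before the search, not the LDAP escaping.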