PrivacyIdea and LDAP Proxy

Hi there,

I installed PrivacyIdea version 3.3.1 and privacyidea-ldap-proxy on CentOS 7. I could retrieve user accounts from an LDAP server that is not installed on the privacyidea server, and I tested a token on the Privacyidea admin console using the "Test token" button successfully. However, I got the error below when trying to test ldap-proxy with this command: ldapsearch -x -H ldap://192.168.1.1:1389 -D uid=test.ds,ou=people,dc=my-domain,dc=com -w 'password030072' "mail=*"

Error message:
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] BindRequest for 'uid=test.ds,ou=people,dc=my-domain,dc=com' received ...
2020-08-21T18:31:10+0800 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca226cf8>
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] Resolved 'uid=test.ds,ou=people,dc=my-domain,dc=com' to 'test.ds'@'' ('')
2020-08-21T18:31:10+0800 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1d9a28>
2020-08-21T18:31:10+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca226cf8>
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": Failed to authenticate. Wrong HTTP response (400)
2020-08-21T18:31:10+0800 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1d9a28>
2020-08-21T18:31:10+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca2267e8>
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca25bb00>
2020-08-21T18:31:17+0800 [pi_ldapproxy.proxy#info] BindRequest for 'uid=test.ds,ou=people,dc=my-domain,dc=com' received ...
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca1cb440>
2020-08-21T18:31:17+0800 [pi_ldapproxy.proxy#info] Resolved 'uid=test.ds,ou=people,dc=my-domain,dc=com' to 'test.ds'@'' ('')
2020-08-21T18:31:17+0800 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1f8ab8>
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca1cb440>
2020-08-21T18:31:17+0800 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": Failed to authenticate. Wrong HTTP response (400)
2020-08-21T18:31:17+0800 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1f8ab8>
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca25bb00>

PrivacyIdea site: https://192.168.1.1

Config.ini setting:
[privacyidea]
instance = http://127.0.0.1:443
[ldap-backend]
endpoint = tcp:host=192.168.1.2:port=389
test-connection = true
[service-account]
dn = "uid=zimbra,cn=admins,cn=zimbra"
password = TOPSECRET
[ldap-proxy]
endpoint = tcp:port=1389
passthrough-binds = ""
bind-service-account = true
allow-search = true
allow-connection-reuse = true
ignore-search-result-references = false
forward-anonymous-binds = false
[user-mapping]
strategy = lookup
attribute = uid
[realm-mapping]
strategy = static
realm =
[bind-cache]
enabled = false
timeout = 3
[app-cache]
enabled = false

Any idea and solution? Thanks!

Best,
Keith
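The proxy log above interleaves Twisted factory noise with the three lines that actually describe a bind attempt (BindRequest received, Resolved to user@realm, Sending BindResponse). The following triage script is an added example, not part of this thread or of privacyidea-ldap-proxy itself: it groups those three lines per bind attempt and flags the two things worth noticing in this excerpt, the empty realm after "Resolved" and the "Wrong HTTP response (400)" reason, which means privacyIDEA never returned a token-validation verdict at all. The line layout and message texts are taken from the excerpt; the sample log embedded in the script is a constructed copy of it.

```python
"""Triage privacyidea-ldap-proxy log lines (added example, not project code).

Assumed line layout, taken from the log excerpt in the post:
  <ISO timestamp> [<logger>#<level>] <message>
Only messages from the "pi_ldapproxy.proxy" logger carry authentication state.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<logger>[^\]#]+)#(?P<level>\w+)\] (?P<msg>.*)$")
BIND_RE = re.compile(r"BindRequest for '(?P<dn>[^']*)' received")
RESOLVED_RE = re.compile(r"Resolved '(?P<dn>[^']*)' to '(?P<user>[^']*)'@'(?P<realm>[^']*)'")
RESPONSE_RE = re.compile(r'Sending BindResponse "(?P<result>[^"]*)": (?P<reason>.*)$')
HTTP_RE = re.compile(r"Wrong HTTP response \((?P<status>\d+)\)")

# Constructed sample mirroring the thread's excerpt (one bind attempt, noise included).
SAMPLE_LOG = """\
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] BindRequest for 'uid=test.ds,ou=people,dc=my-domain,dc=com' received ...
2020-08-21T18:31:10+0800 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca226cf8>
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] Resolved 'uid=test.ds,ou=people,dc=my-domain,dc=com' to 'test.ds'@'' ('')
2020-08-21T18:31:10+0800 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1d9a28>
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": Failed to authenticate. Wrong HTTP response (400)
2020-08-21T18:31:10+0800 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1d9a28>
"""


@dataclass
class BindAttempt:
    ts: str
    dn: str
    user: Optional[str] = None
    realm: Optional[str] = None
    result: Optional[str] = None
    reason: Optional[str] = None
    http_status: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def assess(a: BindAttempt) -> List[str]:
    """Turn one parsed bind attempt into operator-facing findings."""
    findings = []
    if a.user is None:
        findings.append("bind DN was never resolved to a privacyIDEA user; check [user-mapping]")
    elif a.realm == "":
        findings.append("resolved realm is empty, so privacyIDEA will fall back to its default realm; "
                        "check [realm-mapping]")
    if a.http_status is not None and a.http_status != 200:
        findings.append(f"privacyIDEA answered HTTP {a.http_status} instead of a validation verdict; "
                        "check the [privacyidea] instance URL (scheme and port) and the privacyIDEA log")
    elif a.result == "invalid credentials":
        findings.append(f"privacyIDEA rejected the credentials: {a.reason}")
    return findings


def parse_bind_attempts(text: str) -> List[BindAttempt]:
    """Group BindRequest / Resolved / BindResponse lines into BindAttempt records."""
    attempts: List[BindAttempt] = []
    current: Optional[BindAttempt] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("logger") != "pi_ldapproxy.proxy":
            continue  # Twisted factory chatter carries no authentication state
        msg = m.group("msg")
        b = BIND_RE.search(msg)
        if b:
            current = BindAttempt(ts=m.group("ts"), dn=b.group("dn"))
            attempts.append(current)
            continue
        if current is None:
            continue
        r = RESOLVED_RE.search(msg)
        if r:
            current.user, current.realm = r.group("user"), r.group("realm")
            continue
        s = RESPONSE_RE.search(msg)
        if s:
            current.result, current.reason = s.group("result"), s.group("reason")
            h = HTTP_RE.search(current.reason)
            if h:
                current.http_status = int(h.group("status"))
            current = None  # the BindResponse closes this attempt
    for a in attempts:
        a.findings = assess(a)
    return attempts


if __name__ == "__main__":
    for attempt in parse_bind_attempts(SAMPLE_LOG):
        print(f"{attempt.ts} {attempt.dn} -> {attempt.user!r}@{attempt.realm!r}: {attempt.result}")
        for f in attempt.findings:
            print("  -", f)
```

Run it against `journalctl` or the proxy's log file piped into `parse_bind_attempts`; a bind that reaches privacyIDEA and is genuinely refused shows no HTTP finding, only the "rejected the credentials" line, which is how you tell a transport problem apart from a wrong OTP.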

You should check what authentication request actually arrives at your privacyIDEA system.

Thanks for your reply! I thought the ldapsearch command mentioned above already passed the data, as highlighted below, to the privacyIDEA system, but it passed wrong data to the LDAP server (i.e. 192.168.1.2).

How can I check it? It seems that ldap-proxy failed to pass data to the privacyIDEA.

Best,
Keith Tin

Check where your privacyIDEA is actually running.
Is it really http on port 443?

Hi, privacyIDEA and ldap-proxy are running on the same OS (i.e. CentOS 7). I log on to privacyIDEA via this link: https://192.168.1.1. I already tried different settings, e.g. http://192.168.1.1, http://192.168.1.1:443 and https://192.168.1.1, but it still failed. Thanks.

Best,
Keith

This would be correct. Use this value, in contrast to your posted config file.
If it fails, the error lies somewhere else and you again need to take a look in the privacyidea audit log, privacyidea log file and ldap proxy log file.
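The advice above boils down to two checks: is the `instance` value in config.ini a URL privacyIDEA actually answers on (the posted `http://127.0.0.1:443` mixes plain HTTP with the TLS port), and what does privacyIDEA reply to the `/validate/check` request the proxy sends? The script below is an added example, not code from this thread or from the privacyidea-ldap-proxy project. It reads the `[privacyidea]` section with `configparser`, flags scheme/port mismatches and unencrypted transport, and interprets a `/validate/check` reply using the documented JSON shape (`result.status`, `result.value`, `detail.message`). The sample config and sample replies are constructed; the optional live call assumes the standard `user`, `pass` and `realm` form parameters of `/validate/check`.

```python
"""Check the proxy's privacyIDEA instance URL and interpret /validate/check replies.

Added example (not part of privacyidea-ldap-proxy). The embedded config and the
JSON replies are constructed; the live helper at the bottom is optional.
"""
import configparser
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Tuple

# Constructed config mirroring the [privacyidea] section posted in the thread.
SAMPLE_CONFIG = """\
[privacyidea]
instance = http://127.0.0.1:443
"""


def check_instance_url(url: str) -> List[str]:
    """Return problems an operator should fix in the `instance` value."""
    problems = []
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return [f"unsupported scheme {parts.scheme!r}; expected http:// or https://"]
    if not parts.hostname:
        return ["no host in instance URL"]
    if parts.scheme == "http" and parts.port == 443:
        problems.append("plain http:// on port 443: the server speaks TLS there, so requests "
                        "get a non-200 reply or no reply at all; use https://")
    if parts.scheme == "https" and parts.port == 80:
        problems.append("https:// on port 80: the server speaks plain HTTP there")
    if parts.scheme == "http":
        problems.append("instance URL is not TLS: user passwords and OTPs are sent in clear; "
                        "prefer https:// with a certificate the proxy host trusts")
    return problems


def audit_config(text: str) -> List[str]:
    """Parse a proxy config.ini and audit its [privacyidea] instance URL."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_option("privacyidea", "instance"):
        return ["[privacyidea] section has no `instance` setting"]
    return check_instance_url(cfg.get("privacyidea", "instance"))


def interpret_validate_check(status_code: int, body: str) -> Tuple[str, str]:
    """Map an HTTP status and JSON body from /validate/check to (verdict, detail).

    A non-200 status is what the proxy reports as "Wrong HTTP response (N)":
    no token was checked at all, so the fix is on the transport or request side.
    """
    if status_code != 200:
        return ("error", f"HTTP {status_code} before any token check (proxy logs this as "
                         f"'Wrong HTTP response ({status_code})')")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ("error", "HTTP 200 but body is not JSON; is `instance` really privacyIDEA?")
    result = data.get("result", {})
    if not result.get("status", False):
        return ("error", result.get("error", {}).get("message", "privacyIDEA reported an error"))
    detail = data.get("detail", {}).get("message", "")
    return ("accept", detail) if result.get("value") is True else ("reject", detail)


def validate_check_live(instance: str, user: str, password: str, realm: str = "",
                        timeout: float = 5.0) -> Tuple[str, str]:
    """Optional live call: POST /validate/check and interpret the reply (not run by tests)."""
    form = {"user": user, "pass": password}
    if realm:
        form["realm"] = realm
    req = urllib.request.Request(instance.rstrip("/") + "/validate/check",
                                 data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
            return interpret_validate_check(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return interpret_validate_check(e.code, e.read().decode(errors="replace"))


if __name__ == "__main__":
    for p in audit_config(SAMPLE_CONFIG):
        print("config:", p)
    print(interpret_validate_check(400, ""))
    print(interpret_validate_check(200, '{"result": {"status": true, "value": true}, '
                                        '"detail": {"message": "matching 1 tokens"}}'))
```

Running `audit_config` on the posted section reports the http-on-443 mismatch first; once `instance` is `https://192.168.1.1`, a verdict of `("reject", ...)` rather than `("error", ...)` tells you the request reached privacyIDEA and the remaining problem is in the user or realm mapping, which is exactly where the audit log should be read next.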

The error disappeared after changing the certificate setting. However, running the ldapsearch command shown below returned an unexpected search result. The command looks up the user database at the LDAP server via privacyIDEA (i.e. 192.168.1.1).

ldapsearch -x -H ldap://192.168.1.1:1389 -D uid=test.ds,ou=people,dc=mydomain,dc=com -w 'password123456' "mail="
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: mail=

# requesting: ALL
#

# search result
search: 2
result: 50 Insufficient access
text: LDAP Search disallowed according to the configuration.

# numResponses: 1

PrivacyIDEA log:
[2020-08-27 15:43:56,935][24353][140386870507264][INFO][privacyidea.lib.user:233] user u'test.ds' found in resolver u'zimbraSresolver'
[2020-08-27 15:43:56,936][24353][140386870507264][INFO][privacyidea.lib.user:234] userid resolved to u'7f415eb2-58e2-1039-8642-0df6662a0ba7'
[2020-08-27 15:43:56,994][24353][140386870507264][INFO][privacyidea.lib.user:233] user u'test.ds' found in resolver u'zimbraSresolver'
[2020-08-27 15:43:56,995][24353][140386870507264][INFO][privacyidea.lib.user:234] userid resolved to u'7f415eb2-58e2-1039-8642-0df6662a0ba7'
[2020-08-27 15:43:57,034][24353][140386870507264][INFO][privacyidea.lib.user:233] user u'test.ds' found in resolver u'zimbraSresolver'
[2020-08-27 15:43:57,034][24353][140386870507264][INFO][privacyidea.lib.user:234] userid resolved to u'7f415eb2-58e2-1039-8642-0df6662a0ba7'
[2020-08-27 15:43:57,035][24353][140386870507264][INFO][privacyidea.lib.user:360] User u'test.ds' from realm u'zimbra' tries to authenticate
[2020-08-27 15:43:57,431][24353][140386870507264][INFO][privacyidea.api.lib.postpolicy:470] There is no machine with IP=IPAddress('192.168.1.1')

When running the command below to look up the database at the LDAP server (i.e. 192.168.1.2) directly, the result came out normally.

ldapsearch -x -H ldap://192.168.1.2:389 -D uid=test.ds,ou=people,dc=mydomain,dc=com -w 'password' "mail=*"

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: mail=*
# requesting: ALL
#

# test.ds, people, mydomain.com
dn: uid=test.ds,ou=people,dc=mydomain,dc=com
uid: test.ds
sn: ds
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: zimbraAccount
objectClass: amavisAccount
cn: Test DS
givenName: Test
mail: test.ds@gdc-ds.com
displayName: Test

[snip]

# search result
search: 2
result: 0 Success

# numResponses: 39
# numEntries: 38

User list lookup via the PrivacyIDEA admin console has no problem. How can I solve it? Thanks.

Best,
Keith

Just an idea, but did you check in /var/log/audit/audit.log whether the LDAP proxy might be denied access to the LDAP server by SELinux?

Nope. It's already disabled. Any other idea? Thanks.