PrivacyIdea and LDAP Proxy

Hi there,

I installed PrivacyIdea version 3.3.1 and privacyidea-ldap-proxy on CentOS 7. I could retrieve user accounts from an LDAP server that is not installed on the privacyidea server, and I tested a token on the Privacyidea admin console using the "Test token" button successfully. However, I got the error below when trying to test the ldap-proxy using this command: ldapsearch -x -H ldap://192.168.1.1:1389 -D uid=test.ds,ou=people,dc=my-domain,dc=com -w 'password030072' "mail=*"

Error message:
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] BindRequest for 'uid=test.ds,ou=people,dc=my-domain,dc=com' received ...
2020-08-21T18:31:10+0800 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca226cf8>
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] Resolved 'uid=test.ds,ou=people,dc=my-domain,dc=com' to 'test.ds'@'' ('')
2020-08-21T18:31:10+0800 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1d9a28>
2020-08-21T18:31:10+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca226cf8>
2020-08-21T18:31:10+0800 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": Failed to authenticate. Wrong HTTP response (400)
2020-08-21T18:31:10+0800 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1d9a28>
2020-08-21T18:31:10+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca2267e8>
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca25bb00>
2020-08-21T18:31:17+0800 [pi_ldapproxy.proxy#info] BindRequest for 'uid=test.ds,ou=people,dc=my-domain,dc=com' received ...
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca1cb440>
2020-08-21T18:31:17+0800 [pi_ldapproxy.proxy#info] Resolved 'uid=test.ds,ou=people,dc=my-domain,dc=com' to 'test.ds'@'' ('')
2020-08-21T18:31:17+0800 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1f8ab8>
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca1cb440>
2020-08-21T18:31:17+0800 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": Failed to authenticate. Wrong HTTP response (400)
2020-08-21T18:31:17+0800 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f66ca1f8ab8>
2020-08-21T18:31:17+0800 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f66ca25bb00>

PrivacyIdea site: https://192.168.1.1

Config.ini setting:
[privacyidea]
instance = http://127.0.0.1:443
[ldap-backend]
endpoint = tcp:host=192.168.1.2:port=389
test-connection = true
[service-account]
dn = "uid=zimbra,cn=admins,cn=zimbra"
password = TOPSECRET
[ldap-proxy]
endpoint = tcp:port=1389
passthrough-binds = ""
bind-service-account = true
allow-search = true
allow-connection-reuse = true
ignore-search-result-references = false
forward-anonymous-binds = false
[user-mapping]
strategy = lookup
attribute = uid
[realm-mapping]
strategy = static
realm =
[bind-cache]
enabled = false
timeout = 3
[app-cache]
enabled = false

Any idea and solution? Thanks!

Best,
Keith

You should check what authentication request actually arrives at your privacyIDEA system.

Thanks for your reply! I thought the ldapsearch command I mentioned had already passed the data highlighted below to the privacyIDEA system, but it passed wrong data to the LDAP server (i.e. 192.168.1.2).

How can I check it? It seems that ldap-proxy failed to pass data to the privacyIDEA.

Best,
Keith Tin

Check where your privacyIDEA is actually running.
Is it really http on port 443?

Hi, privacyIDEA and ldap-proxy are running on the same OS (i.e. CentOS 7). I log on to privacyIDEA via this link: https://192.168.1.1. I already tried different settings, e.g. http://192.168.1.1, http://192.168.1.1:443 and https://192.168.1.1, but it still failed. Thanks.

Best,
Keith

This would be correct. Use this value instead of the one in your posted config file.
If it fails, the error lies somewhere else and you again need to take a look in the privacyidea audit log, privacyidea log file and ldap proxy log file.
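As an added example (not code from the thread or from the privacyidea-ldap-proxy project), here is a small Python lint that reads a proxy config.ini with configparser and flags the two things the replies above point at: an instance URL whose scheme disagrees with its port, and a static realm mapping left empty. Which conditions to flag and the wording of the findings are my own assumptions; the sample config is constructed here and embeds the http://127.0.0.1:443 value as posted.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample, not read from a live system: the instance URL is the
# one posted in the thread (http scheme on the HTTPS port), the rest is a
# trimmed copy of the posted sections.
SAMPLE_CONFIG = """\
[privacyidea]
instance = http://127.0.0.1:443
[ldap-backend]
endpoint = tcp:host=192.168.1.2:port=389
[ldap-proxy]
endpoint = tcp:port=1389
bind-service-account = true
[user-mapping]
strategy = lookup
attribute = uid
[realm-mapping]
strategy = static
realm =
"""


def check_instance_url(url):
    """Return a list of findings for a privacyIDEA instance URL (empty = ok)."""
    findings = []
    try:
        parts = urlsplit(url)
        port = parts.port  # None when the URL carries no explicit port
    except ValueError as exc:
        return [f"unparseable instance URL {url!r}: {exc}"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"unexpected scheme {scheme!r}; expected http or https"]
    if not parts.hostname:
        return [f"instance URL {url!r} has no host"]
    if scheme == "http" and port == 443:
        findings.append(
            "http scheme on port 443: the proxy sends plaintext HTTP to what is "
            "normally a TLS listener; fix the scheme (https://...) or the port")
    if scheme == "https" and port == 80:
        findings.append(
            "https scheme on port 80: TLS handshake against a plaintext listener")
    if scheme == "http":
        findings.append(
            "plaintext http: bind passwords are forwarded unencrypted to privacyIDEA")
    return findings


def check_realm_mapping(section):
    """Flag a static realm mapping whose realm value is empty."""
    strategy = section.get("strategy", "").strip()
    realm = section.get("realm", "").strip()
    if strategy == "static" and not realm:
        return ["static realm mapping with an empty realm: requests carry no realm, "
                "so privacyIDEA resolves the user in its default realm"]
    return []


def lint_config(text):
    """Parse a proxy config and return all findings as a flat list of strings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    if parser.has_option("privacyidea", "instance"):
        url = parser["privacyidea"]["instance"]
        findings += [f"[privacyidea] instance: {f}" for f in check_instance_url(url)]
    else:
        findings.append("[privacyidea] instance is missing")
    if parser.has_section("realm-mapping"):
        findings += [f"[realm-mapping]: {f}"
                     for f in check_realm_mapping(parser["realm-mapping"])]
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted values it reports the http-on-443 mismatch first. A plaintext HTTP request sent to an Apache port that only speaks TLS is typically answered with an HTTP 400, which is consistent with the "Wrong HTTP response (400)" the proxy logs when it tries to authenticate the bind; the lint only points at the configuration, so the audit log and the privacyIDEA log remain the place to confirm what actually arrived.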

Just an idea, but did you check in /var/log/audit/audit.log whether the LDAP-Proxy might be denied access to the LDAP-Server by SELinux?

Nope. It's already disabled. Any other idea? Thanks.

Hi,

Privacyidea 3.2.2 + privacyidea-ldap-proxy 0.6 work well, ...

Upper privacyidea versions do not work well with ldap-proxy 0.6.

Thanks,

Tuan Ngo

Hello,

I have the same problem. In the log files I can see it resolves right, but error 400 keeps popping up. Is there a new version where this problem is fixed?

I'm using version 3.6.2.