PrivacyIdea and LDAPProxy secure traffic

Hi All,

So I have set up PrivacyIDEA and LDAPProxy talking to my Active Directory for authentication. Everything looks to be working just how I want, which is great.

Now I am trying to make everything secure within reason. Please note that LdapProxy and PrivacyIdea are on the same server.

LDAP Client ==> LdapProxy + PrivacyIDEA ==> Active directory.

I can see a few areas where security needs to be improved:
LdapProxy - AD lookups.
LdapProxy - PrivacyIdea
PrivacyIdea - AD
LdapProxy plain text password.

  1. LdapProxy - AD
    Well, this should be using LDAPS with a certificate. Yet if it is only doing a name lookup I don't see this as a major problem. If it is doing a name lookup and a password check then yes, it needs to be secure. Does anyone know if this is just a name lookup?

  2. LdapProxy - PrivacyIdea.
    As this is on the same server, although using a secure connection would be great, I don't see it as a major security issue. Anyone have a comment on this?

  3. PrivacyIdea - AD
    I already have this working with LDAP and then encryption. It is also using NTLM. So I believe this is as secure as it needs to be. If this is used for the password and OTP authentication then I don't need to worry too much about the LdapProxy - AD link. Can anyone confirm that PrivacyIdea processes both the password and the OTP?

  4. LDAPProxy clear text password.
    In the configuration file of LdapProxy I have had to create an authentication account. This required a standard user account with a password. Does anyone know how to set this up without needing a clear text password?

Thanks for all your help.


I think LDAPS can be configured.

I know HTTPS can be configured.

privacyIDEA reads user information from AD. If you configure the privacyIDEA policy otppin=userstore, privacyIDEA verifies the AD password by issuing a bind request.

I think this is impossible. Since you need credentials to communicate. And if you need credentials you need to configure and store them. Convince me otherwise.
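To make the otppin=userstore flow from the reply above concrete, here is an added Python model of what happens to the single password field the LDAP client sends: the trailing OTP is split off, the remainder is checked against the user store with a bind, and the OTP is then checked against an HOTP token (RFC 4226, computed with the standard library). This is example code written for this thread, not privacyIDEA's or the LDAP proxy's own code. The user store, the token secret (the RFC 4226 test secret), the account name and the bind function are constructed stand-ins; a real deployment issues the bind to AD over LDAPS rather than looking up a dictionary.

```python
import hashlib
import hmac
import struct

# Constructed sample data for this example only (no real accounts or secrets).
# USERSTORE stands in for the AD accounts the bind request is checked against.
USERSTORE = {"alice": "Sup3rSecretAD"}

# One HOTP token per user: the RFC 4226 test secret, an event counter and the OTP length.
TOKENS = {"alice": {"secret": b"12345678901234567890", "counter": 0, "otplen": 6}}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as in RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def userstore_bind(user: str, password: str) -> bool:
    """Stand-in (hypothetical) for the LDAP simple bind that otppin=userstore triggers against AD.

    Constructed for this example: a real server performs a bind over LDAPS and reports success or failure.
    """
    stored = USERSTORE.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def validate_check(user: str, password_field: str, tokens: dict = TOKENS, window: int = 10) -> bool:
    """Model of a privacyIDEA-style check with otppin=userstore.

    password_field is what the LDAP client sent as the bind password: <AD password><OTP>.
    Order of checks: split off the OTP by token length, bind with the rest, then verify the OTP
    against the HOTP counter inside a look-ahead window. On success the counter moves past the
    used value so the same OTP cannot be replayed.
    """
    token = tokens.get(user)
    if token is None:
        return False
    otplen = token["otplen"]
    if len(password_field) <= otplen:
        return False  # nothing left for the AD password once the OTP is removed
    ad_password, otp = password_field[:-otplen], password_field[-otplen:]

    if not userstore_bind(user, ad_password):
        return False  # the bind (AD password) failed; do not even look at the OTP

    for counter in range(token["counter"], token["counter"] + window):
        if hmac.compare_digest(hotp(token["secret"], counter, otplen), otp):
            token["counter"] = counter + 1  # consume this and any skipped counters
            return True
    return False


if __name__ == "__main__":
    # Stand-alone demo on the constructed data: first use succeeds, the replay is refused.
    first = validate_check("alice", "Sup3rSecretAD" + hotp(b"12345678901234567890", 0))
    replay = validate_check("alice", "Sup3rSecretAD" + hotp(b"12345678901234567890", 0))
    print("first attempt:", first, "| replay:", replay)
```

The point for the thread's question 1 and 3: with this policy the password the client typed reaches AD only inside the bind that privacyIDEA issues, so the privacyIDEA-to-AD link is the one carrying the credential and is the one that needs LDAPS, while the OTP never leaves privacyIDEA.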


Just in response to the LDAPProxy clear text password. You are right that you need credentials, but these can be supplied by the LDAP client, which in my case encrypts the stored password. So I just need to pass the LDAP client request across. I did try that by setting "bind-service-account" to false. Unfortunately this stopped the request working. I am hopeful there are settings that will allow this to work.