privacyIDEA LDAP Proxy With OpenConnect VPN

Hi, we want to use privacyIDEA to apply two-factor authentication to our VPN service. Our VPN service is built with OpenConnect, and behind OpenConnect we use LDAP. Between OpenConnect and LDAP we use FreeRADIUS to connect OpenConnect with LDAP.

It looks like this: openconnect <-> FreeRADIUS <-> LDAP.

My version of privacyIDEA is privacyIDEA 3.0.2, and I get it from https://pypi.org/project/privacyIDEA/. My Linux distribution and version is Red Hat 4.8.5-36 and Linux version 3.10.0-957.21.3.el7.x86_64. I have created a realm with an LDAP resolver, and the LDAP resolver has passed the test. I have created the
authentication policy with { "otppin": "userstore" }, and also created the user policy { "enrollTOTP": true, "totp_timestep": "30", "delete": true }. The test user has enrolled the TOTP token.

I have changed the LDAP server address and port in the RADIUS configuration to the privacy-ldap-proxy address and port. The privacy-ldap-proxy's config.ini file looks like this:

[privacyidea]
instance = http://127.0.0.1:5000

[ldap-backend]
endpoint = tcp:host=ourldapServerAddress:port=ourldapPort
test-connection = true

[service-account]
dn = "cn=xxxx,ou=staff,dc=privacyidea,dc=com"
password = passwords

[ldap-proxy]
endpoint = tcp:port=1389
passthrough-binds = "cn=xxxx,ou=staff,dc=privacyidea,dc=com"
bind-service-account = true
allow-search = true
allow-connection-reuse = false
forward-anonymous-binds = false

[user-mapping]
strategy = lookup
attribute = uid

[realm-mapping]
strategy = static
realm = our default realm

[bind-cache]
enabled = false
timeout = 3

[app-cache]
enabled = false

But so far I can only authenticate with the username and password; when I use the username and password+otpcode, it fails.

Best wishes
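One way to isolate where the failure happens is to bind against the LDAP proxy directly, bypassing FreeRADIUS, and look at the LDAP result code the proxy returns. The client below is an added example, not part of this post or of the privacyidea-ldap-proxy project: it builds an LDAPv3 simple bind by hand with the standard library (no python-ldap or ldap3 needed), sends it to the proxy endpoint from the config above (tcp:port=1389), and decodes the BindResponse. The host, the test-user DN and the credentials are placeholders; the script is written for Python 3 even though the proxy itself runs under Python 2.7.

```python
"""Minimal LDAPv3 simple-bind client (stdlib only) for testing the privacyidea-ldap-proxy."""
import getpass
import socket
import sys

# LDAP result codes relevant when checking a bind (RFC 4511).
RESULT_CODES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Wrap payload in a BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Encode a non-negative INTEGER (an extra leading zero keeps the sign bit clear)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = ber_int(3) + tlv(0x04, dn.encode("utf-8")) + tlv(0x80, password.encode("utf-8"))
    return tlv(0x30, ber_int(message_id) + tlv(0x60, op))  # 0x60 = [APPLICATION 0]


def parse_tlv(buf, pos):
    """Return (tag, value, position after the element); IndexError if truncated."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if len(buf) < pos + n:
            raise IndexError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def message_complete(data):
    """True once the outer LDAPMessage SEQUENCE has fully arrived."""
    try:
        _, _, end = parse_tlv(data, 0)
    except IndexError:
        return False
    return len(data) >= end


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = parse_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(msg, 0)
    tag, op, _ = parse_tlv(msg, pos)
    if tag != 0x61:  # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = parse_tlv(op, 0)
    _, _matched_dn, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldap_simple_bind(host, port, dn, password, timeout=5.0):
    """Send one simple bind to host:port and return (messageID, resultCode, diagnostic)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = b""
        while not message_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering")
            data += chunk
        return parse_bind_response(data)


if __name__ == "__main__":
    # Placeholders: proxy host and port from the config above, DN of a constructed test user.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    dn = sys.argv[2] if len(sys.argv) > 2 else "uid=testuser,ou=staff,dc=privacyidea,dc=com"
    secret = getpass.getpass("LDAP password (append the OTP to test the second factor): ")
    mid, code, diag = ldap_simple_bind(host, 1389, dn, secret)
    print("result %d (%s) %s" % (code, RESULT_CODES.get(code, "other"), diag))
```

Run it once with the plain password and once with password+OTP. A result code of 0 from the proxy for the password alone but 49 (invalidCredentials) for password+OTP points at the proxy's validation against privacyIDEA rather than at FreeRADIUS, and the proxy log entry written for that bind shows which user and realm it resolved and what /validate/check answered; the reverse (FreeRADIUS fails while the direct bind succeeds) points at the RADIUS LDAP module configuration.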

Please note that you need at least Python 2.7 to run privacyIDEA.
I am not sure which version RHEL 4.8 ships.

Yes, I run with Python 2.7.5.

Hi and welcome to the community!

Do I understand correctly that you configured FreeRADIUS to authenticate users via the LDAP proxy, and FreeRADIUS does not accept your username and password+otp? In this case, the LDAP proxy logfile should give more information.