PrivacyIDEA LDAP-Proxy

ldap

#1

DE:
Hello

I need support installing the LDAP proxy for privacyIDEA. How do I have to proceed so that it works in the end?

Best regards, calgia

EN:
Hello

I need assistance installing the LDAP proxy for privacyIDEA. How do I have to proceed so that it works in the end?

Greetings, calgia


#2

Hello Calgia,

the LDAP proxy is a sophisticated piece of software for very special use cases. It sits in the communication between your application, your ldap directory and privacyIDEA. Thus there is no default howto to do this.
Each application could issue its ldap requests in different ways.

  1. You should understand how your application works in regards to ldap.
  2. You can read the example configuration file. It is well documented.

Kind regards
Cornelius


#3

Hello Cornelius

Thank you for your response.

With the help of my good colleagues from work it should work now, but I have another problem: I am searching for the privacyIDEA credential provider MSI to download (and test) it. Is there a way to get the application for free to test it?

Greetings, gian duri (full first name)


#4

Hi

In the graphic interface the user is admin. The inserted user for privacyIDEA is adm_pi, the user for the proxy is adm_pilp, the domain is ludochur.ch, the connection method is NTLM so I had to use LUDOCHUR\adm_pi. The structure is the following (each indentation level is a subfolder):

LUDOCHUR
    USER
        USR
        ADM

The Active Directory server has the IP x.x.x.2
The privacyIDEA server has the IP x.x.x.4
The privacyIDEA LDAP proxy is on the same server

How do I have to configure the proxy.ini file now so that the connection works?

Greetings, calgia


#5

Hi calgia,

please have a look at the commented example proxy config here. In your case, the AD would be the LDAP backend, which is configured in the [ldap-backend] section. The proxy service account needs to be configured in the [service-account]. I think you can use the dn = "domain\username" syntax here.

Do you also want to use the domain\username syntax for binds against the LDAP proxy? If yes, I think you have to use the match strategy to map incoming bind DNs to privacyIDEA user names. Something like

[user-mapping]
strategy = match
pattern = "(?i)domain\\(.+)"

should work. This would convert an incoming bind DN like domain\someuser to the privacyIDEA username someuser.

Best Wishes

Friedrich
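An added illustration (not the proxy's own code) of how the match strategy above turns an incoming bind DN into a privacyIDEA username. It assumes the proxy applies the regex to the bind DN and takes capture group 1, and that the surrounding quotes of the INI value are stripped; the INI text is a constructed fragment based on the example above.

```python
import configparser
import re
from typing import Optional

# Constructed proxy.ini fragment mirroring the [user-mapping] example above.
# Inside the INI value, "\\" stands for one literal backslash in the regex.
PROXY_INI = r'''
[user-mapping]
strategy = match
pattern = "(?i)domain\\(.+)"
'''


def load_pattern(ini_text: str) -> re.Pattern:
    """Parse the [user-mapping] section and compile its regex pattern."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    section = cfg["user-mapping"]
    if section["strategy"] != "match":
        raise ValueError("only the 'match' strategy is illustrated here")
    # Assumption: the proxy strips the quotes around the pattern value.
    raw = section["pattern"].strip('"')
    return re.compile(raw)


def map_bind_dn(pattern: re.Pattern, bind_dn: str) -> Optional[str]:
    """Return the privacyIDEA username (capture group 1) for a bind DN,
    or None when the DN does not match the configured pattern."""
    m = pattern.match(bind_dn)
    if not m:
        return None
    return m.group(1)


if __name__ == "__main__":
    pat = load_pattern(PROXY_INI)
    # (?i) makes the domain part case-insensitive; the user part is kept as sent.
    for dn in ("domain\\someuser", "DOMAIN\\Alice", "cn=someuser,dc=ludochur,dc=ch"):
        print(f"{dn!r:40} -> {map_bind_dn(pat, dn)!r}")
```

A DN that does not match (the last sample, a full DN instead of domain\user) yields None, i.e. no username to check against privacyIDEA.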


#7

Hello

I have now configured it so that all works. The only thing that doesn't work is the LDAP search. I get the message that 0 users are found…

What have I done wrong?

Greetings, calgia


#8

Hi calgia,

nice to hear you got it running. You should have a look at the LDAP proxy log. If you are running it via systemd, you can use journalctl -b -u privacyidea-ldap-proxy.service. Does ldapsearch give any output in addition to that? What user are you using in the ldapsearch call? I would guess that either the base DN passed to ldapsearch is wrong, or the user does not have the permissions to perform searches.

Best Wishes

Friedrich


#9

Your command gives – no entries –

I've seen a proxy.ini in privacyidea-ldap-proxy/develop/ubuntu-config
but no config.ini. I've configured it like the following:

[privacyidea]
instance = 10…0.0.2

[ldap-backend]
endpoint = 10.0.0.2 tcp:host=10.0.0.2:port=389
use-tls = false

[service-account]
dn = “cn=PRIVACY IDEA LDAP Proxy,ou=adm,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”
password = xxx$xxxx

[ldap-proxy]
endpoint = tcp:port=1389
passtrought-binds = “cn=PRIVACY IDEA LDAP Proxy,ou=admin,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”,“cn=PRIVACY IDEA,ou=adm,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”
bind-service-account = false
allow-search = false
allow-connection-reuse = false
ignore-search-result-references = false
forward-anonym-bind = false

[user-mapping]
strategy = match
pattern = “cn([^,]+),ou=usr,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”

Since I have now checked how it wants the username in this format, I have set it up accordingly.

User        username
admin_pi    PRIVACY IDEA
admin_pilp  PRIVACY IDEA LDAP Proxy

I haven't made any other changes.

The test script is always positive and works 100%.
When I start the proxy using the command, I just get the normal words, but for me it is not really clear if it has now started the proxy or not.

thank you for your help!

calgia



#11

Hi calgia,

are these the actual contents of the proxy.ini? If yes, there may be problems due to some typos, e.g. the instance option has some extra dots, and there is a passtrought-binds instead of passthrough-binds. The endpoint setting in [ldap-backend] looks incorrect as well.

In order to have LDAP search requests forwarded to the LDAP backend, you need to set allow-search to true.

I’m not sure how you’re starting the LDAP proxy – are you using the twistd -n ldap-proxy -c proxy.ini command? If yes, you should get some helpful logging on stdout.

Best Regards

Friedrich