PrivacyIDEA LDAP-Proxy

DE:
Good day

I need support installing the LDAP proxy for privacyIDEA. How must I proceed so that it works in the end?

Regards, calgia

EN:
Hello

I need assistance installing the LDAP proxy for privacyIDEA. How do I have to do that so that it works in the end?

Greetings, calgia

Hello Calgia,

the LDAP proxy is a sophisticated piece of software for very special use cases. It sits in the communication between your application, your ldap directory and privacyIDEA. Thus there is no default howto to do this.
Each application could issue its ldap requests in different ways.

  1. You should understand how your application works in regards to ldap.
  2. You can read the example configuration file. It is well documented.

Kind regards
Cornelius

Hello Cornelius

Thank you for your response.

With the help of my good colleagues from work it should work now, but I have another problem: I am searching for the privacyIDEA Credential Provider MSI to download (and test) it. Is there a way to get the application for free to test it?

Greetings, gian duri (full first name)

Hi

In the graphical interface the user is admin. The user entered for privacyIDEA is adm_pi, the user for the proxy is adm_pilp, the domain is ludochur.ch, the connection method is NTLM so I had to use LUDOCHUR\adm_pi, and the structure is the following (each indentation level is a subfolder):

LUDOCHUR
    USER
        USR
        ADM

The Active Directory server has the IP x.x.x.2
The privacyIDEA server has the IP x.x.x.4
The privacyIDEA LDAP proxy is on the same server

How do I now have to configure the proxy.ini file so that the connection works?

Greetings, calgia

Hi calgia,

please have a look at the commented example proxy config here. In your case, the AD would be the LDAP backend, which is configured in the [ldap-backend] section. The proxy service account needs to be configured in the [service-account]. I think you can use the dn = "domain\username" syntax here.

Do you also want to use the domain\username syntax for binds against the LDAP proxy? If yes, I think you have to use the match strategy to map incoming bind DNs to privacyIDEA user names. Something like

[user-mapping]
strategy = match
pattern = "(?i)domain\\(.+)"

should work. This would convert an incoming bind DN like domain\someuser to the privacyIDEA username someuser.

Best Wishes

Friedrich
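As an added illustration (not code from this thread or from the privacyidea-ldap-proxy project) of what the match strategy above does: a hypothetical Python stand-in that reads the [user-mapping] section and applies the regex to incoming bind DNs. It assumes, as the proxy's example config suggests, that the first capture group becomes the privacyIDEA username, that the loader strips surrounding quotes but leaves backslashes untouched, and that a DN the pattern does not match is rejected rather than forwarded; the domain name LUDOCHUR and the sample DNs are taken from or constructed for this thread.

```python
import configparser
import re
from typing import Optional

# Constructed config fragment mirroring the [user-mapping] section discussed above.
# The real proxy loads its ini with configobj; this helper only models the match strategy.
PROXY_INI = r'''
[user-mapping]
strategy = match
pattern = "(?i)LUDOCHUR\\(.+)"
'''


def load_mapping(ini_text: str) -> "re.Pattern[str]":
    """Read strategy/pattern from the ini text and compile the regex."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    section = cfg["user-mapping"]
    if section["strategy"] != "match":
        raise ValueError("this helper only models strategy = match")
    # Assumption: the loader strips the surrounding quotes but does not
    # unescape backslashes, so "\\" reaches the regex engine as a two-character
    # sequence meaning one literal backslash.
    pattern = section["pattern"].strip().strip('"')
    return re.compile(pattern)


def map_bind_dn(regex: "re.Pattern[str]", bind_dn: str) -> Optional[str]:
    """Return the privacyIDEA username (first capture group), or None if the bind DN is rejected."""
    match = regex.match(bind_dn)
    if match is None or not match.groups():
        return None
    return match.group(1)


if __name__ == "__main__":
    mapping = load_mapping(PROXY_INI)
    # Constructed sample bind DNs: two domain\user style binds and one plain DN.
    for dn in ["LUDOCHUR\\adm_pi", "ludochur\\someuser", "cn=someuser,dc=ludochur,dc=ch"]:
        print(f"{dn!r} -> {map_bind_dn(mapping, dn)!r}")
```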

Hello

I have now configured it so that everything works. The only thing that doesn't work is the LDAP search. I get the message that 0 users are found…

What have I done wrong?

Greetings, calgia

Hi calgia,

nice to hear you got it running. You should have a look at the LDAP proxy log. If you are running it via systemd, you can use journalctl -b -u privacyidea-ldap-proxy.service. Does ldapsearch give any output in addition to that? What user are you using in the ldapsearch call? I would guess that either the base DN passed to ldapsearch is wrong, or the user does not have the permissions to perform searches.

Best Wishes

Friedrich

Your command gives a – no entries –

I saw a proxy.ini in privacyidea-ldap-proxy/develop/ubuntu-config
but no config.ini. I configured it like the following:

[privacyidea]
instance = 10…0.0.2

[ldap-backend]
endpoint = 10.0.0.2 tcp:host=10.0.0.2:port=389
use-tls = false

[service-account]
dn = “cn=PRIVACY IDEA LDAP Proxy,ou=adm,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”
password = xxx$xxxx

[ldap-proxy]
endpoint = tcp:port=1389
passtrought-binds = “cn=PRIVACY IDEA LDAP Proxy,ou=admin,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”,“cn=PRIVACY IDEA,ou=adm,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”
bind-service-account = false
allow-search = false
allow-connection-reuse = false
ignore-search-result-references = false
forward-anonym-bind = false

[user-mapping]
strategy = match
pattern = “cn([^,]+),ou=usr,ou=user,ou=LUDOCHUR,dc=ludochur,dc=ch”

Since I have now checked which format it wants the username in, I have set it up accordingly.

User        Username
admin_pi    PRIVACY IDEA
admin_pilp  PRIVACY IDEA LDAP Proxy

I have not made any other changes.

The test script is always positive and works 100%.
When I start the proxy using the command, I just get the normal output, but it is not really clear to me whether it has now started the proxy or not.

Thank you for your help!

calgia

Hi calgia,

are these the actual contents of the proxy.ini? If yes, there may be problems due to some typos, e.g. the instance option has some extra dots, and there is a passtrought-binds instead of passthrough-binds. The endpoint setting in [ldap-backend] looks incorrect as well.

In order to have LDAP search requests forwarded to the LDAP backend, you need to set allow-search to true.

I’m not sure how you’re starting the LDAP proxy – are you using the twistd -n ldap-proxy -c proxy.ini command? If yes, you should get some helpful logging on stdout.

Best Regards

Friedrich

Hi Friedrich

I'm now back from the holidays. I have checked everything and made the configurations.

The application looks like it runs, but it doesn't find any users in the Active Directory. When I go to the interface, log in with admin and the password, go to config --> users --> ldapresolver and test it, it says the config seems OK but 0 users found.

Thank you for your help!

Greetings, calgia

Hi calgia,

I’m not sure what application you are referring to - do you mean privacyIDEA? If the LDAP resolver config seems ok but it doesn’t find any users, most likely the base DN or the search filter are wrong?

Best Regards

Friedrich

Hi Friedrich

I start the proxy on my Linux machine and go to the privacyIDEA web interface, to the LDAP resolver, and test the connection.

Then it says that the config is OK but no users found.

Greetings, calgia

So your user resolver in privacyIDEA does not work.
This has nothing to do with the LDAP proxy!
The user resolver does not connect to the LDAP proxy, but to the original LDAP!

[ Application ] ----> [ LDAP Proxy ] ----> [ privacyIDEA ] ----> [ Original LDAP ]

How can I create the correct resolver? When I go to config --> ldapresolver --> users I can define the LDAP resolver. Where in the application do I have to do that?

Hi calgia,

sorry, I think I don’t really have the correct mental model of your usecase for the LDAP proxy. Am I right to assume you have set up privacyIDEA and you have your users in an Active Directory? You only need the LDAP proxy if you want to integrate an application that uses LDAP for authentication and for which no privacyIDEA plugin exists. What kind of application are you trying to integrate?

Best Regards

Friedrich

Hi, I want to import the users from the Active Directory. On the internet they say I have to use the LDAP proxy for this to work. So finally I want to import the users from the LDAP to configure the two-factor authentication.

Hi Calgia,

forget about the LDAP proxy.

First you need to define an LDAP resolver and create your first realm from this resolver.
Please take a look at this video, where a resolver and a realm are defined:

You are free to choose simple bind instead of ntlm authentication.

Kind regards
Cornelius

Hi Cornelius

The CSS of the page is gone everywhere on my computer, no matter which internet browser I use.

I'm now in education and only 3 days/week at work… The resolver is configured as it is written in the video. I have tried both, simple AND NTLM, and with both it doesn't show me any users.

Server URL: ldap://10.0.0.2
Base DN:    ou=LUDOCHUR,ou=USER,ou=USR,dc=ludochur,dc=ch
Bind DN:    cn=PRIVACY IDEA,ou=LUDOCHUR,ou=USER,ou=ADM,dc=ludochur,dc=ch

My Active Directory looks like the following:

OU LUDOCHUR
    OU DEVICES
    OU USERS
        OU ADM (all administrator accounts, also the privacyIDEA users for LDAP and proxy)
        OU USR (all users from the company)

NetBIOS domain = LUDOCHUR
Tree domain (root domain) = ludochur.ch

I hope you can help me… :)

Greetings, calgia

Yes, discourse has a little problem here. Asking to fix this…

Is your authentication successful?
Did you specify the AD attributes?
I would recommend, as always, reducing the complexity of a problem! You can reduce complexity here by using a simpler base DN like dc=ludochur,dc=ch or ou=usr,dc=ludochur,dc=ch.

Kind regards
Cornelius