privacyIDEA to Active Directory Integration


#1

Hi guys,

Just wanted to ask you experts if you have any “HowTo’s” or a step-by-step guide on allowing privacyIDEA to work with Active Directory, and how I can obtain the privacyIDEA Credential Provider?

Appreciate your help on this one.


#2

“Work with Active Directory” is not very precise.

The most common way is that users are read from AD. For this you will need to create an LDAP resolver to Active Directory. Check https://privacyidea.readthedocs.io for how to configure LDAP resolvers.

Active Directory is a Kerberos service. Kerberos cannot work out of the box with one-time passwords. (I once gave a German talk about that - it can be found on YouTube.)
This is why there is the Credential Provider, which adds the OTP to the Windows password.
The user needs to enter his AD password (which is used for Kerberos auth and getting the TGT), and in addition he has to enter the OTP, which is verified by privacyIDEA.

Our company NetKnights provides the Credential Provider with a service level agreement on top of the SLA for privacyIDEA itself.
However, everybody is free to compile and run the Credential Provider code, which can be found on GitHub under an open source license.

Hope this helps to clarify things and to understand what is for free and what is not.
Kind regards
Cornelius