Problem with locked Account in Active Directory

Hello,

I have a problem authenticating users against Active Directory. We use LDAP to connect to Active Directory and otppin is set to userstore. Normally everything works fine and as expected. Only if the user provides a wrong password, the account gets locked very fast because privacyIDEA tries to connect two times to AD.

In the log:

[2020-04-02 13:35:08,098][55246][140400622737152][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:354] failed to check password for u'beceef53-46e8-4df3-b606-cb949458dcf7'/u'CN=Test User,OU=Test,OU=Accounts,OU=DUS,DC=CF,DC=de': Exception('Wrong credentials',)
[2020-04-02 13:35:08,107][55246][140400622737152][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:354] failed to check password for u'beceef53-46e8-4df3-b606-cb949458dcf7'/u'CN=Test User,OU=Test,OU=Accounts,OU=DUS,DC=CF,DC=de': LDAPPasswordIsMandatoryError('password is mandatory in simple bind',)

Can someone help?

My Version of privacyIDEA is 3.2.2.

Regards,
Markus

Hello @cuf
welcome to the community. I am looking forward to you becoming a helpful member of the community.

This very much depends on your settings and setup.
Often RADIUS is a beast, since it does round robin and retries. Retries can be evil - like locking the account quickly.

Hi @cornelinux,

thank you for your quick answer. What I can't understand is why the error on the first attempt is
('Wrong credentials',)
and on the second
LDAPPasswordIsMandatoryError('password is mandatory in simple bind',)

Sounds like there are two tries with LDAP.

Regards,
Markus

This is all wild guessing here, since we do not know anything about your setup.

If the user had two tokens, like one HOTP token and one SPASS token, and if the user typed in 123456,

then privacyIDEA would check

  1. SPASS token -> PIN=123456, OTP=None
    -> auth against AD with 123456 => Fail

  2. HOTP token -> PIN=None, OTP=123456
    -> auth against AD with None => password is mandatory.

But as I said, this is wild guessing.

Hello,

we have a similar problem in our setup and I found this topic. Users have only one token, and when the user enters a wrong password then privacyIDEA tries to authenticate twice against AD. If I increase the logging level to debug then I see that the first time it found my username and tried to authenticate
User 'markko' from realm 'realm' tries to authenticate

Then it got an error because of the wrong password
failed to check password for ...: Exception('Wrong credentials',)
user User(login='markko', realm='realm', resolver='realm-users...failed to authenticate.
Exiting check_password with result None

And then went on
Splitting the an OTP value of length 6 from the password.
Entering get_from_config with arguments () and keywords {'key': 'PrependPin', 'default': False, 'return_bool': True}
Exiting get_from_config with result True
PIN prepended. PIN length is 3, OTP length is 3.
Entering match_policies with arguments ...

User 'markko' from realm 'realm' tries to authenticate

and there it is, another try to authenticate. If the user gives the correct password then there is only one try. The problem is not RADIUS, and the policy for authentication is {"challenge_response": "totp", "otppin": "userstore"}. Any idea why it tries to authenticate the second time, and can we tweak the configuration somewhere to avoid that?

Regards,
Markko

@sasilik You did not specify both log messages! You somehow ditched the 2nd one. So how should we know?

And we do not know anything about your configuration, so there is no way to tell. Look closely at both log messages!

@cornelinux, what do you mean by "I did not specify both log messages"? There are two places where privacyIDEA tries to authenticate my user, and the lines from the log file are both - User 'markko' from realm 'realm' tries to authenticate
and right after that it gets the wrong password error. I did not put the second error here because it is the same.
I can also provide more information about the configuration if that is relevant, but I don't know right now what part of it may be relevant. All I see in the log file is that if the user gives the right password then all is ok. If not, then privacyIDEA tries to authenticate the user twice for some reason.

The reason for the double authentication is known; privacyIDEA just works that way. If it can't authenticate the first time then it assumes that the user did not give just a password but password and OTP together, removes the last 6 symbols and tries to authenticate again. And you get 2 failed authentication attempts for one try.
When reading the documentation I did not find anywhere that this behaviour is configurable. Maybe someone can consider making it so.

It is configured here: 7.3. Authentication policies — privacyIDEA 3.6.2 documentation

Yes, it is configured there, but I don't see any options there to configure it in such a way that privacyIDEA tries to authenticate the user against AD and, if it gets an error back, simply asks for the password again. We use the authentication policy {"challenge_response": "totp", "otppin": "userstore"}, and as I understand it the userstore part means that privacyIDEA expects the user to pass his domain password together with the OTP value. What would be preferable is a situation where privacyIDEA expects only the domain password from the user and verifies only the password without expecting anything else. And only after successful password verification does it go and ask for the OTP value. If there is such an option and I am just unable to understand what is written in the documentation, then can you point out more specifically what policy we should use to achieve such a result?

Half yes. It means that the userstore password is interpreted as OTP PIN, the static value.
Depending on the authentication flow this can be:

Variant A:

  1. step: AD-PW + OTP

or
Variant B:

  1. step: AD-PW
  2. step: OTP

As you configured challenge_response: totp, this means that a TOTP token (which usually works in variant A, see above) may in addition also be used in variant B.

Thus it checks the AD password once for variant A and once for variant B, since privacyIDEA cannot know what the user is doing.

This would be variant B, but you can not turn off variant A!

Or you have to implement this in your application.
E.g. a lot of VPNs work this way: they can be configured to first verify the user against LDAP (no privacyIDEA) and then authenticate the user via RADIUS (with privacyIDEA and in this case otppin=None).
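The following is an added simulation, not privacyIDEA's own code and not posted by anyone in this thread. It models the two-token guess above (SPASS plus HOTP with a 6-digit input) and the variant A / variant B explanation in one place: with otppin=userstore, one user input can cause one bind against AD with the whole input (variant B) and a second bind with the last 6 characters split off (variant A), so a single typo burns two bad-password counts against the account, and a 6-character input leaves an empty password for the second bind, which is exactly the "password is mandatory in simple bind" error in the log. The check order (B before A), the FakeDirectory class, the DN, the password "Secret1!" and the lockout threshold of 3 are all assumptions made for this example.

```python
"""Constructed simulation (not privacyIDEA code) of the double AD bind discussed
in this thread.  The order of the two checks and the fake directory's lockout
rules are assumptions chosen to reproduce the log lines quoted above."""

OTP_LEN = 6  # number of characters privacyIDEA splits off as the OTP value


class LDAPPasswordIsMandatoryError(Exception):
    """Stand-in for the ldap3 error: a simple bind with an empty password is
    refused on the client side, so it never reaches the domain controller."""


class FakeDirectory:
    """Constructed stand-in for Active Directory with a bad-password counter."""

    def __init__(self, passwords, lockout_threshold=3):
        self.passwords = passwords                    # {dn: password}
        self.lockout_threshold = lockout_threshold    # assumed AD lockout policy
        self.bad_count = {dn: 0 for dn in passwords}
        self.bind_log = []                            # binds that reached the "DC"

    def is_locked(self, dn):
        return self.bad_count.get(dn, 0) >= self.lockout_threshold

    def simple_bind(self, dn, password):
        if not password:
            raise LDAPPasswordIsMandatoryError("password is mandatory in simple bind")
        self.bind_log.append((dn, password))
        if self.is_locked(dn):
            return False              # a locked account fails even with the right password
        if self.passwords.get(dn) == password:
            return True
        self.bad_count[dn] += 1       # every wrong bind counts towards lockout
        return False


def _bind_outcome(directory, dn, password):
    """Map a bind to the same three outcomes that appear in the thread's log."""
    try:
        return "ok" if directory.simple_bind(dn, password) else "Wrong credentials"
    except LDAPPasswordIsMandatoryError as exc:
        return type(exc).__name__


def check_userstore_pin(directory, dn, submitted, otp_len=OTP_LEN):
    """Model the two checks for one token with otppin=userstore.

    Returns [(variant, outcome), ...] in the order tried.  Assumed order:
    variant B first (whole input is the AD password, OTP would follow as a
    challenge), then variant A (input is AD password + OTP in one step)."""
    results = []
    outcome = _bind_outcome(directory, dn, submitted)
    results.append(("B", outcome))
    if outcome == "ok":
        return results                # a challenge would be issued; no second bind
    # Variant A: the trailing otp_len characters are the OTP, the rest is the PIN.
    # A 6-character input leaves an empty PIN, hence the "password is mandatory" error.
    pin = submitted[:-otp_len] if len(submitted) > otp_len else ""
    results.append(("A", _bind_outcome(directory, dn, pin)))
    return results


def failed_binds_for(directory, dn):
    return directory.bad_count.get(dn, 0)


if __name__ == "__main__":
    dn = "CN=Test User,OU=Test,OU=Accounts,OU=DUS,DC=CF,DC=de"
    ad = FakeDirectory({dn: "Secret1!"}, lockout_threshold=3)
    print(check_userstore_pin(ad, dn, "123456"))    # Wrong credentials, then password is mandatory
    print(check_userstore_pin(ad, dn, "Wrong123"))  # two bad binds for one user mistake
    print("bad binds:", failed_binds_for(ad, dn), "locked:", ad.is_locked(dn))
    print(check_userstore_pin(ad, dn, "Secret1!"))  # account is locked: correct password now fails
```

Run as-is and the first call reproduces the two log lines from the opening post (wrong credentials, then the client-side mandatory-password error, which does not count as a bad bind), the second call shows that one mistyped 8-character password costs two failed binds, and after those two inputs the account is already locked with a threshold of 3. Note that in this model a correct variant A input ("Secret1!" followed by a 6-digit OTP) also registers one bad bind, because the variant B check with the whole string fails first; whether that matches your installation depends on the actual check order, which this simulation only assumes.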

Thank you for clarifying.


Here are some more details about authentication flows - which are actually called authentication modes:
https://privacyidea.readthedocs.io/en/latest/tokens/authentication_modes.html