Replace LDAP with Radius on privacy idea

Hi everyone.

I’m new to Privacy Idea. I have a scenario where I’ve integrated LDAP with Privacy Idea for 2FA. I want to add only specific users from AD to Privacy Idea but unfortunately, it’s pulling all the users (nearly 15k). Is there any option to import only specific OUs, users, or groups from AD while we integrate it with Privacy Idea?

Moreover, can we integrate RADIUS with Privacy Idea for 2FA just as with LDAP?
Thanks in advance.

Regards,
Gobind.

You can set an LDAP search filter on your User resolver to only pull specific users/groups. Check this out for syntax and examples configuring a search filter. This is an example filter similar to what I use:

(&(objectClass=user)(sn=*)(givenName=*)(mail=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=CN=Denied,OU=VPN Groups,DC=contoso,DC=net)))

This only pulls user objects that have a last name, first name, and an email address, and where the user account is not disabled or a member of the Denied AD group. You can also set a simple one like below that only searches for user objects in a specific group:

(&(objectClass=user)(memberOf=CN=2FA Users,DC=contoso,DC=net))

I would also suggest setting a base DN, which tells the resolver what OU to look in. If you keep all your user accounts in OU=Users,DC=contoso,DC=net and do not set a base DN, the LDAP resolver will search all of AD and pull, for example, service accounts in OU=svc,DC=contoso,DC=net. If you set your base DN to OU=Users,DC=contoso,DC=net, then the LDAP resolver starts at that OU and only searches it and its sub-OUs.

I know you can set up RADIUS tokens which forward the authentication request to another RADIUS server. If you are wanting to use RADIUS as the user store…maybe set up a Flatfile resolver, though there are limitations associated with doing that.
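To see exactly which accounts the two filters above would pull, with and without the base DN, here is an added example that is not part of this thread and not privacyIDEA code: a small RFC 4515 filter evaluator covering only the constructs the answer uses (and/or/not, equality, presence, and the AD bitwise-AND extensible match on userAccountControl), run against a constructed in-memory directory. The entries, group DNs and account names are made up for the example; the filter strings are the ones from the answer.

```python
"""Evaluate LDAP resolver search filters against constructed AD-style entries.

Added example (not from the forum thread or from privacyIDEA). Supports
(&...), (|...), (!...), attr=value, presence attr=* and the AD extensible
match attr:1.2.840.113556.1.4.803:=N, plus base-DN subtree scoping.
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE = 0x2                    # userAccountControl bit tested by the filter

def _parse(s, i):
    """Recursive-descent parser; returns (node, index after the closing paren)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":
        i, children = i + 1, []
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", child), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    if ":" in attr:                        # extensible match: attr:rule:=value
        attr, rule = attr.split(":")[:2]
        return ("ext", attr.lower(), rule, value), end + 1
    if value == "*":
        return ("present", attr.lower()), end + 1
    return ("eq", attr.lower(), value), end + 1

def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lowercase attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = [str(v) for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "eq":                        # AD string and DN matching is case-insensitive
        return any(v.lower() == node[2].lower() for v in values)
    if kind == "ext":
        if node[2] != BIT_AND_RULE:
            raise NotImplementedError(f"matching rule {node[2]} not supported")
        mask = int(node[3])
        return any(int(v) & mask == mask for v in values)
    raise ValueError(kind)

def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or anywhere below it (subtree scope); no base DN = whole tree."""
    if base_dn is None:
        return True
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def select_users(entries, filter_text, base_dn=None):
    """Return the sAMAccountNames a resolver would pull for this filter and base DN."""
    node = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in entries
                  if in_subtree(e["dn"], base_dn) and matches(node, e))

# Constructed sample directory (all names and DNs are made up for this example).
def _user(dn, sam, uac=512, groups=(), **extra):
    e = {"dn": dn, "objectclass": ["top", "person", "organizationalPerson", "user"],
         "samaccountname": [sam], "useraccountcontrol": [uac], "memberof": list(groups)}
    e.update({k.lower(): [v] for k, v in extra.items()})
    return e

GROUP_2FA = "CN=2FA Users,DC=contoso,DC=net"
GROUP_DENIED = "CN=Denied,OU=VPN Groups,DC=contoso,DC=net"
SAMPLE_ENTRIES = [
    _user("CN=alice,OU=Users,DC=contoso,DC=net", "alice", groups=[GROUP_2FA],
          sn="Smith", givenName="Alice", mail="alice@contoso.net"),
    _user("CN=bob,OU=Users,DC=contoso,DC=net", "bob", groups=[GROUP_2FA],
          sn="Jones", givenName="Bob"),                       # no mail attribute
    _user("CN=carol,OU=Users,DC=contoso,DC=net", "carol", uac=512 | UF_ACCOUNTDISABLE,
          sn="Lee", givenName="Carol", mail="carol@contoso.net"),  # disabled account
    _user("CN=dave,OU=Users,DC=contoso,DC=net", "dave", groups=[GROUP_DENIED],
          sn="Kim", givenName="Dave", mail="dave@contoso.net"),
    _user("CN=svc-backup,OU=svc,DC=contoso,DC=net", "svc-backup", uac=66048,
          sn="Backup", givenName="Service", mail="backup@contoso.net"),  # outside OU=Users
]

ANSWER_FILTER = ("(&(objectClass=user)(sn=*)(givenName=*)(mail=*)"
                 "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
                 "(!(memberOf=CN=Denied,OU=VPN Groups,DC=contoso,DC=net)))")
GROUP_FILTER = "(&(objectClass=user)(memberOf=CN=2FA Users,DC=contoso,DC=net))"

if __name__ == "__main__":
    print("filter, no base DN:  ", select_users(SAMPLE_ENTRIES, ANSWER_FILTER))
    print("filter + Users base: ", select_users(SAMPLE_ENTRIES, ANSWER_FILTER, "OU=Users,DC=contoso,DC=net"))
    print("group-only filter:   ", select_users(SAMPLE_ENTRIES, GROUP_FILTER))
```

Running it shows the point of the base DN: the first filter alone pulls the service account from OU=svc as well as alice, while adding OU=Users as the base DN leaves only alice. The group-only filter pulls alice and bob, since it does not require a mail attribute. Before trusting a filter in production, confirm the same result against the real directory with ldapsearch using the identical base DN and filter string.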