Hi,
I’m using kolab as my local mailserver for a single domain, so I already
have a userstore in LDAP. It was easy to add that LDAP server into
privacyidea - just create an LDAP resolver, press “Preset OpenLDAP”. Things
to note:
- Base DN: I used ou=People,dc=example,dc=com
- UID Type: 389-ds doesn’t have entryUUID, so I used DN. According to
  https://bugzilla.redhat.com/show_bug.cgi?id=220222 one might use
  nsUniqueId, but I didn’t like seeing ‘random numbers’ as identifiers.
After that I have my LDAP users available in privacyidea. Maybe it’s
interesting for other users to have this documented somewhere.
If you try to use UID Type ‘entryUUID’ with 389-ds a resolver test works
fine (it finds the correct users), but when I try to assign a token I get
"ERR905: The user can not be found in any resolver in this realm!".
It might be useful to have the resolver test warn if all ID fields are
empty.
[I run Ubuntu 14.04 with the packages from http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu]
Another buglet I just saw when reading the documentation at
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.html#ldap-resolver
,----
| .. note:: When using bind type “Simple” you need to specify the Bind DN like
| cn=administrator,cn=users,dc=domain,dc=name. When using bind type “NTLM”
| you need to specify Bind DN like DOMAINNAME\username.
`----
In the rendered page we see only DOMAINNAMusername. I guess we need
DOMAINNAME\username here.
Jochen
PS: thanks for your workshop @Froscon - it got me to think about 2FA and
trying different uses for it.
The only problem with troubleshooting is that the trouble shoots back.
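The resolver-test gap described in the mail above (users are "found", yet the configured ID field is empty, so token assignment later fails with ERR905), as an added example that is not from the mail or from the privacyIDEA project. It assumes search results in the shape the ldap3 library returns (a list of dicts with "dn" and "attributes"), constructed inline here for two 389-ds style entries.

```python
from typing import Dict, List

def user_id(entry: Dict, uid_type: str) -> str:
    """Identifier the resolver would key this user by for the given UID Type."""
    if uid_type.lower() == "dn":
        return entry["dn"]
    values = entry["attributes"].get(uid_type, [])
    if isinstance(values, str):
        values = [values]
    return values[0] if values else ""

def check_resolver(entries: List[Dict], uid_type: str) -> Dict:
    """Mimic a resolver test, but also flag users whose ID field is empty.

    Returns {"found": n, "missing_id": [logins], "warning": text-or-empty}.
    A plain resolver test only reports "found", which is why entryUUID on
    389-ds looks fine until a token assignment fails with ERR905.
    """
    missing = []
    for e in entries:
        login = e["attributes"].get("uid", ["?"])[0]
        if not user_id(e, uid_type):
            missing.append(login)
    if not entries or not missing:
        warning = ""
    elif len(missing) == len(entries):
        warning = f"all {len(entries)} users have an empty '{uid_type}' ID field"
    else:
        warning = f"{len(missing)} of {len(entries)} users have an empty '{uid_type}' ID field"
    return {"found": len(entries), "missing_id": missing, "warning": warning}

# Constructed sample (not real directory data) in the shape ldap3 returns:
# two 389-ds style entries that carry nsUniqueId and a DN but no entryUUID.
SAMPLE_389DS = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "attributes": {"uid": ["alice"], "nsUniqueId": ["0a1b2c3d-11112222-33334444-55556666"]}},
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "attributes": {"uid": ["bob"], "nsUniqueId": ["0a1b2c3e-11112222-33334444-55556666"]}},
]

if __name__ == "__main__":
    for uid_type in ("entryUUID", "nsUniqueId", "DN"):
        r = check_resolver(SAMPLE_389DS, uid_type)
        print(f"UID Type {uid_type:10s}: {r['found']} users found; {r['warning'] or 'OK'}")
```

Against live data, replace SAMPLE_389DS with the result of an ldap3 search over your Base DN and run the same check before saving the resolver.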