Using kolab/389-ds with privacyidea as userstore

Hi,

I’m using kolab as my local mailserver for a single domain, so I already
have a userstore in LDAP. It was easy to add that LDAP server into
privacy - just create a LDAP resolver, press “Preset OpenLDAP”. Things
to note:

  • Base DN: I used ou=People,dc=example,dc=com

  • UID Type: 389-ds doesn’t have entryUUID, so I used DN. According to
    https://bugzilla.redhat.com/show_bug.cgi?id=220222 one might use
    nsUniqueId, but I didn’t like seeing ‘random numbers’ as identifiers.

After that I have my LDAP users available in privacyidea. Maybe it’s
interesting for other users to have this documented somewhere.

If you try to use UID Type ‘entryUUID’ with 389-ds a resolver test works
fine (it find’s the correct users), but when I try to assign a token I get
"ERR905: The user can not be found in any resolver in this realm!".
It might be useful to have the resolver test warn if all ID fields are
empty.

[I run Ubuntu 14.04 with the packages from http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu]

Another buglet I just saw when reading the documentation at
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.html#ldap-resolver,----
| … note:: When using bind type “Simple” you need to specify the Bind DN like
| cn=administrator,cn=users,dc=domain,dc=name. When using bind type “NTLM”
| you need to specify Bind DN like DOMAINNAME\username.
`----

In the rendered page we see only DOMAINNAMusername. I guess we neet
DOMAINNAME\username here.

Jochen

PS: thanks for your workshop @Froscon - it got me to think about 2FA and
trying different uses for it.

The only problem with troubleshooting is that the trouble shoots back.

Hallo Cornelius,

If you like to, you can add an issue at github for the
UID-Type-checking.

Filed as https://github.com/privacyidea/privacyidea/issues/183.

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

Hello Jochen,

thanks a lot for the feedback.

If you like to, you can add an issue at github for the
UID-Type-checking.

Kind regards
CorneliusAm Montag, den 31.08.2015, 21:59 +0200 schrieb Jochen Hein:

Hi,

I’m using kolab as my local mailserver for a single domain, so I already
have a userstore in LDAP. It was easy to add that LDAP server into
privacy - just create a LDAP resolver, press “Preset OpenLDAP”. Things
to note:

  • Base DN: I used ou=People,dc=example,dc=com

  • UID Type: 389-ds doesn’t have entryUUID, so I used DN. According to
    https://bugzilla.redhat.com/show_bug.cgi?id=220222 one might use
    nsUniqueId, but I didn’t like seeing ‘random numbers’ as identifiers.

After that I have my LDAP users available in privacyidea. Maybe it’s
interesting for other users to have this documented somewhere.

If you try to use UID Type ‘entryUUID’ with 389-ds a resolver test works
fine (it find’s the correct users), but when I try to assign a token I get
“ERR905: The user can not be found in any resolver in this realm!”.
It might be useful to have the resolver test warn if all ID fields are
empty.

[I run Ubuntu 14.04 with the packages from http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu]

Another buglet I just saw when reading the documentation at
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.html#ldap-resolver

,----
| … note:: When using bind type “Simple” you need to specify the Bind DN like
| cn=administrator,cn=users,dc=domain,dc=name. When using bind type “NTLM”
| you need to specify Bind DN like DOMAINNAME\username.
`----

In the rendered page we see only DOMAINNAMusername. I guess we neet
DOMAINNAME\username here.

Jochen

PS: thanks for your workshop @Froscon - it got me to think about 2FA and
trying different uses for it.

The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Jochen

maybe using the nsUniqueId attribute would fit as unique identifier
compared to the entryUUID. It has a similar value

dn: uid=dhoffend,ou=People,dc=dotlan,dc=net
nsUniqueId: af9ffb81-595011e3-b49eff70-ffdee3c6–
regards
Daniel

On Tuesday, September 1, 2015 at 1:36:47 PM UTC+2, Jochen Hein wrote:

Hi,

I’m using kolab as my local mailserver for a single domain, so I already
have a userstore in LDAP. It was easy to add that LDAP server into
privacy - just create a LDAP resolver, press “Preset OpenLDAP”. Things
to note:

  • Base DN: I used ou=People,dc=example,dc=com

  • UID Type: 389-ds doesn’t have entryUUID, so I used DN. According to
    https://bugzilla.redhat.com/show_bug.cgi?id=220222 one might use
    nsUniqueId, but I didn’t like seeing ‘random numbers’ as identifiers.

After that I have my LDAP users available in privacyidea. Maybe it’s
interesting for other users to have this documented somewhere.

If you try to use UID Type ‘entryUUID’ with 389-ds a resolver test works
fine (it find’s the correct users), but when I try to assign a token I get
"ERR905: The user can not be found in any resolver in this realm!".
It might be useful to have the resolver test warn if all ID fields are
empty.

[I run Ubuntu 14.04 with the packages from http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu]

Another buglet I just saw when reading the documentation at

http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.html#ldap-resolver

,----
| … note:: When using bind type “Simple” you need to specify the Bind DN
like
| cn=administrator,cn=users,dc=domain,dc=name. When using bind type
"NTLM"
| you need to specify Bind DN like DOMAINNAME\username.
`----

In the rendered page we see only DOMAINNAMusername. I guess we neet
DOMAINNAME\username here.

Jochen

PS: thanks for your workshop @Froscon - it got me to think about 2FA and
trying different uses for it.

The only problem with troubleshooting is that the trouble shoots back.