Using kolab/389-ds with privacyidea as userstore

Hi,

I’m using kolab as my local mailserver for a single domain, so I already
have a userstore in LDAP. It was easy to add that LDAP server into
privacyidea - just create an LDAP resolver, press “Preset OpenLDAP”. Things
to note:

  • Base DN: I used ou=People,dc=example,dc=com

  • UID Type: 389-ds doesn’t have entryUUID, so I used DN. According to
    https://bugzilla.redhat.com/show_bug.cgi?id=220222 one might use
    nsUniqueId, but I didn’t like seeing ‘random numbers’ as identifiers.

After that I have my LDAP users available in privacyidea. Maybe it’s
interesting for other users to have this documented somewhere.

If you try to use UID Type ‘entryUUID’ with 389-ds a resolver test works
fine (it finds the correct users), but when I try to assign a token I get
"ERR905: The user can not be found in any resolver in this realm!".
It might be useful to have the resolver test warn if all ID fields are
empty.

[I run Ubuntu 14.04 with the packages from http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu]

Another buglet I just saw when reading the documentation at
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.html#ldap-resolver

,----
| … note:: When using bind type “Simple” you need to specify the Bind DN like
| cn=administrator,cn=users,dc=domain,dc=name. When using bind type “NTLM”
| you need to specify Bind DN like DOMAINNAME\username.
`----

In the rendered page we see only DOMAINNAMusername. I guess we need
DOMAINNAME\username here.

Jochen

PS: thanks for your workshop @Froscon - it got me to think about 2FA and
trying different uses for it.

The only problem with troubleshooting is that the trouble shoots back.

Hello Cornelius,

If you like to, you can add an issue at github for the
UID-Type-checking.

Filed as “error enrolling token is entryUUID is empty in ldapresolver” (Issue #183, privacyidea/privacyidea on GitHub).

Jochen

--
The only problem with troubleshooting is that the trouble shoots back.

Hello Jochen,

thanks a lot for the feedback.

If you like to, you can add an issue at github for the
UID-Type-checking.

Kind regards
Cornelius

On Monday, 31.08.2015, 21:59 +0200, Jochen Hein wrote:

Hi,

I’m using kolab as my local mailserver for a single domain, so I already
have a userstore in LDAP. It was easy to add that LDAP server into
privacyidea - just create an LDAP resolver, press “Preset OpenLDAP”. Things
to note:

  • Base DN: I used ou=People,dc=example,dc=com

  • UID Type: 389-ds doesn’t have entryUUID, so I used DN. According to
    https://bugzilla.redhat.com/show_bug.cgi?id=220222 one might use
    nsUniqueId, but I didn’t like seeing ‘random numbers’ as identifiers.

After that I have my LDAP users available in privacyidea. Maybe it’s
interesting for other users to have this documented somewhere.

If you try to use UID Type ‘entryUUID’ with 389-ds a resolver test works
fine (it finds the correct users), but when I try to assign a token I get
“ERR905: The user can not be found in any resolver in this realm!”.
It might be useful to have the resolver test warn if all ID fields are
empty.

[I run Ubuntu 14.04 with the packages from http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu]

Another buglet I just saw when reading the documentation at
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.html#ldap-resolver

,----
| … note:: When using bind type “Simple” you need to specify the Bind DN like
| cn=administrator,cn=users,dc=domain,dc=name. When using bind type “NTLM”
| you need to specify Bind DN like DOMAINNAME\username.
`----

In the rendered page we see only DOMAINNAMusername. I guess we need
DOMAINNAME\username here.

Jochen

PS: thanks for your workshop @Froscon - it got me to think about 2FA and
trying different uses for it.

The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi Jochen

maybe using the nsUniqueId attribute would fit as unique identifier
compared to the entryUUID. It has a similar value:

dn: uid=dhoffend,ou=People,dc=dotlan,dc=net
nsUniqueId: af9ffb81-595011e3-b49eff70-ffdee3c6

--
regards
Daniel

On Tuesday, September 1, 2015 at 1:36:47 PM UTC+2, Jochen Hein wrote:

Hi,

I’m using kolab as my local mailserver for a single domain, so I already
have a userstore in LDAP. It was easy to add that LDAP server into
privacyidea - just create an LDAP resolver, press “Preset OpenLDAP”. Things
to note:

  • Base DN: I used ou=People,dc=example,dc=com

  • UID Type: 389-ds doesn’t have entryUUID, so I used DN. According to
    https://bugzilla.redhat.com/show_bug.cgi?id=220222 one might use
    nsUniqueId, but I didn’t like seeing ‘random numbers’ as identifiers.

After that I have my LDAP users available in privacyidea. Maybe it’s
interesting for other users to have this documented somewhere.

If you try to use UID Type ‘entryUUID’ with 389-ds a resolver test works
fine (it finds the correct users), but when I try to assign a token I get
“ERR905: The user can not be found in any resolver in this realm!”.
It might be useful to have the resolver test warn if all ID fields are
empty.

[I run Ubuntu 14.04 with the packages from http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu]

Another buglet I just saw when reading the documentation at

http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.html#ldap-resolver

,----
| … note:: When using bind type “Simple” you need to specify the Bind DN like
| cn=administrator,cn=users,dc=domain,dc=name. When using bind type “NTLM”
| you need to specify Bind DN like DOMAINNAME\username.
`----

In the rendered page we see only DOMAINNAMusername. I guess we need
DOMAINNAME\username here.

Jochen

PS: thanks for your workshop @Froscon - it got me to think about 2FA and
trying different uses for it.

The only problem with troubleshooting is that the trouble shoots back.
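As an added example (not from this thread, and not privacyIDEA's own resolver code), here is the kind of offline check Jochen asks the resolver test to do: parse an LDIF export of the user subtree and report every entry that has no value for the chosen UID type. The LDIF below is constructed to mimic a 389-ds subtree, where entryUUID is absent on every user while nsUniqueId (as Daniel suggests) is populated; the DN is always present, so UID type “DN” never produces a warning.

```python
import base64
from typing import Dict, List

# Constructed sample of what `ldapsearch -LLL -b ou=People,dc=example,dc=com`
# might return from a 389-ds server: nsUniqueId on both users, entryUUID on none.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
nsUniqueId: af9ffb81-595011e3-b49eff70-ffdee3c6

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
nsUniqueId: af9ffb82-595011e3-b49eff70-ffdee3c6
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: unfolds continuation lines (leading space), decodes
    base64 values ('::'), skips comments, splits entries on blank lines.
    Attribute names are lower-cased because LDAP attribute names are case-insensitive."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def entries_missing_uid(entries: List[Dict[str, List[str]]], uid_type: str) -> List[str]:
    """DNs of entries with no value for the configured UID type; a resolver test
    could warn when this list is not empty. 'DN' always exists, so it never warns."""
    if uid_type.upper() == "DN":
        return []
    attr = uid_type.lower()
    return [e["dn"][0] for e in entries if not any(v for v in e.get(attr, []))]
```

Run against a real export, `entries_missing_uid(parse_ldif(ldif_text), "entryUUID")` listing every user is exactly the situation that later fails with ERR905 at token assignment.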