Using Privacyidea with FreeIPA - use IPA as userstore

Jochen Hein <@Jochen_Hein> writes:

[ This mail sets the stage for more parts, which will get into technical
details. Comments or suggestions are welcome, possibly we should add
refined texts in the relevant wikis/documentations. - Jochen ]

== Use IPA as our userstore in privacyidea ==

First we need an LDAP user to access the userstore. Store the
following in the file privacyidea-fetch.ldif on your IPA server:

dn: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: top
uid: privacyidea-fetch
userPassword:
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Add the user to FreeIPA's 389-dirsrv [TODO: verify command]:

ldapadd -Y GSSAPI -f privacyidea-fetch.ldif

Define your LDAP resolver in Privacyidea as follows:

Server-URI: ldaps://.example.org
Base-DN: cn=users,cn=accounts,dc=example,dc=org
Bind-DN: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
Bind-Type: simple

Loginname Attribute: uid
Search Filter: (uid=*)(objectClass=inetorgperson)
User Filter: (&(uid=%s)(objectClass=inetOrgPerson))
Attribute Mapping: { "username": "uid", "phone" : "telephoneNumber",
"mobile" : "mobile", "email" : "mail",
"surname" : "sn", "givenname" : "givenName",
"description" : "gecos" }
UID Type: ipaUniqueID

TODO:
Discuss options for UID Type. What should we recommend?
DN seems to work. Changing is a bad idea, because it invalidates the
token assignment to users.

ipaUniqueID has:

[2016-12-23 19:38:47,509][30665][140606770149120][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:211] failed to check password for u'1c2ec066-648e-11e5-84ca-525400fe9f35'/u'uid=jochen,cn=users,cn=accounts,dc=jochen,dc=org': Exception('Wrong credentials',)

TODO: when saving the resolver in privacyidea:

[2016-12-23 21:07:18,437][30665][140606770149120][WARNING][privacyidea.lib.resolver:130] the passed key u'CACHE_TIMEOUT' is not a parameter for the resolver u'ldapresolver'

Wishlist: Use SRV records from DNS to find the LDAP servers.

-- 
The only problem with troubleshooting is that the trouble shoots back.
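Added example, not part of Jochen's mail and not privacyIDEA's own code: it takes the resolver settings from the mail (Search Filter, User Filter, Attribute Mapping, UID Type) and shows, against a few constructed FreeIPA-shaped entries, which objects the search filter selects, what user info the attribute mapping produces, and which attribute the token assignment is keyed on. It assumes that privacyIDEA wraps the Search Filter in an outer `(&...)` and substitutes the login name for `%s` in the User Filter; the login name is escaped per RFC 4515 before substitution, which is the check worth keeping in any code that builds filters from user input. The entries, UUIDs and the tiny filter evaluator are constructed for the example.

```python
"""Evaluate the privacyIDEA LDAP resolver settings from the mail against
constructed FreeIPA-like entries (added example, stdlib only)."""
import re

# Resolver settings as given in the mail.
SEARCH_FILTER = "(uid=*)(objectClass=inetOrgPerson)"
USER_FILTER = "(&(uid=%s)(objectClass=inetOrgPerson))"
ATTRIBUTE_MAPPING = {"username": "uid", "phone": "telephoneNumber",
                     "mobile": "mobile", "email": "mail", "surname": "sn",
                     "givenname": "givenName", "description": "gecos"}
UID_TYPE = "ipaUniqueID"

# Constructed entries shaped like FreeIPA objects (placeholder UUIDs). The
# sysaccount really lives under cn=etc, outside the Base-DN, but it is listed
# here to show that the objectClass filter excludes it anyway.
ENTRIES = [
    {"dn": "uid=jochen,cn=users,cn=accounts,dc=example,dc=org", "uid": "jochen",
     "objectClass": ["inetOrgPerson", "posixAccount", "top"],
     "ipaUniqueID": "00000000-0000-4000-8000-000000000001",
     "sn": "Hein", "givenName": "Jochen", "mail": "jochen@example.org",
     "gecos": "Jochen Hein"},
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=org", "uid": "alice",
     "objectClass": ["inetOrgPerson", "posixAccount", "top"],
     "ipaUniqueID": "00000000-0000-4000-8000-000000000002",
     "sn": "Example", "givenName": "Alice", "mail": "alice@example.org",
     "mobile": "+49 170 0000000", "gecos": "Alice Example"},
    {"dn": "uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org",
     "uid": "privacyidea-fetch",
     "objectClass": ["account", "simpleSecurityObject", "top"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping: the only safe way to put user input into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search_filter():
    # Assumption: privacyIDEA wraps the configured Search Filter in (&...).
    return "(&" + SEARCH_FILTER + ")"


def user_filter(login):
    # Assumption: %s in the User Filter receives the login name.
    return USER_FILTER % escape_filter_value(login)


def _parse(s, i):
    """Parse a filter starting at s[i] == '('; supports &, |, ! and attr=value."""
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.index(")", i)          # ')' inside values is escaped as \29
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _match_value(pattern, actual):
    # Bare '*' is a wildcard; an escaped \2a becomes a literal '*'.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def _values(entry, attr):
    """Case-insensitive attribute lookup returning a list of values."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []


def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    return any(_match_value(value, v) for v in _values(entry, attr))


def matches(filter_str, entry):
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data in filter")
    return _eval(node, entry)


def list_users():
    """Login names the resolver would enumerate with the Search Filter."""
    return [e["uid"] for e in ENTRIES if matches(search_filter(), e)]


def find_user(login):
    """User info dict as the Attribute Mapping produces it, or None."""
    hits = [e for e in ENTRIES if matches(user_filter(login), e)]
    if len(hits) != 1:            # no match, or an ambiguous one
        return None
    entry = hits[0]
    info = {key: _values(entry, attr)[0] if _values(entry, attr) else None
            for key, attr in ATTRIBUTE_MAPPING.items()}
    # Token assignments are keyed on this value; changing UID Type later
    # orphans them, which is the point the mail's TODO makes.
    info["userid"] = _values(entry, UID_TYPE)[0]
    return info


if __name__ == "__main__":
    print("users:", list_users())
    print("jochen:", find_user("jochen"))
    print("wildcard login:", find_user("*"))
```

`find_user("*")` returns None because the escaped login becomes `(uid=\2a)`, a literal match; without the escaping step the same input would turn the User Filter into a wildcard that matches every user, which is why the escape belongs in front of every `%s` substitution.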