Using Privacyidea with FreeIPA - use IPA as userstore

Jochen Hein <@Jochen_Hein> writes:

[ This mail sets the stage for more parts, which will get into technical
details. Comments or suggestions are welcome, possibly we should add
refined texts in the relevant wikis/documentations. - Jochen ]

== Use IPA as our userstore in privacyidea ==

First we need an LDAP user to access the userstore. Store the
following in the file privacyidea-fetch.ldif on you IPA server:

dn: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: top
uid: privacyidea-fetch
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Add the user to FreeIPAs 389-dirsrv [TODO: verify command]:

ldapadd -Y GSSAPI -f privacyidea-fetch.ldif

Define your LDAP resolver in Privacyidea as follows:

Server-URI: ldaps://
Base-DN: cn=users,cn=accounts,dc=example,dc=org
Bind-DN: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
Bind-Type: simple

Loginname Attribute: uid
Search Filter: (uid=*)(objectClass=inetorgperson)
User Filter: (&(uid=%s)(objectClass=inetOrgPerson))
Attribute Mapping: { “username”: “uid”, “phone” : “telephoneNumber”,
“mobile” : “mobile”, “email” : “mail”,
“surname” : “sn”, “givenname” : “givenName”,
“description” : “gecos” }
UID Type: ipaUniqueID

Discuss options for UID Type. What should we recommend?
DN seems to work. Changing is a bad idea, because it invalidates the
token assignment to users.

ipaUniqueID has:

failed to check password for
Exception(‘Wrong credentials’,)

TODO: when saving the resolver in privacyidea:
the passed key u’CACHE_TIMEOUT’ is not a parameter for the resolver

Wishlist: Use SRV records from DNS to find the LDAP servers.–
The only problem with troubleshooting is that the trouble shoots back.