[Freeipa-users] Using Privacyidea with FreeIPA - use IPA as userstore

Jochen Hein jochen at jochen.org
Wed Dec 28 13:09:14 UTC 2016


Jochen Hein <jochen at jochen.org> writes:

> [ This mail sets the stage for more parts, which will get into technical
> details. Comments or suggestions are welcome, possibly we should add
> refined texts in the relevant wikis/documentations. - Jochen ]

== Use IPA as our userstore in privacyidea ==

First we need an LDAP user to access the userstore. Store the
following in the file privacyidea-fetch.ldif on your IPA server:

# System account for privacyIDEA, kept outside the IPA user tree (cn=sysaccounts)
dn: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: top
uid: privacyidea-fetch
userPassword: <top-secret-password>
# far-future expiry (2038) so the bind password does not expire
passwordExpirationTime: 20380119031407Z
# no idle timeout for this account's connections
nsIdleTimeout: 0

Add the user to FreeIPA's 389-dirsrv [TODO: verify command]:

ldapadd -Y GSSAPI -f privacyidea-fetch.ldif

Define your LDAP resolver in Privacyidea as follows:

Server-URI: ldaps://<ipa>.example.org
Base-DN:    cn=users,cn=accounts,dc=example,dc=org
Bind-DN:    uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
Bind-Type:  simple

Loginname Attribute: uid
Search Filter:       (uid=*)(objectClass=inetorgperson)
User Filter:         (&(uid=%s)(objectClass=inetOrgPerson))
Attribute Mapping:   { "username": "uid", "phone" : "telephoneNumber",
                       "mobile" : "mobile", "email" : "mail",
                       "surname" : "sn", "givenname" : "givenName",
                       "description" : "gecos" }
UID Type:            ipaUniqueID

TODO:
Discuss options for UID Type. What should we recommend?
DN seems to work. Changing is a bad idea, because it invalidates the
token assignment to users.

ipaUniqueID has:

[2016-12-23 19:38:47,509][30665][140606770149120][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:211] failed to check password for u'1c2ec066-648e-11e5-84ca-525400fe9f35'/u'uid=jochen,cn=users,cn=accounts,dc=jochen,dc=org': Exception('Wrong credentials',)

TODO: when saving the resolver in privacyidea:
[2016-12-23 21:07:18,437][30665][140606770149120][WARNING][privacyidea.lib.resolver:130] the passed key u'CACHE_TIMEOUT' is not a parameter for the resolver u'ldapresolver'

Wishlist: Use SRV records from DNS to find the LDAP servers.

-- 
The only problem with troubleshooting is that the trouble shoots back.
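The following is an added example, not part of the post above and not privacyIDEA's own code. It models, offline, what an LDAP resolver configured with the values in the post has to do with a login name: build the user filter from the `User Filter` template, escape the substituted value (RFC 4515), map a directory entry onto the resolver's user record via the `Attribute Mapping`, and derive the user id from the `UID Type`. The resolver values are taken from the post; the directory entry and the ipaUniqueID in it are constructed; the `(&...)` wrapping of the `Search Filter` fragment and the escaping routine are this example's assumptions about the intended semantics, not a description of privacyIDEA's internals. The last two functions show why switching `UID Type` after tokens have been assigned breaks the assignment, as the TODO above warns.

```python
"""Added example, not part of the original post and not privacyIDEA's own code.

Models what an LDAP resolver configured with the post's values does with a
login name, so filter construction, attribute mapping and the UID Type
choice can be checked offline.
"""
import json

# Resolver values as given in the post.
SEARCH_FILTER = "(uid=*)(objectClass=inetOrgPerson)"
USER_FILTER = "(&(uid=%s)(objectClass=inetOrgPerson))"
ATTRIBUTE_MAPPING = json.loads(
    '{ "username": "uid", "phone" : "telephoneNumber", "mobile" : "mobile", '
    '"email" : "mail", "surname" : "sn", "givenname" : "givenName", '
    '"description" : "gecos" }'
)

# Constructed entry modelled on a FreeIPA user; the ipaUniqueID is made up.
SAMPLE_ENTRY = {
    "dn": "uid=jochen,cn=users,cn=accounts,dc=example,dc=org",
    "attributes": {
        "uid": ["jochen"],
        "givenName": ["Jochen"],
        "sn": ["Hein"],
        "mail": ["jochen@example.org"],
        "gecos": ["Jochen Hein"],
        "ipaUniqueID": ["0f1d7d0e-1111-2222-3333-444455556666"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    Without it a login name such as '*)(uid=admin' rewrites the user filter
    into a different query; with it the metacharacters become \\2a \\29 \\28.
    """
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_search_filter():
    """Assumption of this example: the Search Filter fragment from the post
    is AND-ed into one complete filter when listing users."""
    return "(&" + SEARCH_FILTER + ")"


def build_user_filter(login):
    """Substitute the escaped login name for %s in the User Filter."""
    return USER_FILTER.replace("%s", escape_filter_value(login))


def map_entry(entry, uid_type):
    """Map one entry (dn plus attribute -> list of values) to a user record.

    uid_type is either 'DN' or the name of the attribute to use as user id.
    A missing id attribute is an error, not an empty id: tokens are assigned
    to the user id, so it must be present and stable.
    """
    attrs = entry["attributes"]
    user = {key: (attrs.get(attr) or [""])[0] for key, attr in ATTRIBUTE_MAPPING.items()}
    if uid_type.upper() == "DN":
        user["userid"] = entry["dn"]
    else:
        values = attrs.get(uid_type)
        if not values:
            raise KeyError("%s has no %s, cannot derive a user id" % (entry["dn"], uid_type))
        user["userid"] = values[0]
    return user


def token_assignment_survives(assigned_userid, entry, new_uid_type):
    """A token is stored against the user id; after a UID Type change the
    same entry resolves to a different id and the assignment no longer matches."""
    return map_entry(entry, new_uid_type)["userid"] == assigned_userid


if __name__ == "__main__":
    print(build_search_filter())
    print(build_user_filter("jochen"))
    print(build_user_filter("*)(uid=admin"))
    record = map_entry(SAMPLE_ENTRY, "ipaUniqueID")
    print(record)
    print("same UID Type:  ", token_assignment_survives(record["userid"], SAMPLE_ENTRY, "ipaUniqueID"))
    print("switched to DN: ", token_assignment_survives(record["userid"], SAMPLE_ENTRY, "DN"))
```

Before pointing privacyIDEA at the directory, the same bind and search can be exercised by hand with a simple bind as the system account, for example `ldapsearch -H ldaps://<ipa>.example.org -x -D 'uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org' -W -b cn=users,cn=accounts,dc=example,dc=org '(uid=jochen)' ipaUniqueID`, which separates a failing service-account bind from a failing user-password check.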
