ldap user otp


blue90...@gmail.com

Jul 14, 2015, 3:36:03 PM
to priva...@googlegroups.com
Hi,

I am running privacyidea 2.5dev2 on Ubuntu 14.04.
I am able to authenticate on a client using OTP for the local users but not with LDAP users.
I can log in to the client with LDAP username/password. I am not sure what else I need to configure for it to accept the OTP PIN.
I would appreciate your help on this.

Below is my pam configuration.

common-auth
-----------------
auth    sufficient      pam_python.so  /opt/privacyidea_pam.py  url=https://OTP-HOST prompt=PRIVACYIDEA_Authentication nosslverify
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so



sshd
------------------------------------------------
@include common-auth
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    required     pam_limits.so
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password


Below is the error message that I see in the logs.

Jul 14 13:15:07 otp2 sshd: requests > 1.0
Jul 14 13:15:07 otp2 sshd: privacyidea_pam: ERR905: The user can not be found in any resolver in this realm!
Jul 14 13:15:07 otp2 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6  user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.6.6 user=otp
Jul 14 13:15:08 otp2 sshd: pam_sss(sshd:auth): received for user otp: 17 (Failure setting user credentials)
Jul 14 13:15:10 otp2 sshd[11317]: Failed password for otp from 10.10.6.6 port 60748 ssh2


Thanks,

Cornelius Kölbel

Jul 14, 2015, 4:01:14 PM
to priva...@googlegroups.com

Let's get things straight:

You can login (via SSH/PAM?)
with an LDAP user to a linux machine BEFORE using privacyIDEA? Right?

As soon as you configure privacyIDEA, you can login with a local user,
but not with an LDAP user?

First step!
Forget about PAM!

Check if you can authenticate with the user against privacyidea
directly.

Local User AND LDAP USER.

Call
https://privacyideaserver/validate/check?user=<username>&pass=<otppin-otpvalue>



Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel



blue90...@gmail.com

Jul 14, 2015, 4:35:48 PM
to priva...@googlegroups.com
Thanks for your quick reply.

Below is what I have tried.

ssh to the linux machine with local userid/privacyidea_pin - works
ssh to the linux machine with ldap userid/privacyidea_pin - does not work.
ssh to linux machine with ldap_username/ldap_passwd - works


This is what I see with:

Call
https://privacyideaserver/validate/check?user=<username>&pass=<otppin-otpvalue>

localuser
------------
{
  "detail": {
    "message": "matching 1 tokens",
    "serial": "OATH00006BE8",
    "type": "hotp"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },
  "version": "privacyIDEA 2.5dev2",
  "versionnumber": "2.5dev2"
}

ldap user
-----------
{
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "error": {
      "code": -500,
      "message": "ERR905: The user can not be found in any resolver in this realm!"
    },
    "status": false
  },
  "version": "privacyIDEA 2.5dev2"
}


I have created a resolver for LDAP and am able to assign the token to the LDAP users on privacyidea.

Here is how I configured the client for OTP: https://www.youtube.com/watch?v=tNoHzrajtcg&t=3m42s

Cornelius Kölbel

Jul 14, 2015, 4:44:40 PM
to priva...@googlegroups.com
Hi bluewaters,

Again: forget about PAM for a while.


>
> Call
> https://privacyideaserver/validate/check?user=<username>&pass=<otppin-otpvalue>
>

> ldap user
> -----------
> {
> "id": 1,
> "jsonrpc": "2.0",
> "result": {
> "error": {
> "code": -500,
> "message": "ERR905: The user can not be found in any resolver in this realm!"
> },
> "status": false
> },
> "version": "privacyIDEA 2.5dev2"
> }
>

This indicates that your LDAP user can not authenticate. I.e. the
underlying mechanism will not work, so we do not need to talk about PAM.
We first have to fix this!

How many realms did you define?
Did you put the LDAP resolver in a new realm?

Then the LDAP user will not be in the default realm.
Please put the LDAP resolver into the same realm as the
passwdresolver.

And check the URL again!

Kind regards
Cornelius


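Cornelius's advice above (check the user against /validate/check directly, and make sure the LDAP resolver sits in the realm that is searched) can be turned into a small probe. This is an added example, not code from the thread or from the privacyIDEA project; it assumes the 2.x JSON-RPC response shape quoted in this thread, and `validate_check` and the `https://OTP-HOST` base URL are illustrative names.

```python
# Added example: call /validate/check directly and interpret the JSON-RPC reply.
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

@dataclass
class CheckResult:
    ok: bool                        # result.status and result.value both true
    message: str                    # detail.message, or the error message
    error_code: Optional[int] = None

def parse_validate_check(body: str) -> CheckResult:
    """Interpret the JSON body returned by /validate/check."""
    doc = json.loads(body)
    result = doc.get("result", {})
    if not result.get("status", False):
        # status=false: the request itself failed (e.g. ERR905), not merely a wrong OTP
        err = result.get("error", {})
        return CheckResult(False, err.get("message", "unknown error"), err.get("code"))
    # status=true, value=false: user was found but PIN/OTP did not match any token
    return CheckResult(bool(result.get("value")), doc.get("detail", {}).get("message", ""))

def is_realm_lookup_error(res: CheckResult) -> bool:
    """ERR905: no resolver in the searched (default) realm knows the user.
    That is a realm/resolver configuration problem, not a wrong OTP."""
    return not res.ok and res.message.startswith("ERR905")

def validate_check(base_url: str, user: str, pin_otp: str,
                   verify_tls: bool = True, timeout: int = 10) -> CheckResult:
    """Hypothetical helper doing the GET from the thread; base_url e.g. https://OTP-HOST."""
    query = urllib.parse.urlencode({"user": user, "pass": pin_otp})
    url = f"{base_url.rstrip('/')}/validate/check?{query}"
    ctx = ssl.create_default_context()
    if not verify_tls:  # mirrors the PAM module's nosslverify; leave verification on
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return parse_validate_check(resp.read().decode("utf-8"))

# Constructed sample bodies modelled on the two replies quoted in the thread.
SAMPLE_OK = ('{"detail": {"message": "matching 1 tokens", "type": "hotp"}, "id": 1, '
             '"jsonrpc": "2.0", "result": {"status": true, "value": true}}')
SAMPLE_ERR905 = ('{"id": 1, "jsonrpc": "2.0", "result": {"error": {"code": -500, '
                 '"message": "ERR905: The user can not be found in any resolver in this realm!"}, '
                 '"status": false}}')
```

Running `validate_check("https://OTP-HOST", "ldapuser", "<pin><otp>")` for a local and an LDAP user reproduces the comparison made in this thread without PAM in the loop; an ERR905 result points at realm membership of the resolver, a `status=true, value=false` result at the PIN/OTP itself.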
blue90...@gmail.com

Jul 14, 2015, 4:55:37 PM
to priva...@googlegroups.com
Ah!!! That worked like a charm once I placed the LDAP resolver in the default realm.

Appreciate your quick reply for resolving this.

Thank you very much Cornelius.

Cornelius Kölbel

Jul 14, 2015, 5:01:37 PM
to priva...@googlegroups.com
Hi,
I assume that you are also able to authenticate with the LDAP user at
PAM.

When authenticating, the system searches the user in the "default"
realm.
You might want to read a bit more about realms:
http://privacyidea.readthedocs.org/en/latest/configuration/realms.html

Kind regards
Cornelius

blue90...@gmail.com

Jul 14, 2015, 5:31:10 PM
to priva...@googlegroups.com
Yes. I am able to auth an LDAP user too. I will go through the docs on the link.
I will test this on CentOS 7 too. Is it any different authenticating on CentOS?
I did not find a libpam-python rpm though.

-Thanks

Cornelius Kölbel

Jul 15, 2015, 12:40:23 AM
to priva...@googlegroups.com
On Tuesday, 14.07.2015 at 14:31 -0700, blue90...@gmail.com wrote:
> Yes. I am able to auth a ldap user too. I will go through the docs on
> the link.
> I will test this on the CentOS 7 too. Is it any different
> authenticating on CentOS?
> I did not find an libpam-python rpm though.

Yes. It looks like there is no pam_python package, even in EPEL.
So get your gcc ready.
Or should I build a package for you?

Kind regards
Cornelius

blue90...@gmail.com

Jul 15, 2015, 11:45:18 AM
to priva...@googlegroups.com
I have downloaded http://pam-python.sourceforge.net/ and it compiles with a few warning messages.
I would appreciate if you can build the package.

Thanks,