mySQL + LDAP resolver


Stefan Steuer

Apr 29, 2015, 2:48:14 PM
to priva...@googlegroups.com
Hi Cornelius,
I have been using the mysql-resolver for a few months and it works fine! Now I want to add a LDAP-resolver so that the users have to use their Active Directory password AND the OTP.

But it doesn't work :( or is it not possible to authenticate against the AD password?

Cornelius Kölbel

Apr 29, 2015, 2:56:22 PM
to priva...@googlegroups.com
It is possible.
Did you configure the correct policy?
https://privacyidea.readthedocs.org/en/latest/policies/authentication.html?highlight=otppin#otppin

Kind regards
Cornelius
--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/9be2c7f6-0a3c-4923-96ae-aeb10139c860%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Stefan Steuer

Apr 29, 2015, 3:07:46 PM
to priva...@googlegroups.com
I hope so ;)

I set the policy as follows: otppin=userstore

I tried to login with the following format:

username (e.g. m.mustermann)
passwordOTP

but also
domain\m.mustermann
passwordOTP

both of them failed.

Is it a problem when the mysql and the LDAP resolver both have the user m.mustermann?

Cornelius Kölbel

Apr 29, 2015, 3:12:18 PM
to priva...@googlegroups.com
If two resolvers in a realm contain the same username there is no way to distinguish the user at the moment.
As a matter of fact I just implemented a solution for this, which will come in version 2.3, where you can define priorities for users in resolvers.

But at the moment you should not have a double username in one realm!

So you should put your AD resolver into a second realm, if the usernames are the same.

Kind regards
Cornelius


Stefan Steuer

Apr 29, 2015, 3:15:04 PM
to priva...@googlegroups.com
Sorry for the confusion.

The AD and the SQL-DB both contain the user m.mustermann. For LDAP and mySQL I have different realms.

Resolver   Realm   User
OTRS-DB    mysql   m.mustermann
AD         LDAP    m.mustermann

Cornelius Kölbel

Apr 29, 2015, 3:24:13 PM
to priva...@googlegroups.com
OK,
try first to check with the OTP PIN.
If this is OK, create the policy for this LDAP-Realm(!) with otppin=userstore.
Please check the log file (you may increase the debug level); you should see the bind to the LDAP.
http://privacyidea.readthedocs.org/en/latest/installation/index.html?highlight=debug#running-privacyidea-with-apache2-and-mysql
set PI_LOGLEVEL=10

Kind regards
Cornelius

Stefan Steuer

Apr 29, 2015, 3:31:49 PM
to priva...@googlegroups.com
wrong OTP-Pin :(


Log is empty.

Cornelius Kölbel

Apr 29, 2015, 3:36:21 PM
to priva...@googlegroups.com
Which version are you running?


Stefan Steuer

Apr 29, 2015, 3:38:19 PM
to priva...@googlegroups.com
It takes some seconds :D now I've got a log.

[2015-04-29 21:36:45,252][2693][140378552792832][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:106] failed to check password for 'CN=Mustermann\\, Max,OU=Musterabteilung,OU=Musterfirma,DC=Musterdomain,DC=local'/'CN=Mustermann\\, Max,OU=Musterabteilung,OU=Musterfirma,$
[2015-04-29 21:36:45,409][2693][140378452080384][WARNING][privacyidea.lib.config:493] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))

Cornelius Kölbel

Apr 29, 2015, 3:50:07 PM
to priva...@googlegroups.com
Does it only happen to users with a CN=surname, givenname?


Stefan Steuer

Apr 29, 2015, 3:53:51 PM
to priva...@googlegroups.com
I tried it with another user - same issue.

[2015-04-29 21:52:25,039][2693][140378460473088][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:106] failed to check password for 'CN=Smith\\, John,OU=Blubb,OU=Domain,DC=Firma,DC=local'/'CN=John\\, Smith,OU=Blubb,O$
[2015-04-29 21:52:25,165][2693][140378435294976][WARNING][privacyidea.lib.config:493] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))

Cornelius Kölbel

Apr 29, 2015, 3:54:21 PM
to priva...@googlegroups.com


On 29.04.2015 at 21:38 Stefan Steuer wrote:
It takes some seconds :D now I've got a log.

[2015-04-29 21:36:45,252][2693][140378552792832][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:106] failed to check password for 'CN=Mustermann\\, Max,OU=Musterabteilung,OU=Musterfirma,DC=Musterdomain,DC=local'/'CN=Mustermann\\, Max,OU=Musterabteilung,OU=Musterfirma,$
Could you please also give the rest of this line  ^



Stefan Steuer

Apr 29, 2015, 3:56:37 PM
to priva...@googlegroups.com
DC=Domain,DC=local': Exception('Wrong credentials',)

I know what this means - but when I try the PIN+OTP there is no field for the password of the user

Cornelius Kölbel

Apr 29, 2015, 4:01:42 PM
to priva...@googlegroups.com


On 29.04.2015 at 21:56 Stefan Steuer wrote:
DC=Domain,DC=local': Exception('Wrong credentials',)

I know what this means - but when I try the PIN+OTP there is no field for the password of the user
I do not understand?


Stefan Steuer

Apr 29, 2015, 4:03:28 PM
to priva...@googlegroups.com
This error code means that the login-credentials are wrong.

But I didn't enter the credentials - only the PIN+OTP in the backend

Cornelius Kölbel

Apr 29, 2015, 4:04:39 PM
to priva...@googlegroups.com
When you try to authenticate you need to enter

    <AD-Password><OTP>

Then the system will try to authenticate (bind) to the AD with the <AD-Password>

Stefan Steuer

Apr 29, 2015, 4:16:39 PM
to priva...@googlegroups.com
I tried it with different formats...

ad-password+OTP
PIN+OTP

every time I get the same issue.

Cornelius Kölbel

Apr 30, 2015, 2:34:23 AM
to priva...@googlegroups.com
I saw that the DN of your users is:

    CN=Nachname\, Vorname,CN=Users,DC=toplevel,DC=domain

How did you create the users to get the CN=Nachname\, Vorname?
What Windows Version are you running with your domain controller?

Kind regards
Cornelius


Stefan Steuer

Apr 30, 2015, 9:12:45 AM
to priva...@googlegroups.com
Hi Cornelius,
we're using Win2012 for the DC

Cornelius Kölbel

Apr 30, 2015, 9:36:12 AM
to priva...@googlegroups.com
How did you create the user with CN=Nachname, Vorname...

This is important, since I am not sure if the comma in the CN causes any problem!!!


On 30.04.2015 at 15:12 Stefan Steuer wrote:
Hi Cornelius,
we're using Win2012 for the DC

Stefan Steuer

Apr 30, 2015, 10:17:48 AM
to priva...@googlegroups.com
Hi Cornelius,
attached you'll find a screenshot.

Cornelius Kölbel

May 1, 2015, 11:56:20 AM
to priva...@googlegroups.com
Hi Stefan,

have you configured the UserIdResolver to use NTLM authentication type?
If so, please switch to "simple" and it should work fine.

Kind regards
Cornelius

Stefan Steuer

May 1, 2015, 12:03:22 PM
to priva...@googlegroups.com
Hi Cornelius,
I already use the "simple" bind type

Stefan Steuer

May 1, 2015, 12:10:22 PM
to priva...@googlegroups.com
I think I found the bug.

The issue is that I have - as already described - a SQL and an AD with the same usernames.
And both are configured in PI. Now I enrolled a token with the AD. When I try to log in, a log entry appears (in the Audit section) saying that my token does not exist in the realm SQL.

Cornelius Kölbel

May 1, 2015, 12:12:21 PM
to priva...@googlegroups.com
Hi Stefan,

I cannot reproduce this problem on my side.
If there is no additional information from the log file, I cannot do anything from here.

My initial assumption was that the system gets confused by the comma in the DN of the user.
Thus I would recommend you check if it works with a user who has no comma in the DN.
If this does not produce any new clues and information, it is poking in the dark.

You might think about requesting professional assistance,
where we can do much more like a remote session.
See https://netknights.it/en/leistungen/support/ to get an idea.

Kind regards
Cornelius

Stefan Steuer

May 1, 2015, 12:15:05 PM
to priva...@googlegroups.com
I switched the LDAP-realm to the default realm. Now I get the old error with the wrong OTP PIN - so where you thought that the bug is with the comma in my username

Cornelius Kölbel

May 1, 2015, 12:19:33 PM
to priva...@googlegroups.com
I am very much convinced now that you have your realm configuration mixed up!



On 01.05.2015 at 18:15 Stefan Steuer wrote:
I switched the LDAP-realm to the default realm. Now I get the old error with the wrong OTP PIN - so where you thought that the bug is with the comma in my username

Stefan Steuer

May 1, 2015, 12:27:35 PM
to priva...@googlegroups.com
So I tried it with a user without a comma. Same error.
Just for my information, the password+otp has to be combined as follows:

mypassword123456

right?

Cornelius Kölbel

May 1, 2015, 12:51:46 PM
to priva...@googlegroups.com
Yes, if you configured PrependPin (http://privacyidea.readthedocs.org/en/latest/configuration/system_config.html#settings),
which I assume you did, since SQL works fine.

Stefan Steuer

May 1, 2015, 1:20:08 PM
to priva...@googlegroups.com
Okay - I'll look into this.

Now I've got the following situation.
realms: LDAP (default) and mysql

The user: J.Smith is stored in the mysql-db and not in the ldap.

When I try to log in with j.smith and the otp and password it fails - error log: user does not exist in the ldap realm.

Any idea?

Stefan Steuer

May 4, 2015, 5:09:13 AM
to priva...@googlegroups.com
Hi Cornelius,
any ideas regarding my last post? I'm not sure how PI handles this scenario.

Cornelius Kölbel

May 4, 2015, 1:07:09 PM
to priva...@googlegroups.com
Hi Stefan,

you see me totally confused.
It feels like your last post has nothing to do with your original problem!

If you have a new topic, please create a new mail thread with a new subject.

Regarding your question: If there is a user that is not located in the default realm, you need to add the realm name during authentication.
privacyIDEA will only search for the user in the default realm, if no realm is specified.

Kind regards
Cornelius


On 04.05.2015 at 11:09 Stefan Steuer wrote:
Hi Cornelius,
any ideas regarding my last post? I'm not sure how PI handles this scenario.
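Added illustration, not privacyIDEA's own code: a toy model of the two behaviours this thread turns on, the default-realm lookup when no realm is given and the PrependPin split of `<password><OTP>` under otppin=userstore versus a token PIN. Realm names, users, passwords, OTP values and the six-digit OTP length are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OTP_LEN = 6  # assumption: six-digit HOTP/TOTP values


@dataclass
class Realm:
    """Constructed stand-in for a privacyIDEA realm with one resolver."""
    userstore: Dict[str, str]               # user -> userstore password
    otppin: str = "tokenpin"                # policy: "tokenpin" or "userstore"
    pins: Dict[str, str] = field(default_factory=dict)  # user -> token PIN
    otps: Dict[str, str] = field(default_factory=dict)  # user -> valid OTP


# Constructed setup matching the thread: LDAP is the default realm and the
# mysql realm holds a user (j.smith) that the LDAP realm does not.
REALMS = {
    "LDAP": Realm({"m.mustermann": "mypassword"}, otppin="userstore",
                  otps={"m.mustermann": "123456"}),
    "mysql": Realm({"j.smith": "sqlpw"}, pins={"j.smith": "1234"},
                   otps={"j.smith": "654321"}),
}
DEFAULT_REALM = "LDAP"


def authenticate(user: str, password: str,
                 realm: Optional[str] = None) -> Tuple[bool, str]:
    """PrependPin layout: <pin or userstore password><otp>."""
    # Without an explicit realm only the default realm is searched,
    # which is why a mysql-only user fails while LDAP is the default.
    realm = realm or DEFAULT_REALM
    r = REALMS.get(realm)
    if r is None or user not in r.userstore:
        return False, f"user {user!r} does not exist in realm {realm!r}"
    pin, otp = password[:-OTP_LEN], password[-OTP_LEN:]
    if r.otppin == "userstore":
        # otppin=userstore: the leading part must be the userstore password,
        # which for an LDAP resolver means a bind with the AD password.
        # Typing only PIN+OTP leaves that part empty and the bind fails.
        if r.userstore[user] != pin:
            return False, "Wrong credentials"
    elif r.pins.get(user) != pin:
        return False, "wrong otp pin"
    if r.otps.get(user) != otp:
        return False, "wrong otp value"
    return True, f"{user}@{realm} authenticated"
```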