Jochen Hein <joc...@jochen.org> writes:

> [ This mail sets the stage for more parts, which will get into technical
> details. Comments or suggestions are welcome, possibly we should add
> refined texts in the relevant wikis/documentations. - Jochen ]

== Use IPA as our userstore in privacyidea ==

First we need an LDAP user to access the userstore. Store the following in
the file privacyidea-fetch.ldif on your IPA server:

dn: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: top
uid: privacyidea-fetch
userPassword: <top-secret-password>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Add the user to FreeIPA's 389-dirsrv [TODO: verify command]:

ldapadd -Y GSSAPI -f privacyidea-fetch.ldif

Define your LDAP resolver in Privacyidea as follows:

Server-URI: ldaps://<ipa>.example.org
Base-DN: cn=users,cn=accounts,dc=example,dc=org
Bind-DN: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
Bind-Type: simple
Loginname Attribute: uid
Search Filter: (uid=*)(objectClass=inetorgperson)
User Filter: (&(uid=%s)(objectClass=inetOrgPerson))
Attribute Mapping: { "username": "uid", "phone" : "telephoneNumber", "mobile" : "mobile", "email" : "mail", "surname" : "sn", "givenname" : "givenName", "description" : "gecos" }
UID Type: ipaUniqueID

TODO: Discuss options for UID Type. What should we recommend? DN seems to
work. Changing is a bad idea, because it invalidates the token assignment
to users. ipaUniqueID has:

[2016-12-23 19:38:47,509][30665][140606770149120][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:211] failed to check password for u'1c2ec066-648e-11e5-84ca-525400fe9f35'/u'uid=jochen,cn=users,cn=accounts,dc=jochen,dc=org': Exception('Wrong credentials',)

TODO: when saving the resolver in privacyidea:

[2016-12-23 21:07:18,437][30665][140606770149120][WARNING][privacyidea.lib.resolver:130] the passed key u'CACHE_TIMEOUT' is not a parameter for the resolver u'ldapresolver'

Wishlist: Use SRV records from DNS to find the LDAP servers.

-- 
The only problem with troubleshooting is that the trouble shoots back.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
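As an added pre-flight check for the setup in the mail (example code, not from the mail, FreeIPA or privacyIDEA), the following Python takes the resolver settings and the sysaccount LDIF quoted above and shows what a client built from them would send: the per-user filter with the login name escaped per RFC 4515, the user-list search together with the attributes the bind account must be allowed to read, and obvious defects in the LDIF such as the placeholder password or an expiry that is not GeneralizedTime. It assumes privacyIDEA wraps the configured Search Filter in `(& ... )`; the LDIF and settings are constructed copies of the values in the mail.

```python
import datetime
# Resolver settings and sysaccount LDIF as given in the mail (constructed copy).
RESOLVER = {
    "USERFILTER": "(&(uid=%s)(objectClass=inetOrgPerson))",
    "SEARCHFILTER": "(uid=*)(objectClass=inetorgperson)", "UIDTYPE": "ipaUniqueID",
    "MAPPING": {"username": "uid", "phone": "telephoneNumber", "mobile": "mobile",
                "email": "mail", "surname": "sn", "givenname": "givenName", "description": "gecos"},
}
SYSACCOUNT_LDIF = """dn: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: top
uid: privacyidea-fetch
userPassword: <top-secret-password>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
"""
def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def user_filter(login):
    """Per-user lookup filter the User Filter template expands to."""
    return RESOLVER["USERFILTER"] % escape_filter_value(login)
def list_search():
    """User-list filter and the attributes the bind account must be able to read.
    Assumption: privacyIDEA wraps the configured Search Filter in (& ... )."""
    attrs = sorted(set(RESOLVER["MAPPING"].values()) | {RESOLVER["UIDTYPE"]})
    return "(&" + RESOLVER["SEARCHFILTER"] + ")", attrs
def parse_ldif(text):
    """Minimal LDIF reader: one 'attr: value' per line, multi-valued attributes."""
    entry = {}
    for attr, value in (l.split(":", 1) for l in text.splitlines() if l.strip()):
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry
def check_sysaccount(ldif_text, now=None):
    """Findings to fix before running ldapadd on the sysaccount LDIF."""
    e, findings = parse_ldif(ldif_text), []
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    have = {v.lower() for v in e.get("objectclass", [])}
    findings += ["missing objectClass " + oc for oc in ("account", "simplesecurityobject", "top") if oc not in have]
    if e.get("userpassword", ["<"])[0].startswith("<"):
        findings.append("userPassword missing or still the placeholder")
    try:  # passwordExpirationTime must be LDAP GeneralizedTime and in the future
        exp = datetime.datetime.strptime(e["passwordexpirationtime"][0], "%Y%m%d%H%M%SZ")
        if exp <= now: findings.append("passwordExpirationTime is in the past")
    except (KeyError, ValueError):
        findings.append("passwordExpirationTime missing or not GeneralizedTime")
    return findings
```

Running `check_sysaccount(SYSACCOUNT_LDIF)` on the LDIF as quoted reports only the placeholder password; once that is replaced the entry is clean.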