Jochen Hein <joc...@jochen.org> writes:

> [ This mail sets the stage for more parts, which will get into technical
> details. Comments or suggestions are welcome, possibly we should add
> refined texts in the relevant wikis/documentations. - Jochen ]

== Use IPA as our userstore in privacyidea ==

First we need an LDAP user to access the userstore. Store the
following in the file privacyidea-fetch.ldif on your IPA server:

dn: uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: top
uid: privacyidea-fetch
userPassword: <top-secret-password>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Add the user to FreeIPA's 389-dirsrv [TODO: verify command]:

ldapadd -Y GSSAPI -f privacyidea-fetch.ldif

Define your LDAP resolver in privacyidea as follows:

Server-URI: ldaps://<ipa>.example.org
Base-DN:    cn=users,cn=accounts,dc=example,dc=org
Bind-DN:    uid=privacyidea-fetch,cn=sysaccounts,cn=etc,dc=example,dc=org
Bind-Type:  simple

Loginname Attribute:    uid
Search Filter:          (uid=*)(objectClass=inetorgperson)
User Filter:            (&(uid=%s)(objectClass=inetOrgPerson))
Attribute Mapping:      { "username": "uid", "phone" : "telephoneNumber",
                        "mobile" : "mobile", "email" : "mail",
                        "surname" : "sn", "givenname" : "givenName",
                        "description" : "gecos" }
UID Type:               ipaUniqueID

TODO:
Discuss options for UID Type. What should we recommend?
DN seems to work. Changing is a bad idea, because it invalidates the
token assignment to users.

ipaUniqueID has:

[2016-12-23 19:38:47,509][30665][140606770149120][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:211] failed to check password for u'1c2ec066-648e-11e5-84ca-525400fe9f35'/u'uid=jochen,cn=users,cn=accounts,dc=jochen,dc=org': Exception('Wrong credentials',)

TODO: when saving the resolver in privacyidea:
[2016-12-23 21:07:18,437][30665][140606770149120][WARNING][privacyidea.lib.resolver:130] the passed key u'CACHE_TIMEOUT' is not a parameter for the resolver u'ldapresolver'

Wishlist: Use SRV records from DNS to find the LDAP servers.

-- 
The only problem with troubleshooting is that the trouble shoots back.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
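The procedure in the post above (write the sysaccount LDIF, add it, point the privacyidea LDAP resolver at it) as an added, self-contained example. This is not code from the post, from FreeIPA or from privacyidea; it uses only the Python standard library and runs offline. It generates the LDIF from the post with a random bind password, encoding values per RFC 2849 where needed, composes the resolver's two filters the way the post's unwrapped "Search Filter" implies a resolver does (the outer "(&...)" is assumed to be added by the resolver; that assumption and the %s escaping per RFC 4515 are this example's, not a statement about privacyidea's internals), and prints an ldapsearch command to confirm the new account can bind and read users. BASE_DN, the host name and the verification command are assumptions.

```python
"""Sysaccount LDIF and LDAP filter helpers for the privacyidea/FreeIPA setup.

Added example, not code from the original post, FreeIPA or privacyidea.
Standard library only; the escaping rules follow RFC 2849 (LDIF) and
RFC 4515 (filter strings). BASE_DN and the host used in verify_command()
are assumptions for illustration.
"""
import base64
import secrets
import string

BASE_DN = "dc=example,dc=org"                                  # assumed suffix
SYSACCOUNT = "privacyidea-fetch"
SEARCH_FILTER = "(uid=*)(objectClass=inetOrgPerson)"           # resolver "Search Filter"
USER_FILTER = "(&(uid=%s)(objectClass=inetOrgPerson))"         # resolver "User Filter"


def random_password(length=32):
    """Bind password for the sysaccount: letters and digits only, so it
    never needs quoting in the resolver config or on a shell line."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ldif_attr(name, value):
    """One LDIF attribute line per RFC 2849: a value that starts with a
    space, ':' or '<', ends with a space, or contains a non-printable or
    non-ASCII byte is written base64-encoded after a double colon."""
    raw = value.encode("utf-8")
    safe = (
        all(0x20 <= b < 0x7F for b in raw)
        and not raw.startswith((b" ", b":", b"<"))
        and not raw.endswith(b" ")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def sysaccount_ldif(uid, password, base_dn=BASE_DN):
    """The LDIF from the post for a FreeIPA system account, as one string."""
    dn = f"uid={uid},cn=sysaccounts,cn=etc,{base_dn}"
    lines = [
        ldif_attr("dn", dn),
        "changetype: add",
        "objectclass: account",
        "objectclass: simplesecurityobject",
        "objectclass: top",
        ldif_attr("uid", uid),
        ldif_attr("userPassword", password),
        "passwordExpirationTime: 20380119031407Z",
        "nsIdleTimeout: 0",
    ]
    return "\n".join(lines) + "\n"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so a login name can replace
    %s in the User Filter without changing the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def resolver_filters(login):
    """Compose the two filters. Assumption of this example: the resolver
    wraps the Search Filter in an AND (which is why the post leaves the
    outer "(&...)" out), and the login name is escaped before it is
    substituted into the User Filter."""
    list_filter = "(&" + SEARCH_FILTER + ")"
    user_filter = USER_FILTER.replace("%s", escape_filter_value(login))
    return list_filter, user_filter


def verify_command(host, uid=SYSACCOUNT, base_dn=BASE_DN):
    """ldapsearch line (assumed host; needs ldap-utils) to confirm the new
    sysaccount can bind with a simple bind over LDAPS and read the user
    entries the resolver will see, including both candidate UID Types."""
    bind_dn = f"uid={uid},cn=sysaccounts,cn=etc,{base_dn}"
    list_filter, _ = resolver_filters("")
    return (f"ldapsearch -H ldaps://{host} -x -D '{bind_dn}' -W "
            f"-b 'cn=users,cn=accounts,{base_dn}' '{list_filter}' uid ipaUniqueID")


if __name__ == "__main__":
    pw = random_password()
    with open("privacyidea-fetch.ldif", "w", encoding="utf-8") as f:
        f.write(sysaccount_ldif(SYSACCOUNT, pw))
    print("Bind password (store it in the resolver):", pw)
    print("Then run:  ldapadd -Y GSSAPI -f privacyidea-fetch.ldif")
    print("Verify:   ", verify_command("ipa.example.org"))
    print("Filters for login 'jochen':", resolver_filters("jochen"))
    # A hostile login name is neutralised rather than rewriting the filter:
    print("Filters for login '*)(uid=admin':", resolver_filters("*)(uid=admin"))
```

The escaped form is what keeps a login name such as `*)(uid=admin` from turning the User Filter into a different query; if the resolver you deploy does not escape the substituted name itself, this is the check to add in front of it.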
