LDAP + OTP

Alan DeKok aland at deployingradius.com
Fri Jun 7 13:02:26 UTC 2024


On Jun 7, 2024, at 8:40 AM, Jon Gerdes <gerdesj at blueloop.net> wrote:
> Thank you for your response.  Here is the full debug output.  I've only obfuscated my AD password, everything else is a copy/paste from my terminal.  The PIN
> that I entered is the correct one.  PrivacyIdea returns wrong otp pin but I think that is because I am passing through "State" to it.  I'll see if I can get a
> log at the PI end to see what it receives as a PIN.

  If PrivacyIdea is rejecting the user, then you need to look at the logs there.  You can't debug PrivacyIdea by looking at the FreeRADIUS logs.

> If I remove the LDAP related stuff and do just the Auth-Type perl part, it works fine.  i.e. I enter my username and the PIN as the password and the push token
> works and I am granted access.  Also, if I remove the PI related parts and just do the LDAP, that works too.

  Then read the FreeRADIUS debug output to see what the differences are between the working case, and non-working case.

  You have a working situation, and a non-working situation.  The difference is likely what's causing the problems.  So, make the non-working situation more similar to the working one, and it should work.

  If the PrivacyIdea Perl module is getting upset about State (why?  That's stupid) then just delete the State attribute from the Perl hash.  i.e. edit the Perl code to remove anything which might make PrivacyIdea go crazy.

  Alan DeKok.
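
The comparison of the working and non-working debug output suggested above can be scripted. This is an added example, not code from the thread or from the FreeRADIUS project; it assumes the FreeRADIUS v3 `radiusd -X` line format, the function names are hypothetical, and the sample debug text is constructed.

```python
import re

# Line shapes in FreeRADIUS v3 `radiusd -X` output (assumed format).
RECV_RE = re.compile(r'^\(\d+\) Received \S+ Id \d+')
ATTR_RE = re.compile(r'^\(\d+\)\s{2,}([\w:-]+) (?:=|:=|\+=) (.*)$')

# Values expected to differ between runs; compared by presence only.
PRESENCE_ONLY = {"User-Password", "Message-Authenticator"}

def request_attributes(debug_text):
    """Return {attribute: [values]} for the first received packet."""
    attrs, in_packet = {}, False
    for line in debug_text.splitlines():
        if not in_packet:
            in_packet = bool(RECV_RE.match(line))
            continue
        m = ATTR_RE.match(line)
        if not m:  # first non-attribute line ends the packet dump
            break
        attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def diff_requests(working, failing):
    """Summarise how the failing request differs from the working one."""
    a, b = request_attributes(working), request_attributes(failing)
    shared = (set(a) & set(b)) - PRESENCE_ONLY
    return {
        "only_in_working": sorted(set(a) - set(b)),
        "only_in_failing": sorted(set(b) - set(a)),
        "changed": sorted(k for k in shared if a[k] != b[k]),
    }

# Constructed sample debug output (not taken from the thread).
WORKING = """\
(0) Received Access-Request Id 17 from 127.0.0.1:50312 to 127.0.0.1:1812 length 75
(0)   User-Name = "alice"
(0)   User-Password = "1234"
(0)   NAS-IP-Address = 127.0.0.1
(0) # Executing section authorize
"""
FAILING = WORKING.replace('"1234"', '"ad-password"').replace(
    "(0) # Executing", "(0)   State = 0x3031\n(0) # Executing")

if __name__ == "__main__":
    for key, names in diff_requests(WORKING, FAILING).items():
        print(key, names)
```

With the constructed input, `State` is the only attribute reported under `only_in_failing`, which is the kind of difference to remove or explain first.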


