LDAP + OTP

Jon Gerdes gerdesj at blueloop.net
Mon Jun 10 09:07:32 UTC 2024


On Fri, 2024-06-07 at 09:02 -0400, Alan DeKok wrote:
> On Jun 7, 2024, at 8:40 AM, Jon Gerdes <gerdesj at blueloop.net> wrote:
> > Thank you for your response.  Here is the full debug output.  I've only obfuscated my AD password, everything else is a copy/paste from my terminal.  The PIN that I entered is the correct one.  PrivacyIdea returns wrong otp pin but I think that is because I am passing through "State" to it.  I'll see if I can get a log at the PI end to see what it receives as a PIN.
> 
>   If PrivacyIdea is rejecting the user, then you need to look at the logs there.  You can't debug PrivacyIdea by looking at the FreeRADIUS logs.
> 
> > If I remove the LDAP related stuff and do just the Auth-Type perl part, it works fine.  i.e. I enter my username and the PIN as the password and the push token works and I am granted access.  Also, if I remove the PI related parts and just do the LDAP, that works too.
> 
>   Then read the FreeRADIUS debug output to see what the differences are between the working case, and non-working case.
> 
>   You have a working situation, and a non-working situation.  The difference is likely what's causing the problems.  So, make the non-working situation more similar to the working one, and it should work.
> 
>   If the PrivacyIdea Perl module is getting upset about State (why?  That's stupid) then just delete the State attribute from the Perl hash.  i.e. edit the Perl code to remove anything which might make PrivacyIdea go crazy.
> 
>   Alan DeKok.


Alan

Thanks again for your thoughts.

I have yet to dig much deeper into why this is necessary but I amended the Perl script that talks to PrivacyIdea:

(line 406) - $RAD_REQUEST{'State'} = "";

... and it works fine.  I now need to get to grips with the filter module and perhaps file a bug with PrivacyIdea.

Cheers
Jon

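Alan's suggestion above (drop State from the Perl hash before it reaches PrivacyIdea) and Jon's line-406 fix (blanking State in %RAD_REQUEST) both work on the live request hash. The example below is an added illustration, not code from this thread, from FreeRADIUS or from PrivacyIdea: an rlm_perl-style authenticate hook that instead hands the OTP backend an allow-listed copy of the request, so State never reaches the PIN check and the original %RAD_REQUEST still carries State for the challenge-response round trip. The backend function otp_backend_verify, the attribute allow-list, and the PIN table and State value used in the self-test are all assumptions made up for the example; the real PrivacyIdea client would replace the placeholder backend.

```perl
#!/usr/bin/perl
# Added example; not code from this thread, FreeRADIUS or PrivacyIdea.
# rlm_perl-style authenticate hook that hands an OTP backend only an
# allow-listed copy of the request attributes, so State (or anything else
# FreeRADIUS adds for challenge-response) never reaches the PIN check.
use strict;
use warnings;

# rlm_perl return codes (values as documented in FreeRADIUS's example.pl)
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_FAIL   => 1,
    RLM_MODULE_OK     => 2,
};

# Filled in by rlm_perl at run time; the self-test at the bottom fills them by hand.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Attributes the backend may see (assumed list). An allow-list is more robust
# than deleting one known offender: a new attribute cannot leak into the
# backend call by accident.
my @FORWARD = qw(User-Name User-Password NAS-IP-Address NAS-Identifier Calling-Station-Id);

# Returns a filtered copy of the request. %RAD_REQUEST itself is left alone,
# so State is still available to FreeRADIUS for the challenge-response round trip.
sub request_for_backend {
    my ($req) = @_;
    my %out;
    for my $name (@FORWARD) {
        $out{$name} = $req->{$name} if defined $req->{$name};
    }
    return \%out;
}

# Placeholder for the real OTP client (assumed name). To mimic the symptom
# from the thread it treats any extra attribute, State included, as a bad PIN,
# and otherwise accepts when User-Password matches a constructed PIN table.
sub otp_backend_verify {
    my ($attrs) = @_;
    my %pins = ('jon' => '4711');    # constructed test data, not a real credential
    my %allowed = map { $_ => 1 } @FORWARD;
    return 0 if grep { !$allowed{$_} } keys %$attrs;
    my ($user, $pw) = @{$attrs}{qw(User-Name User-Password)};
    return 0 unless defined $user && defined $pw && exists $pins{$user};
    return $pins{$user} eq $pw ? 1 : 0;
}

# Entry point rlm_perl calls for Auth-Type perl.
sub authenticate {
    return RLM_MODULE_REJECT unless defined $RAD_REQUEST{'User-Name'};
    my $attrs = request_for_backend(\%RAD_REQUEST);
    my $ok = eval { otp_backend_verify($attrs) };
    if ($@) {
        $RAD_REPLY{'Reply-Message'} = 'OTP backend unavailable';
        return RLM_MODULE_FAIL;      # a backend error is not the same as a bad PIN
    }
    unless ($ok) {
        $RAD_REPLY{'Reply-Message'} = 'Authentication failed';
        return RLM_MODULE_REJECT;
    }
    return RLM_MODULE_OK;
}

# Stand-alone check: `perl this_file.pl` simulates a request that carries State.
unless (caller) {
    %RAD_REQUEST = (
        'User-Name'      => 'jon',
        'User-Password'  => '4711',
        'State'          => '0x6162636465',   # constructed State value
        'NAS-IP-Address' => '192.0.2.10',
    );
    my $rc = authenticate();
    printf "authenticate() returned %d (expected %d)\n", $rc, RLM_MODULE_OK;
    printf "backend would reject the unfiltered request: %s\n",
        otp_backend_verify(\%RAD_REQUEST) ? 'no' : 'yes';
}
```

Run stand-alone, the script shows the filtered call succeeding while the same backend rejects the raw request that still carries State. Filtering on a copy rather than clearing State in place matters when the Perl module is part of a multi-round (push token or challenge) flow: FreeRADIUS needs the State attribute to pair the second Access-Request with the first, and a blanked State in %RAD_REQUEST can break that pairing even though the first-round PIN check now passes.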