If you can not attend or if you want to try this at home afterwards, here is what we will do!

Setup

10.0.2.201 ucs.tuebix.intranet (LDAP) Univention Corporate Server 4.2
10.0.2.202 privacyidea.tuebix.intranet, Ubuntu 16.04 LTS
10.0.2.203 wordpress.tuebix.intranet, Ubuntu 16.04 LTS with latest wordpress
10.0.2.204 owncloud.tuebix.intranet, Ubuntu 16.04 LTS with ownCloud 10

LDAP

BaseDN: cn=users,dc=tuebix,dc=intranet

The UCS has the following users:

• admininistrator
• user1
• user2
• user3

ownCloud

ownCloud is connected via LDAP, so the LDAP users can connect to ownCloud.

The ownCloud Administrator is called: admin

WordPress

WordPress only has internal users. Nevertheless the user are also called:

• administrator
• user1
• user2
• user3

What we will do – our Agenda

• We will install privacyIDEA and connect privacyIDEA to the UCS, so that privacyIDEA knows the users from the LDAP directory
• Then we will enroll different kind of tokens to the users.
  • The administrator can enroll a token for the users but
  • users can also login to the webui with their LDAP password an enroll a token for themselves.
• Then we start connecting applications to privacyIDEA to add 2FA to the applications
  • WordPress with “strong authentication” plugin
  • ownCloud with the “privacyIDEA ownCloud App” from the market place
  • SSH login with 2FA for users user1, user2, user3

privacyIDEA

Install

privacyIDEA can be installed in many different ways on different Linux distributions. We will install privacyIDEA on our Ubuntu 16.04 machine 10.0.2.202.

As root:

add-apt-repository ppa:privacyidea/privacyidea

apt update

apt install privacyidea-apache2

privacyidea-apache2 is a meta package which will install MySQL, Apache and set up privacyIDEA. Finally we only need to create the first token administrator.

pi-manage add admin super

Now we have an administrator called “super”

Configure

privacyIDEA can be configured via command line, API or the web UI.

https://10.0.2.202

We need to configure the Resolver tuebix_users as Active Directory. For this we need to fetch the certificate of the UCS server.

• LDAP Resolver to ldaps://ucs.tuebix.intranet
• Base DN cn=users,dc=tuebix,dc=intranet
• Bind DN cn=administrator,cn=users,dc=tuebix,dc=intranet
• Preset AD

And a Realm tuebix with the resolver tuebix_users.

We can also take a look at the policies and configure a policy to use otppin=userstore.

Enroll tokens

Enroll tokens as administrator and as normal user…

• Enroll Smartphone App
• Yubikey
• U2F Token
• Feitian C200 (import File Feitian.csv)

ownCloud with 2FA

For ownCloud X we login as administrator and install the “privacyIDEA ownCloud App” from the Marketplace.

We need to configure the App against privacyIDEA:

• https://privacyidea.tuebix.intranet
• no realm
• no ssl check

Note: The privacyIDEA ownCloud App will authenticate all users with a 2nd factor!

After this, users need to present a 2nd factor against privacyIDEA when they log in.

WordPress with 2FA

Install the “strong authentication” plugin.

We need to configure the Plugin against privacyIDEA:

• https://privacyidea.tuebix.intranet…

Note: Users need to enter both factors in the password field at the same time.

The WordPress plugin authenticates users only against privacyIDEA; while with ownCloud users are authenticated by ownCloud and by privacyIDEA.

SSH with 2FA

On either owncloud machine or wordpress machine we install the privacyIDEA PAM module:

add-apt-repository ppa:privacyidea/privacyidea

apt update

apt install privacyidea-pam

…and configure it accordingly against https://privacyidea.tuebix.intranet.

Note: Users need to match!

privacyIDEA LDAP Proxy

Bonus!

privacyIDEA relies on the Python module ldap3, which is a great module to connect to LDAP and also do redundancy via a server pool and strategies like round robin.

Your pip installation might have updated the ldap3 module to version 2.x, which was not completely compatible with privacyIDEA anymore. This resulted in errors like pending timeouts and users which would not be fetch with the uidtype objectGUID (with Active Directory) anymore.

Thus you either should run

pip install ldap3==1.4.0

to downgrade the ldap3 module to version 1.4.0.

But I recommend to update privacyIDEA to version 2.16.1 and running ldap3 2.1.x.

Updating an Ubuntu installation from launchpad works out of the box. When updating a pip installation, please note that a new database table was added.

OTP system migration

privacyIDEA now helps you to migrate an old 3rd party installation to privacyIDEA. To do so the new RADIUS passthru policy was added. privacyIDEA can pass all authentication requests for users without a token to the defined RADIUS server. This way you can migrate tokens smoothly and run your old system and your new privacyIDEA side by side until you have removed all old tokens or moved all users and tokens to privacyIDEA.

LDAP Improvements

The LDAP received some nice improvements. It can now handle special characters like é and ß in the username and the password reliably. With Active Directory in Windows 2012 you can now use the objectGUID as the UID in the LDAP resolver.

We now use paged searched when retrieving user lists. This way you can get really all users in the LDAP directory.

Changelog

You can find a complete changelog at github.