Hi, we're trying to implement 2FA authentication on our LDAP for our critical infrastructure, including out-of-band management, but we hit a roadblock with iDRAC where it doesn't work, as it's trying to reuse the same credentials multiple times (first for login, then for the LDAP BIND, even when dedicated Bind DN credentials are specified).
Is there a way to make it work without credential reuse, or to make the second bind not use the credentials of the authenticating user (for example, by specifying a search filter)?
The LDAP server we use is FreeIPA with Yubikey OTP.
Things tried:
Here's how Generic LDAP Configuration and Management is set up, with sensitive information replaced with placeholders:
Enable Generic LDAP | Yes |
Use Distinguished Name to Search Group Membership | No |
LDAP Server Address | domain.example.com |
LDAP Server Port | 636 (LDAPS) |
Bind DN | uid=binduser,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com |
Update Bind Password | yes |
Bind Password | |
Base DN to Search | cn=compat,dc=domain,dc=example,dc=com |
Attribute of User Login | uid |
Attribute of Group Membership | memberUid |
Search Filter |
Log from testing the LDAP connection, with sensitive information replaced with placeholders:
16:34:47 Initiating Directory Services Settings Diagnostics:
16:34:47 trying LDAP server domain.example.com:636
16:34:47 Server Address domain.example.com resolved to 192.168.0.1
16:34:47 connect to 192.168.0.1:636 passed
16:34:47 Connecting to ldaps://[domain.example.com]:636...
16:34:47 Test user authenticated user=uid=ldap_bind,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com host=domain.example.com
16:34:47 Search command:
Bind DN: uid=ldap_bind,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com
Scope: subtree
Base DN: cn=compat,dc=domain,dc=example,dc=com
Search filter: (uid=full.name)
Attribute list:
objectClass
memberOf
dn
uid
objectCategory
defaultNamingContext
namingContexts
ldapServiceName
supportedControl
supportedExtension
16:34:47 Connecting to ldaps://[domain.example.com]:636...
16:34:47 Test user authenticated user=uid=full.name,cn=users,cn=compat,dc=domain,dc=example,dc=com host=domain.example.com
### Here's where credentials are reused with the token, which is invalid as it was already used for the previous login
16:34:47 Connecting to ldaps://[domain.example.com]:636...
16:34:48 ERROR: bind failed: Invalid credentials, (null):
user=uid=full.name,cn=users,cn=compat,dc=domain,dc=example,dc=com host=domain.example.com
Is there a way to make this work?
Thank you
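To make the failure mode in the log concrete, here is an added example (my own code, not iDRAC's or FreeIPA's) that models the three binds the diagnostics show: user bind, service-account bind for the search, then a second user bind with the very same credential. It assumes a constructed in-memory directory where an OTP user's password is the static password followed by a 6-digit counter-based HOTP (RFC 4226) code, standing in for the Yubikey OTP; the account names mirror the placeholders above.

```python
import hmac, hashlib, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpDirectory:
    """Constructed stand-in for the directory: static-password system accounts plus
    OTP users whose bind credential is <static password><6-digit HOTP code>."""
    def __init__(self):
        self.accounts = {}  # dn -> {"password": str, "secret": bytes|None, "counter": int}

    def add_system_account(self, dn, password):
        self.accounts[dn] = {"password": password, "secret": None}

    def add_otp_user(self, dn, password, secret):
        self.accounts[dn] = {"password": password, "secret": secret, "counter": 0}

    def bind(self, dn, credential) -> bool:
        acct = self.accounts.get(dn)
        if acct is None:
            return False
        if acct["secret"] is None:                       # plain service account
            return hmac.compare_digest(acct["password"], credential)
        static, otp = credential[:-6], credential[-6:]
        if not hmac.compare_digest(acct["password"], static):
            return False
        # Accept a small look-ahead window; an accepted counter is consumed,
        # so replaying the same code on a later bind is rejected.
        for c in range(acct["counter"], acct["counter"] + 5):
            if hmac.compare_digest(hotp(acct["secret"], c), otp):
                acct["counter"] = c + 1
                return True
        return False

def idrac_sequence(directory, bind_dn, bind_pw, user_dn, user_credential):
    """Replays the bind order from the diagnostics log using ONE user credential."""
    return [
        ("user bind (login)", directory.bind(user_dn, user_credential)),
        ("service-account bind (search)", directory.bind(bind_dn, bind_pw)),
        ("user re-bind, same credential", directory.bind(user_dn, user_credential)),
    ]
```

The third step fails exactly as the log does; binding the user again with a freshly generated code succeeds, which is what separates "single-use token consumed" from "wrong password".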
Thundersteak,
With this question I would suggest calling in to support and working with the software support high complexity group, as it is likely going to take access to the systems.