AD webui Login not possible

Hi,

I am having trouble logging in to the Web UI with my AD credentials. Here is my setup:

  • an LDAP-Resolver which works (returns one user as expected)
  • a Realm with the name “Admin” with the LDAP-Resolver
  • in pi.cfg I added Admin to the SUPERUSER_REALM variable
  • A Policy (with the Helpdesk template) with Admin-Realm set to “admin”

When I try to log in with the AD user I get “Authentication Failed.”

Here is the corresponding log:

[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:531] Policies after matching scope: []
[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:556] Policies after matching action: []
[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:556] Policies after matching user: []
[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:556] Policies after matching realm: []
[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:591] Policies after matching resolver: []
[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:603] Policies after matching pinode: []
[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:633] Policies after matching client: []
[2020-07-15 12:36:17,170][320722][139959283669888][DEBUG][privacyidea.lib.policy:198] Exiting list_policies with result []
[2020-07-15 12:36:17,171][320722][139959283669888][DEBUG][privacyidea.lib.policy:710] Policies after matching time: []
[2020-07-15 12:36:17,171][320722][139959283669888][DEBUG][privacyidea.lib.policy:714] Policies after matching conditions
[2020-07-15 12:36:17,171][320722][139959283669888][DEBUG][privacyidea.lib.policy:198] Exiting match_policies with result []
[2020-07-15 12:36:17,171][320722][139959283669888][DEBUG][privacyidea.lib.user:188] Entering check_password with arguments HIDDEN and keywords HIDDEN
[2020-07-15 12:36:17,171][320722][139959283669888][INFO][privacyidea.lib.user:359] User '' from realm 'admin' tries to authenticate
[2020-07-15 12:36:17,171][320722][139959283669888][DEBUG][privacyidea.lib.resolver:185] Entering get_resolver_object with arguments ('ad_admins',) and keywords {}
[2020-07-15 12:36:17,171][320722][139959283669888][DEBUG][privacyidea.lib.resolver:185] Entering get_resolver_list with arguments () and keywords {'filter_resolver_name': 'ad_admins'}
[2020-07-15 12:36:17,171][320722][139959283669888][DEBUG][privacyidea.lib.resolver:200] Exiting get_resolver_list with result HIDDEN
[2020-07-15 12:36:17,172][320722][139959283669888][DEBUG][privacyidea.lib.resolver:198] Exiting get_resolver_object with result <privacyidea.lib.resolvers.LDAPIdResolver.IdResolver object at 0x7f4ac9d27610>
[2020-07-15 12:36:17,174][320722][139959283669888][INFO][privacyidea.lib.resolvers.LDAPIdResolver:466] The filter '(&(memberOf=CN=privacyideaadmins,CN=Users,DC=LAB,DC=local)(&(sAMAccountName=*)(objectClass=person))(objectGUID=\\c5\\d9\\10\\b8\\b8\\2b\\4e\\43\\90\\db\\0e\\2f\\11\\b1\\61\\5f))' returned no DN.
[2020-07-15 12:36:17,174][320722][139959283669888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:333] Authtype: 'Simple'
[2020-07-15 12:36:17,174][320722][139959283669888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:334] user    : ''
[2020-07-15 12:36:17,174][320722][139959283669888][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:354] failed to check password for 'b810d9c5-2bb8-434e-90db-0e2f11b1615f'/'': Exception('No valid user. Empty bind_user.')
[2020-07-15 12:36:17,175][320722][139959283669888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:355] Traceback (most recent call last):
  File "./privacyidea/lib/resolvers/LDAPIdResolver.py", line 338, in checkPass
    raise Exception("No valid user. Empty bind_user.")
Exception: No valid user. Empty bind_user.

[2020-07-15 12:36:17,175][320722][139959283669888][INFO][privacyidea.lib.user:371] user User(login='', realm='admin', resolver='ad_admins') failed to authenticate.
[2020-07-15 12:36:17,175][320722][139959283669888][DEBUG][privacyidea.lib.user:198] Exiting check_password with result None
[2020-07-15 12:36:17,175][320722][139959283669888][DEBUG][privacyidea.lib.auditmodules.base:185] Entering log with arguments (<privacyidea.lib.auditmodules.sqlaudit.Audit object at 0x7f4ac91d1eb0>, {'user': '', 'administrator': '', 'realm': 'admin', 'resolver': 'ad_admins', 'serial': None, 'info': 'logged in as franadm. |loginmode=None'}) and keywords {}
[2020-07-15 12:36:17,175][320722][139959283669888][DEBUG][privacyidea.lib.auditmodules.base:198] Exiting log with result None
[2020-07-15 12:36:17,206][320722][139959283669888][DEBUG][privacyidea.api.before_after:90] End handling of request '/auth?'

The weird thing about it is this line:

[2020-07-15 12:36:17,174][320722][139959283669888][INFO][privacyidea.lib.resolvers.LDAPIdResolver:466] The filter '(&(memberOf=CN=privacyideaadmins,CN=Users,DC=LAB,DC=local)(&(sAMAccountName=*)(objectClass=person))(objectGUID=\\c5\\d9\\10\\b8\\b8\\2b\\4e\\43\\90\\db\\0e\\2f\\11\\b1\\61\\5f))' returned no DN.

because my objectGUID is b810d9c5-2bb8-434e-90db-0e2f11b1615f, as you can see three lines after the weird line.

Is there something wrong with my Configuration?

Many thanks in advance!
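An added example (not part of the original post, and not privacyIDEA's own code) that converts between the two objectGUID notations seen in the log above: the hyphenated string in the WARNING line and the escaped byte sequence in the LDAP filter. It assumes Active Directory's binary GUID layout, where the first three fields are stored little-endian, and that every byte in the filter value is escaped as in the log; the function names are hypothetical.

```python
import re
import uuid

# Values copied from the log lines in the post above.
GUID_FROM_WARNING = "b810d9c5-2bb8-434e-90db-0e2f11b1615f"
FILTER_FROM_LOG = (
    r"(&(memberOf=CN=privacyideaadmins,CN=Users,DC=LAB,DC=local)"
    r"(&(sAMAccountName=*)(objectClass=person))"
    r"(objectGUID=\\c5\\d9\\10\\b8\\b8\\2b\\4e\\43\\90\\db\\0e\\2f\\11\\b1\\61\\5f))"
)


def guid_to_filter_value(guid_str):
    """Hyphenated GUID string -> escaped bytes for an LDAP search filter.

    bytes_le yields the mixed-endian layout AD uses for objectGUID:
    the first three fields byte-swapped, the last eight bytes in order.
    """
    raw = uuid.UUID(guid_str).bytes_le
    return "".join("\\{:02x}".format(b) for b in raw)


def filter_value_to_guid(escaped):
    """Escaped filter bytes -> hyphenated GUID string.

    Accepts one or more backslashes per byte, because the log line
    shows each backslash doubled.
    """
    pairs = re.findall(r"\\+([0-9a-fA-F]{2})", escaped)
    if len(pairs) != 16:
        raise ValueError("expected 16 escaped bytes, got %d" % len(pairs))
    return str(uuid.UUID(bytes_le=bytes.fromhex("".join(pairs))))


def guid_in_filter(ldap_filter):
    """Return the objectGUID term of a filter as a GUID string, or None."""
    m = re.search(r"\(objectGUID=((?:\\+[0-9a-fA-F]{2}){16})\)", ldap_filter)
    return filter_value_to_guid(m.group(1)) if m else None


if __name__ == "__main__":
    print("filter form of GUID :", guid_to_filter_value(GUID_FROM_WARNING))
    print("GUID in logged filter:", guid_in_filter(FILTER_FROM_LOG))
    print("same object          :",
          guid_in_filter(FILTER_FROM_LOG) == GUID_FROM_WARNING)
```

Both notations decode to the same GUID, so the objectGUID term in the logged filter refers to the same object as the WARNING line; only the byte order of the first three fields differs.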

No one can tell this, since we do not know your configuration :wink:

It would be helpful if you pasted your resolver config.
I guess something could be wrong there. You have an empty bind user, which either indicates your resolver does not have a bind user or the user who is trying to log in cannot be found.

Also: How did you install privacyIDEA? What is your ldap3 version? It must not be 2.7, but rather 2.6.1.