Re: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius

Hi,
The user can not be found in the resolver.

What does the request look like? Is the realm the default realm? What does the DN of the user look like?

You might have specified the wrong realm (see default realm)

Kind regards
Cornelius

Cornelius Kölbel
Cornelius.koelbel@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

-------- Original message --------
From: Tony Hawker lil.tud@gmail.com
Date: 21.10.2015 13:14 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius

Hi Cornelius
Thanks for your response.
I am running a PIP installation on CentOS 7.
I am running the latest version of privacyIDEA (2.7), updated as per the instructions on howtoforge.
The user is coming from Active Directory.
UID is DN.
There are no special characters anywhere in the AD config.

Testing using the URL you provided, I get the message below when attempting to use an AD user:

"version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}

but if I use the root user (from the privacyidea server) this returns:

{"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}

I assume the OTP token is out of sync, but this looks much more promising.
Any idea why the AD would not work via this method? I can see all the users in the webui etc.
Cheers
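The two answers quoted above are exactly what the FreeRADIUS plugin has to turn into an Accept, a Reject or a module failure. The following is an added example (not code from privacyIDEA, the rlm_perl plugin, or anyone in this thread): an offline interpreter for /validate/check answers plus a small client that sends user, pass and an explicit realm with TLS verification switched on, unlike the "Not verifying SSL certificate!" setting visible in the rlm_perl log. The function names, the constructed sample bodies and the assumption that the "wrong otp pin" message sits inside a "detail" object are mine, not the page's.

```python
# Added example (not privacyIDEA or rlm_perl code): reproduce the verdict the
# RADIUS plugin derives from a /validate/check answer, and query the endpoint
# with certificate verification on. Sample bodies below are constructed to
# match the shape of the two answers quoted in the thread.
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


def interpret_response(http_status, body):
    """Map one /validate/check answer to a RADIUS-style verdict.

    Returns (verdict, reason) with verdict in {"accept", "reject", "fail"}:
      fail   - result.status is false: privacyIDEA could not process the request
               (e.g. ERR905, user not found in any resolver of the realm); the
               2.x server in this thread sends these with HTTP 500.
      reject - result.status true but result.value false: user known, wrong PIN/OTP.
      accept - result.status and result.value both true.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "fail", "non-JSON body with HTTP %s" % http_status
    result = data.get("result") or {}
    if not result.get("status"):
        err = result.get("error") or {}
        return "fail", "%s (code %s, HTTP %s)" % (
            err.get("message", "unknown error"), err.get("code"), http_status)
    if result.get("value") is True:
        return "accept", "authenticated"
    detail = data.get("detail") or {}          # assumed wrapper for the message
    return "reject", detail.get("message", "authentication failed")


def validate_check(base_url, user, password, realm=None, cafile=None, timeout=5):
    """POST user/pass(/realm) to <base_url>/validate/check, verifying the server cert.

    The PIN and OTP travel in the request body, so this fails closed unless the
    certificate chains to `cafile` (or the system trust store when cafile is None).
    """
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm      # leave it out and privacyIDEA uses its default realm
    req = urllib.request.Request(
        base_url.rstrip("/") + "/validate/check",
        data=urllib.parse.urlencode(params).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return interpret_response(resp.getcode(), resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        # an HTTP 500 still carries a JSON body (ERR905 above); keep its reason
        return interpret_response(e.code, e.read().decode("utf-8"))


# Constructed sample bodies, shaped like the answers quoted in the thread.
SAMPLE_USER_NOT_FOUND = json.dumps({
    "version": "privacyIDEA 2.7", "id": 1, "time": 1445425459.788956,
    "result": {"status": False, "error": {
        "code": -500,
        "message": "ERR905: The user can not be found in any resolver in this realm!"}}})
SAMPLE_WRONG_OTP_PIN = json.dumps({
    "version": "privacyIDEA 2.7", "versionnumber": "2.7", "id": 1,
    "time": 1445425581.107504,
    "detail": {"message": "wrong otp pin"},
    "result": {"status": True, "value": False}})
SAMPLE_ACCEPT = json.dumps({
    "version": "privacyIDEA 2.7", "id": 1,
    "detail": {"message": "matching 1 tokens"},
    "result": {"status": True, "value": True}})


def demo():
    """Run the interpreter over the constructed samples; returns the verdicts."""
    return {
        "ad_user": interpret_response(500, SAMPLE_USER_NOT_FOUND),
        "root_user": interpret_response(200, SAMPLE_WRONG_OTP_PIN),
        "good_otp": interpret_response(200, SAMPLE_ACCEPT),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print("%-9s -> %-6s %s" % (name, verdict, reason))
```

The useful distinction is between "fail" and "reject": a status=false answer means the request never reached token checking (wrong realm, user not resolvable), which is a configuration problem, whereas status=true/value=false means the user was found and only the credential was wrong.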

On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:

Hi Tony,
Are you running a pip installation or Debian wheezy?
Which version of privacyidea are you running?
In certain cases there were problems with the LDAP resolver if the DN contains special characters and is base64 encoded.
Is it OpenLDAP or AD?
The UID type: is it DN or entryUUID?
Kind regards
Cornelius


-------- Original message --------
From: Tony Hawker lil...@gmail.com
Date: 21.10.2015 08:59 (GMT+01:00)
To: privacyidea priva...@googlegroups.com
Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius

Hi
Thanks for your quick response to my issue.
I have been watching the privacyidea.log but no entries are made when a connection attempt is made via the radius, which leads me to think that the radius is not able to see the privacyidea API? I can access the URI in my browser, so I can see that it is up.

I see this in the privacyidea.log when I reboot:

[2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList
    user = self._ldap_attributes_to_user_object(attributes)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object
    for ldap_k, ldap_v in attributes.items():
AttributeError: 'NoneType' object has no attribute 'items'
'
Cheers
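The traceback above dies because getUserList hands an entry whose attribute set is None to the per-user conversion, and one bad entry then aborts the whole user list. The following is an added example, not privacyIDEA's LDAPIdResolver code: a conversion that skips such entries and reports them instead of raising. The attribute map, the helper names and the sample entries are constructed here; the referral-style entry is one way such a None can arise in an AD subtree search, which this thread does not establish.

```python
# Added example (not privacyIDEA's resolver code): build user records from raw
# LDAP search entries while tolerating entries that carry no attributes, the
# condition behind "'NoneType' object has no attribute 'items'" above.


def ldap_attributes_to_user(attributes, attribute_map):
    """Map one entry's attributes to resolver keys (username, email, ...).

    attribute_map: {"username": "sAMAccountName", ...} (assumed AD names).
    Multi-valued attributes keep their first value; absent ones become None.
    Raises ValueError, not AttributeError, when `attributes` is not a dict.
    """
    if not isinstance(attributes, dict):
        raise ValueError("entry carries no attribute dict: %r" % (attributes,))
    user = {}
    for key, ldap_attr in attribute_map.items():
        value = attributes.get(ldap_attr)
        if isinstance(value, (list, tuple)):
            value = value[0] if value else None
        user[key] = value
    return user


def entries_to_users(entries, attribute_map, uid_attribute="dn"):
    """Convert search entries to user dicts; return (users, skipped).

    uid_attribute selects the user id: "dn" (the 'UID is DN' setup in this
    thread) or an attribute name such as "objectGUID". Entries without a DN,
    without attributes, or without the uid attribute land in `skipped` and do
    not abort the rest of the list.
    """
    users, skipped = [], []
    for entry in entries:
        dn = entry.get("dn")
        attributes = entry.get("attributes")
        if dn is None or attributes is None:
            skipped.append({"dn": dn, "reason": "no attributes", "entry": entry})
            continue
        user = ldap_attributes_to_user(attributes, attribute_map)
        if uid_attribute == "dn":
            userid = dn
        else:
            userid = attributes.get(uid_attribute)
            if isinstance(userid, (list, tuple)):
                userid = userid[0] if userid else None
        if userid is None:
            skipped.append({"dn": dn, "reason": "no %s" % uid_attribute, "entry": entry})
            continue
        user["userid"] = userid
        users.append(user)
    return users, skipped


# Constructed sample data: an assumed attribute mapping and three search entries.
ATTRIBUTE_MAP = {"username": "sAMAccountName", "email": "mail", "surname": "sn"}

SAMPLE_ENTRIES = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=com",
     "attributes": {"sAMAccountName": ["jdoe"], "mail": ["jdoe@example.com"],
                    "sn": ["Doe"]}},
    # referral-style entry (assumed shape): no DN and no attributes at all
    {"dn": None, "attributes": None,
     "uri": ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]},
    # a real object with sparse attributes: no mail, empty sn
    {"dn": "CN=svc-radius,OU=Service,DC=example,DC=com",
     "attributes": {"sAMAccountName": ["svc-radius"], "sn": []}},
]


def demo():
    """Convert the constructed entries keyed by DN; returns (users, skipped)."""
    return entries_to_users(SAMPLE_ENTRIES, ATTRIBUTE_MAP)


if __name__ == "__main__":
    users, skipped = demo()
    for u in users:
        print("user:", u)
    for s in skipped:
        print("skipped:", s["dn"], s["reason"])
```

Logging the skipped entries with their DN is what turns a silent 500 into a line in privacyidea.log that names the offending object, which is the check the thread was missing.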

On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:

Hi Tony,

please do the following:

  1. Take a look into the audit log.

Within the webui, take a look at what you can see in the request in the Audit tab, the rightmost tab.

I assume the user does not exist.

The audit gives you a top-level view of what is happening in privacyidea.

  2. Take a look into the log file privacyidea.log.

This gives you a detailed view of what is happening.

Kind regards

Cornelius

On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:

Hi

I have followed the guide on setting up privacyIDEA on CentOS 7 here:

Two-Factor-Authentication with OTP on CentOS 7 – privacyID3A

I can access the webui, register tokens, linked to Active Directory etc, all tested ok.

I am having issues with the radius plugin. When I attempt to make any connection to the radius, either using the test functions described in the link above or from an external connection, I am seeing the errors below:

]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123
Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
    User-Name = 'user'
    User-Password = 'password'
Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) -: Expected Access-Accept got Access-Reject
Packet summary:
    Accepted      : 0
    Rejected      : 1
    Lost          : 0
    Passed filter : 0
    Failed filter : 1

and on the radius server I see this:

Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
    User-Name = 'user'
    User-Password = 'password'
(0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
(0) User-Name = 'user'
(0) User-Password = 'password'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0) authorize {
(0) [preprocess] = ok
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "user", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) ntdomain : Checking for prefix before "\"
(0) ntdomain : No '\' in User-Name = "user", looking up realm NULL
(0) ntdomain : No such realm "NULL"
(0) [ntdomain] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
(0) perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
(0) perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0) perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
(0) perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
(0) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
(0) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
(0) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(0) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0) [perl] = fail
(0) } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
(0) Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 111 with timestamp +7

I don't think this is just an issue with the user / password, but can anyone point me in the right direction as to what I may have done wrong with either the radius or privacyidea install?

Cheers

You received this message because you are subscribed to the Google

Groups “privacyidea” group.

To unsubscribe from this group and stop receiving emails from it, send

an email to privacyidea...@googlegroups.com.

To post to this group, send email to priva...@googlegroups.com.

To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

