Cannot login to WebUI with AD user

Hi,

I hope this is the official mailing list of PrivacyID3A, if not please just
point me to the correct location.

I am currently evaluating PrivacyID3A. Installation on Ubuntu 14.04 server
LTS went fine.

I use privacyidea-apache2 Version: 2.1-1trusty via
ppa:privacyidea/privacyidea

After installation I added an administrative user and can login to the
webUI with it.

Next steps were adding

  • ldapresolver pointing to our AD (test works)
  • creating a user *realm* and assigning the ldapresolver to it

As read in the documentation at http://privacyidea.readthedocs.org/ I
should now be able to login with any of my AD users, right? - Well, I can’t.
I always get “Wrong Credentials”.

I tried everything I could imagine to get it working. I tried to login with

  • user/adpassword
  • user@realm/adpassword
  • user@email.tld/adpassword

I also tried some policies but as written in the docs, this should not be
necessary for the default realm. The default realm users should be able to
login to the WebUI, right?

Any hints for me? Any ways to debug this by increasing logs somehow?

Any help would be appreciated.

Thanks in advance.

Peter
aka Der PCFreak

Hi Cornelius,

thank you, good job, you were absolutely right.

This one liner fixed it (as per my own documentation).

sudo sed -i "s/SUPERUSER_REALM = super/SUPERUSER_REALM = 'super'/g" /etc/privacyidea/pi.cfg

… I am getting closer to my target now!

Greets

Peter

Hi PCFreak,

there is a bug in the auth.py.
You can use a work around in the config file pi.cfg:

See Migrate SCIMIdResolver · Issue #109 · privacyidea/privacyidea · GitHub

Configure the SUPERUSER_REALM as a list like:

SUPERUSER_REALM = ["somerealm"]

As soon as you restart apache, you can log in.

Kind regards
Cornelius

I have some output of privacyidea.log that might help?

[2015-03-27 11:54:44,037][2529][140658750306048][WARNING][privacyidea.lib.config:496] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-27 11:54:44,057][2529][140658750306048][WARNING][privacyidea.lib.config:496] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-27 11:54:44,070][2529][140658750306048][WARNING][privacyidea.lib.config:496] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-27 11:54:44,088][2529][140658750306048][ERROR][privacyidea.app:1423] Exception on /auth [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/auth.py", line 178, in get_auth_token
    superuser_realms=superuser_realms)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 75, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 232, in login_mode
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/auth.py", line 119, in check_webui_user
    if user_obj.realm in superuser_realms:
TypeError: argument of type 'type' is not iterable

Maybe this helps?

Cheers

PCFreak
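
Added example (not part of the original thread and not privacyIDEA's own code): a Python model of the `realm in superuser_realms` check from the traceback, showing how the three SUPERUSER_REALM spellings from this thread behave, assuming pi.cfg is evaluated as Python code. The function names and the config snippets are constructed; normalize_realms is a hypothetical hardening helper.

```python
# Model of the membership test seen in the traceback (auth.py, check_webui_user).
# All names and config snippets here are constructed for illustration.

def load_cfg(text):
    """Evaluate config text as Python (assumption: pi.cfg is read this way)."""
    ns = {}
    exec(text, ns)
    return ns["SUPERUSER_REALM"]

def is_superuser_realm(realm, superuser_realms):
    """The raw check from the traceback: `realm in superuser_realms`."""
    return realm in superuser_realms

def classify(cfg_text, realm):
    """Return 'error', True or False for the raw check against a config snippet."""
    try:
        return is_superuser_realm(realm, load_cfg(cfg_text))
    except TypeError:
        return "error"

def normalize_realms(value):
    """Hypothetical hardening: accept a string or a collection of strings and
    return a frozenset, so membership is always an exact match."""
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, (list, tuple, set, frozenset)):
        raise TypeError("SUPERUSER_REALM must be a string or list, got %r" % (value,))
    realms = frozenset(value)
    if not all(isinstance(r, str) and r for r in realms):
        raise ValueError("SUPERUSER_REALM entries must be non-empty strings")
    return realms

UNQUOTED = "SUPERUSER_REALM = super"     # resolves to the builtin type `super`
QUOTED = "SUPERUSER_REALM = 'super'"     # plain string: `in` is a substring test
AS_LIST = "SUPERUSER_REALM = ['super']"  # list: `in` is exact membership

if __name__ == "__main__":
    for cfg in (UNQUOTED, QUOTED, AS_LIST):
        results = {r: classify(cfg, r) for r in ("super", "sup", "users")}
        print(cfg, "->", results)
    # After normalization the quoted string no longer matches partial realm names.
    print("sup" in normalize_realms(load_cfg(QUOTED)))
```

With a plain string, any realm whose name is a substring of the configured value passes the raw check, which is why the list form gives the stricter result.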