Hello,
Can anyone give me a pointer on how to fix this problem?
After I upgraded to 3.8.x from 3.7.4, my simpleSAMLphp suddenly cannot do enrolltoken anymore via the API.
OTP verification from simpleSAMLphp still works normally if I enroll the token manually from privacyIDEA, but now I'm missing the ability to have the users self-enroll the token automatically on first-time login.
Here is the simpleSAMLphp debug log:
Feb 21 17:16:03 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: Sending username=sso.service.account, password=fakepassword, realm=DOMAIN.TLD to /auth
Feb 21 17:16:04 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: Sending user=USER.NAME%40DOMAIN.TLD to /token/
Feb 21 17:16:05 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: /token/ returned {
"id": 1,
"jsonrpc": "2.0",
"result": {
"status": true,
"value": {
"count": 0,
"current": 1,
"next": null,
"prev": null,
"tokens": []
}
},
"time": 1676974565.146246,
"version": "privacyIDEA 3.8.1",
"versionnumber": "3.8.1",
"signature": "rsa_sha256_pss:..."
}
Feb 21 17:16:05 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: Sending user=USER.NAME%40DOMAIN.TLD, genkey=1, type=totp, description=Enrolled+with+simpleSAMLphp to /token/init
Feb 21 17:16:05 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: /token/init returned {
"detail": null,
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": 905,
"message": "ERR905: Cannot pass user_object (<USER.NAME.zimbraLDAP@DOMAIN.TLD>) as well as user (USER.NAME@DOMAIN.TLD), resolver (zimbraLDAP), realm (None)in policy (None, 'admin', 'enrollTOTP')"
},
"status": false
},
"time": 1676974565.4908726,
"version": "privacyIDEA 3.8.1",
"signature": "rsa_sha256_pss:..."
}
And the privacyidea.log:
[2023-02-21 17:16:03,798][1123487][140550873708416][INFO][privacyidea.lib.resolvers.LDAPIdResolver:333] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2023-02-21 17:16:04,627][1123487][140550873708416][INFO][privacyidea.api.auth:291] Local admin 'sso.service.account' successfully logged in.
[2023-02-21 17:16:04,880][1123488][140550873708416][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:98] Could not import gssapi package. Kerberos authentication not available
[2023-02-21 17:16:04,881][1123488][140550873708416][INFO][privacyidea.lib.resolvers.LDAPIdResolver:333] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2023-02-21 17:16:05,081][1123488][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,081][1123488][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,248][1123489][140550873708416][INFO][privacyidea.lib.resolvers.LDAPIdResolver:333] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2023-02-21 17:16:05,437][1123489][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,437][1123489][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,486][1123489][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,486][1123489][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,487][1123489][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,487][1123489][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,488][1123489][140550873708416][WARNING][privacyidea.lib.policy:746] Cannot pass user_object as well as user, resolver, realm in policy (None, 'admin', 'enrollTOTP'). <USER.NAME.zimbraLDAP@DOMAIN.TLD> - USER.NAME@DOMAIN.TLD@None in resolver zimbraLDAP
[2023-02-21 17:16:05,488][1123489][140550873708416][WARNING][privacyidea.lib.policy:750] Possible programming error: File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 2464, in __call__
return self.wsgi_app(environ, start_response)
File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 158, in policy_wrapper
return wrapped_function(*args, **kwds)
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 158, in policy_wrapper
return wrapped_function(*args, **kwds)
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 156, in policy_wrapper
self.function(request=self.request,
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 1303, in check_token_init
init_allowed = Match.generic(g, action=action,
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 2771, in allowed
policies_defined = self.any(write_to_audit_log=write_to_audit_log)
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 2724, in any
return bool(self.policies(write_to_audit_log=write_to_audit_log))
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 2713, in policies
return self._g.policy_object.match_policies(audit_data=audit_data, request_headers=request_headers,
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/log.py", line 151, in log_wrapper
return func(*args, **kwds)
File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 745, in match_policies
tb_str = ''.join(traceback.format_stack())
Thanks