Error in TEST resolverLDAP

When I click on the “test LDAP resolver” button I get the following error.
Later when I go to resolver created I can’t see the LDAP users either:


Log PrivacyIdea:
[2021-12-28 13:01:04,893][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:04,893][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:07,746][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:07,746][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:10,438][3920][140118200014656][INFO][privacyidea.lib.resolvers.LDAPIdResolver:322] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2021-12-28 13:01:10,673][3920][140118200014656][ERROR][privacyidea.lib.user:726] UnicodeError("Unable to convert type list to unicode: [(0, False, 4, '1.2.840.113556.1.4.319'), (0, False, 1, True), (0, False, 4, '0\x84\x00\x00\x00\t\x02\x01\x00\x04\x04107d')]",)
[2021-12-28 13:01:16,371][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:16,371][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:18,566][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:18,567][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:20,773][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:01:20,773][3920][140118200014656][WARNING][privacyidea.lib.crypto:341] Non-hexadecimal digit found
[2021-12-28 13:05:03,129][3920][140118200014656][INFO][privacyidea.lib.resolvers.LDAPIdResolver:322] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2021-12-28 13:05:03,549][3920][140118200014656][INFO][privacyidea.api.auth:289] Local admin ‘admin’ successfully logged in.

Your attribute mapping does not fit the expectations from privacyIDEA.

Your “Mapeo de Atributos” might be faulty. Try to start with a simpler one to reduce complexity and narrow down your problem.

I have left this:
{"uid": "uid"}
I keep getting the same error.
I’ve also tried this one: {"username": "cn", "uid": "uid"} and it doesn’t work. I don’t know what I’m doing wrong.

What does your uid actually look like?

The uid attribute on our LDAP server contains the user’s email, the same as the cn attribute.

Your error originates here:

Activate debug log. This will help you to understand what happens.
Revert to the default openldap? configuration/mapping.
There is no reason to have a uid in your attribute mapping.
I recommend starting with the default config.

Sorry for the inconvenience. I have activated the log in DEBUG mode (10). I have left the configuration of the OPENLDAP preset, and changed the mapping of the default attributes to the following:
{"phone": "uid", "mobile": "cn", "email": "mail", "surname": "sn", "givenname": "givenname"}
checking that all of them are in my LDAP.


I keep getting the same error. This is the log output:

[2021-12-28 19:54:52,282][51965][139687699093312][DEBUG][privacyidea.lib.policy:566] Policies after matching scope: []
[2021-12-28 19:54:52,282][51965][139687699093312][DEBUG][privacyidea.lib.policy:591] Policies after matching action: []
[2021-12-28 19:54:52,282][51965][139687699093312][DEBUG][privacyidea.lib.policy:591] Policies after matching adminrealm: []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:591] Policies after matching adminuser: []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:626] Policies after matching resolver: []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:637] Policies after matching pinode: []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:668] Policies after matching client: []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:198] Exiting list_policies with result []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:746] Policies after matching time: []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:752] Policies after matching conditions
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:198] Exiting match_policies with result []
[2021-12-28 19:54:52,283][51965][139687699093312][DEBUG][privacyidea.lib.policy:186] Entering list_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7f0b7e96e6d0>,) and keywords {'active': True, 'scope': u'admin'}
[2021-12-28 19:54:52,284][51965][139687699093312][DEBUG][privacyidea.lib.policy:566] Policies after matching active: [{'time': u'', 'user': [], 'resolver': [], 'active': True, 'adminrealm': [], 'adminuser': [], 'realm': [], 'name': u'welcome_disable', 'pinode': [], 'priority': 1L, 'client': [], 'check_all_resolvers': False, 'action': {u'hide_welcome_info': True}, 'scope': u'webui', 'conditions': []}, {'time': u'', 'user': [], 'resolver': [u'OID-Pruebas', u'OID-PRE'], 'active': True, 'adminrealm': [], 'adminuser': [], 'realm': [u'dominio-oidpruebas', u'dominio_oidpruebas'], 'name': u'adduser', 'pinode': [], 'priority': 1L, 'client': [], 'check_all_resolvers': False, 'action': {u'add_user_in_response': True, u'add_resolver_in_response': True}, 'scope': u'authorization', 'conditions': []}]
[2021-12-28 19:54:52,284][51965][139687699093312][DEBUG][privacyidea.lib.policy:566] Policies after matching scope: []
[2021-12-28 19:54:52,284][51965][139687699093312][DEBUG][privacyidea.lib.policy:198] Exiting list_policies with result []
[2021-12-28 19:54:52,284][51965][139687699093312][DEBUG][privacyidea.lib.resolver:186] Entering pretestresolver with arguments (u'ldapresolver', {u'TLS_VERSION': u'2', u'EDITABLE': False, u'SERVERPOOL_ROUNDS': u'4', u'BINDPW': u'__CENSORED__', u'TIMEOUT': u'30', u'SERVERPOOL_SKIP': u'30', u'MULTIVALUEATTRIBUTES': u'', u'LDAPBASE': u'cn=users,dc=***,dc=es', u'LOGINNAMEATTRIBUTE': u'uid', u'UIDTYPE': u'entryUUID', u'TLS_VERIFY': False, u'SERVERPOOL_PERSISTENT': False, u'type': u'ldapresolver', u'BINDDN': u'cn=***,cn=users,dc=***,dc=es', u'AUTHTYPE': u'Simple', u'resolver': u'OID-PRE', u'SCOPE': u'SUBTREE', u'NOREFERRALS': True, u'CACHE_TIMEOUT': u'120', u'START_TLS': False, u'LDAPURI': u'ldap://oid-pruebas.***.***.es:389', u'LDAPSEARCHFILTER': u'(uid=*)(objectClass=inetOrgPerson)', u'USERINFO': u'{ "phone" : "uid", "mobile" : "cn", "email" : "mail", "surname" : "sn", "givenname" : "givenname" }', u'SIZELIMIT': 0, u'NOSCHEMAS': False}) and keywords {}
[2021-12-28 19:54:52,286][51965][139687699093312][DEBUG][privacyidea.lib.resolver:186] Entering get_resolver_list with arguments () and keywords {'filter_resolver_name': u'OID-PRE'}
[2021-12-28 19:54:52,286][51965][139687699093312][DEBUG][privacyidea.lib.resolver:200] Exiting get_resolver_list with result HIDDEN
[2021-12-28 19:54:52,286][51965][139687699093312][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:184] Get LDAP schema info: 'SCHEMA'
[2021-12-28 19:54:52,287][51965][139687699093312][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:918] Added oid-pruebas.***.***.es, 389, False to server pool.
[2021-12-28 19:54:52,606][51965][139687699093312][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:1099] Traceback (most recent call last):
  File "/opt/privacyidea/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 1076, in testconnection
    for entry in ignore_sizelimit_exception(l, g):
  File "/opt/privacyidea/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 199, in ignore_sizelimit_exception
    last_entry = next(generator)
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/extend/standard/PagedSearch.py", line 68, in paged_search_generator
    None if cookie is True else cookie)
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/core/connection.py", line 846, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/strategy/sync.py", line 139, in post_send_search
    responses, result = self.get_response(message_id)
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/strategy/base.py", line 354, in get_response
    responses = self._get_response(message_id, timeout)
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/strategy/sync.py", line 165, in _get_response
    dict_response = self.decode_response_fast(ldap_resp)
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/strategy/base.py", line 536, in decode_response_fast
    result = ldap_result_to_dict_fast(ldap_message['payload'])
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/utils/asn1.py", line 179, in ldap_result_to_dict_fast
    response_dict['referrals'] = referrals_to_list([to_unicode(referral[3], from_server=True) for referral in response[3][3]])  # referrals
  File "/opt/privacyidea/lib/python2.7/site-packages/ldap3/utils/conv.py", line 75, in to_unicode
    raise UnicodeError("Unable to convert type %s to unicode: %r" % (obj.__class__.__name__, obj))
UnicodeError: Unable to convert type list to unicode: [(0, False, 4, '1.2.840.113556.1.4.319'), (0, False, 1, True), (0, False, 4, '0\x84\x00\x00\x00\t\x02\x01\x00\x04\x04107e')]

[2021-12-28 19:54:52,607][51965][139687699093312][DEBUG][privacyidea.lib.resolver:198] Exiting pretestresolver with result (False, 'UnicodeError("Unable to convert type list to unicode: [(0, False, 4, \'1.2.840.113556.1.4.319\'), (0, False, 1, True), (0, False, 4, \'0\\\\x84\\\\x00\\\\x00\\\\x00\\\\t\\\\x02\\\\x01\\\\x00\\\\x04\\\\x04107e\')]",)')
[2021-12-28 19:54:52,617][51965][139687699093312][DEBUG][privacyidea.api.resolver:198] Exiting test_resolver with result <PiResponseClass 411 bytes [200 OK]>
[2021-12-28 19:54:52,639][51965][139687699093312][DEBUG][privacyidea.api.before_after:100] End handling of request u'/resolver/test?'

When I use a token by sms against the same resolver, the correct answer that the server returns is this:

{"jsonrpc": "2.0", "signature": "rsa_sha256_pss:…", "detail": {"user-realm": "dominio_oidpruebas", "user": {"username": "josemaxxx@xxx.es", "uid": "josemaxxx@xxx.es", "xxx_tlf": "91xxxxx94", "numdocumento": "1xxxxxx2J", "xxx_cod_persona_sigma": "89474", "apellido2": "Jimenez", "apellido1": "Garc\u00eda", "nombre": "Jos\u00e9 Mar\u00eda", "xxx_categorias": "PAS", "mail": "josemaxxx@xxx.es", "xxx_cod_persona": "50xxxxx", "password": ""}, "threadid": 139687699093312, "message": "matching 1 tokens", "type": "sms", "serial": "PISM0000C38B", "otplen": 6, "user-resolver": "OID-Pruebas"}, "versionnumber": "3.6.2", "version": "privacyIDEA 3.6.2", "result": {"status": true, "value": true}, "time": 1640720041.90937, "id": 1}
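
Added example, not part of any post in this thread and not privacyIDEA or ldap3 code: the list quoted in the UnicodeError has the three-part shape of an LDAP control (controlType, criticality, controlValue), and 1.2.840.113556.1.4.319 is the Simple Paged Results control of RFC 2696, which the traceback shows ldap3 trying to convert as a referral string. The sketch below decodes the logged value; the reading of each tuple as (class, constructed, tag, value) is an assumption, and `read_tlv` and `decode_paged_control` are hypothetical helper names.

```python
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # RFC 2696 Simple Paged Results

# Constructed from the traceback above; each tuple is assumed to be
# (class, constructed, tag, value) as produced by ldap3's fast BER decoder.
LOGGED = [(0, False, 4, "1.2.840.113556.1.4.319"),
          (0, False, 1, True),
          (0, False, 4, b"0\x84\x00\x00\x00\t\x02\x01\x00\x04\x04107e")]


def read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:  # short form: the octet is the length itself
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_paged_control(items):
    """Interpret [controlType, criticality, controlValue] per RFC 2696."""
    oid, critical, value = (item[3] for item in items)
    if oid != PAGED_RESULTS_OID:
        raise ValueError("not a paged results control: %s" % oid)
    tag, seq, _ = read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("controlValue is not a SEQUENCE")
    tag, size_raw, nxt = read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, _ = read_tlv(seq, nxt)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    size = int.from_bytes(size_raw, "big", signed=True)
    return {"critical": critical, "size": size, "cookie": cookie}


if __name__ == "__main__":
    print(decode_paged_control(LOGGED))
```

The decoded value is a paging cookie with a size estimate of 0, so the bytes in the error message are server paging state rather than user attribute data.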

Judging from the line numbers in the traceback, are you running the latest stable version 3.6.3?

Your sms token works properly for a specific user. So the resolving is working properly.
I think you have one or more faulty uid values for some entries. You should check these.

First I installed the development version 3.6.3 but then as I had these problems I decided to download 3.6.2 to the last stable one.
What do you mean by wrong uids?
The specific problem of the TEST is not important but I do not know if it is also related to the fact that I cannot see the ldap users on the users screen nor can I log in to the privacyidea server with any of these users.