Here is the full error:
[2015-07-15 16:16:35,734][23371][140372868679424][INFO][privacyidea.lib.auditmodules.sqlaudit:130] using the connect string mysql://pi:hGaKJN_1ZgPJ@localhost/pi
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,883][23371][140372868679424][ERROR][privacyidea.app:1423] Exception on /validate/check [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 67, in check_user_or_serial_in_request_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/validate.py", line 179, in check
    result, details = check_user_pass(user, password, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 192, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 117, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 152, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1690, in check_user_pass
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1747, in check_token_list
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 357, in authenticate
    otp_counter = self.check_otp(otpval, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/totptoken.py", line 318, in check_otp
    symetric=True)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 129, in checkOtp
    otpval = self.generate(c)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 104, in generate
    hmac = self.hmac(counter=counter, key=key)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 73, in hmac
    dig = str(self.secretObj.hmac_digest(data_input, self.hashfunc))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 112, in hmac_digest
    self.setupKey()
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 144, in setupKey
    akey = decrypt(self.val, self.iv)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 341, in decrypt
    ret = hsm.decrypt(input, iv, id)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/security/default.py", line 388, in decrypt
    eof = output.rfind(u"\x01\x02")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)
[2015-07-15 16:16:35,884][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:239] exception DataError('(DataError) (1406, "Data too long for column 'info' at row 1")',)
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:240] DATA: {'info': u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", 'realm': u'cbatl', 'success': False, 'privacyidea_server': '127.0.0.1', 'client_user_agent': None, 'client': '127.0.0.1', 'user': u'jomunoz.site', 'action_detail': '', 'action': 'POST /validate/check'}
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:241]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/auditmodules/sqlaudit.py", line 231, in finalize_log
    self.session.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 721, in commit
    self.transaction.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 354, in commit
    self._prepare_impl()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 334, in _prepare_impl
    self.session.flush()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1818, in flush
    self._flush(objects)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1936, in _flush
    transaction.rollback(_capture_exception=True)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/langhelpers.py", line 58, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1900, in _flush
    flush_context.execute()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 372, in execute
    rec.execute(self)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 525, in execute
    uow
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 64, in save_obj
    table, insert)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 569, in _emit_insert_statements
    execute(statement, params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
    params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
    compiled_sql, distilled_params
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
    exc_info
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
    cursor.execute(statement, parameters)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
DataError: (DataError) (1406, "Data too long for column 'info' at row 1") 'INSERT INTO pidea_audit (date, signature, action, success, serial, token_type, user, realm, administrator, action_detail, info, privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 7, 15, 16, 16, 35, 883625), '', 'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl', None, '', u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)

On Wednesday, July 15, 2015 at 4:22:35 PM UTC-4, Tom Cole wrote:
So my best option is to have everyone do a new token.
On Wednesday, July 15, 2015 at 4:20:40 PM UTC-4, Cornelius Kölbel wrote:
When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?
The system is trying to write something into the info column.
This might be the result of a faulty decryption, resulting in a non-ASCII character.
Anyway - if you really installed PI anew and just used the old database
without the enckey, then the old OTP data would be lost.
Kind regards
Cornelius
On Wednesday, 15.07.2015, 13:14 -0700, Tom Cole wrote:
Ok - that didn't work, but now I get this error:
DataError: (DataError) (1406, "Data too long for column 'info' at row 1") 'INSERT INTO pidea_audit (date, signature, action, success, serial, token_type, user, realm, administrator, action_detail, info, privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), '', 'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl', None, '', u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)
On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius Kölbel wrote:
Hi Tom,
you can either reset the PIN by setting an empty PIN or...
if you are not using a PIN or password at all (only the OTP value), then you
can define a policy:
scope: authentication
action: otppin=none
7.3. Authentication policies — privacyIDEA 3.8 documentation
Then users will only authenticate with 123456.
Kind regards
Cornelius
On Wednesday, 15.07.2015, 13:53 -0400, Tom Cole wrote:
> Ok - since there are no OTP pins how do I reset them? We don't use pins.
>
> > Cornelius Kölbel
> > July 15, 2015 at 13:30
> > If you reinstalled privacyIDEA and you restored the database then old
> > tokens will not work.
> >
> > The old tokens in the database will only work with the encryption
> > key /etc/privacyidea/enckey. This is used
> >
> > 1. to encrypt OTP secrets, that are used to calculate the OTP values
> > 2. to hash or encrypt OTP PINs, which may lead to "wrong pin".
> > 3. and to encrypt the LDAP bindpw.
> >
> > Please reset the OTP PIN of a token and check again.
> > Resynchronize the token, as the counter in the token might be much
> > bigger than the counter in the database.
> >
> > Regarding the Client IP:
> > Were you using FreeRADIUS, too?
> >
> > Then the request would originate from localhost.
> >
> > Kind regards
> > Cornelius
> >
> >
> > Tom Cole
> > July 15, 2015 at 13:04
> > Someone deleted my VM yesterday with my PI server, so I recreated it
> > and restored the DB. Now I have 2 "errors"
> > 1) Tokens already in DB fail with "wrong otp pin" even though no pin
> > was used
> > 2) Client IP is always 127.0.0.1
> >
> > Server info below:
> >
> > privacyIDEA configuration documentation
> > =======================================
> >
> > * System: QTXSNPI01.atl.careerbuilder.com
> > * Date: 2015-07-15 13:03
> >
> > PI.cfg
> > ------
> >
> > PI_HSM: **default**
> >
> > PI_LOGFILE: **/var/log/privacyidea/privacyidea.log**
> >
> > PI_AUDIT_KEY_PUBLIC: **/etc/privacyidea/public.pem**
> >
> > PI_PEPPER: **6bLB1JquhkQTby48RRnyStl7**
> >
> > PI_ENCFILE: **/etc/privacyidea/enckey**
> >
> > For security reasons we do not display the SQL URI, as it may contain
> > the database credentials.
> >
> > PI_AUDIT_MODULE: **privacyidea.lib.auditmodules.sqlaudit**
> >
> > PI_LOGLEVEL: **20**
> >
> > PI_AUDIT_KEY_PRIVATE: **/etc/privacyidea/private.pem**
> >
> > SUPERUSER_REALM: **['super']**
> > .. note:: The SUPERUSER_REALM is a list of defined realms where the
> > users will have administrative rights when logging in to the web UI.
> >
> > Local Admins
> > ------------
> > In addition to the SUPERUSER_REALM there are local administrators
> > stored in the database. The following administrators are defined:
> >
> > * **admin** <ad...@localhost.com>
> >
> > System Base Configuration
> > -------------------------
> >
> > __timestamp__: **2015-07-14 15:37:35.912288**
> >
> > IncFailCountOnFalsePin: **True**
> >
> > Resolver Configuration
> > ----------------------
> > The following resolvers are defined. Resolvers are connections to
> > user stores.
> > To learn more about resolvers read [#resolvers]_.
> >
> > cbatl-ldap
> > ~~~~~~~~~~~~~~~~~~
> > * Name of the resolver: cbatl-ldap
> > * Type of the resolver: ldapresolver
> >
> > Configuration
> > .............
> >
> > BINDDN: **cbatl\paldap**
> >
> > AUTHTYPE: **NTLM**
> >
> > LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**
> >
> > LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**
> >
> > LDAPURI: **ldap://10.240.70.9**
> >
> > LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**
> >
> > UIDTYPE: **DN**
> >
> > BINDPW: **Cb4netops!**
> >
> > USERINFO: **{ "username": "sAMAccountName", "surname" : "sn", "givenname" : "givenName" }**
> >
> > TIMEOUT: **5**
> >
> > SIZELIMIT: **500**
> >
> > NOREFERRALS: **1**
> >
> > LOGINNAMEATTRIBUTE: **sAMAccountName**
> >
> > Realm Configuration
> > -------------------
> > Several resolvers are grouped into realms.
> > To learn more about realms read [#realms]_.
> > The following realms have been defined from the resolvers:
> >
> > cbatl
> > ~~~~~~~~~~~~~~~
> > * Name of the realm: cbatl
> >
> > **This is the default realm!**
> >
> > Users in the default realm can authenticate without specifying the
> > realm.
> > Users not in the default realm always need to specify the realm.
> >
> > The following resolvers are configured in this realm:
> >
> > * Name: cbatl-ldap
> > Priority: None
> > Type: ldapresolver
> >
> > Policy Configuration
> > --------------------
> > Policies define the behaviour of privacyIDEA.
> > To learn more about policies read [#policies]_.
> >
> > The following policies are defined in your system:
> >
> > Web_Timeout
> > ~~~~~~~~~~~~~~~~~
> >
> > user: **[u'*']**
> >
> > resolver: **[]**
> >
> > active: **True**
> >
> > adminrealm: **[]**
> >
> > condition: **0**
> >
> > realm: **[]**
> >
> > client: **[]**
> >
> > time: ****
> >
> > action: **{u'logout_time': u'300'}**
> >
> > scope: **webui**
> >
> > Token_Defaults
> > ~~~~~~~~~~~~~~~~~
> >
> > user: **[u'*']**
> >
> > resolver: **[]**
> >
> > active: **True**
> >
> > adminrealm: **[]**
> >
> > condition: **0**
> >
> > realm: **[u'cbatl']**
> >
> > client: **[]**
> >
> > time: ****
> >
> > action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\<u>'}**
> >
> > scope: **enrollment**
> >
> > Self_Service
> > ~~~~~~~~~~~~~~~~~
> >
> > user: **[u'*']**
> >
> > resolver: **[]**
> >
> > active: **True**
> >
> > adminrealm: **[]**
> >
> > condition: **0**
> >
> > realm: **[u'cbatl']**
> >
> > client: **[]**
> >
> > time: ****
> >
> > action: **{u'enrollTOTP': True, u'enable': True, u'resync': True, u'delete': True}**
> >
> > scope: **user**
> >
> > Machine Configuration
> > ---------------------
> >
> > **TODO**
> >
> > Token Configuration
> > -------------------
> >
> > **TODO**
> >
> > CA Configuration
> > ----------------
> >
> > **TODO**
> >
> > .. [#resolvers]
> > http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
> > .. [#realms]
> > 5.2. Realms — privacyIDEA 3.8 documentation
> > .. [#policies]
> > http://privacyidea.readthedocs.org/en/latest/policies/index.h
> >
>
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
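Cornelius's two points in this thread, that a token whose counter has run ahead of the restored database needs a resync, and that a token whose secret was encrypted with a lost /etc/privacyidea/enckey cannot work at all, as an added example. This is not privacyIDEA's own code (its window sizes, resync handling and storage differ); it is a stdlib-only HOTP/TOTP checker per RFC 4226 / RFC 6238 (HMAC-SHA1, 6 digits, 30 s step) with a search window and the two-OTP counter resync. The secrets, counters and window sizes are constructed for the demo. In the traceback above the failure happens even earlier, inside decrypt, because the bytes produced with the wrong key are not ASCII (0xdb) and the Python 2 marker search raises before any OTP is computed; the demo shows what would happen if decryption did return bytes: a secret that never validates and that no resync window can repair, which is why re-enrolment is the only fix.

```python
"""HOTP/TOTP check with a search window, plus the two-OTP counter resync.

Added example for this thread, not privacyIDEA code: RFC 4226 / RFC 6238
with the usual defaults (HMAC-SHA1, 6 digits, 30 s step). Secrets, counters
and window sizes below are constructed for the demo.
"""
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_hotp(secret: bytes, otp: str, counter: int, window: int = 10):
    """Return the counter that produced `otp` if it lies in [counter, counter+window), else None.

    The server must then store the returned value + 1 so the same OTP cannot be replayed.
    """
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c
    return None


def resync_hotp(secret: bytes, otp1: str, otp2: str, counter: int, window: int = 1000):
    """Resync from two consecutive OTPs read off the device.

    Searches a much larger window than a normal check but requires both values
    to match adjacent counters, so one accidental 6-digit collision is not enough.
    Returns the new server counter (the one after otp2) or None.
    """
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), otp1) and \
           hmac.compare_digest(hotp(secret, c + 1), otp2):
            return c + 2
    return None


def check_totp(secret: bytes, otp: str, now=None, window: int = 1):
    """RFC 6238: HOTP over the time step, accepting +/- `window` steps of clock drift."""
    t = int((time.time() if now is None else now) // STEP)
    for step in range(t - window, t + window + 1):
        if hmac.compare_digest(hotp(secret, step), otp):
            return step
    return None


def demo():
    """The two failure modes from the thread, on constructed data.

    1. The device counter (40) has run far ahead of the restored database (3):
       the normal window misses it, the two-OTP resync recovers it.
    2. A secret decrypted with a different enckey than the one that encrypted
       it is just random bytes: neither the check nor the resync ever matches.
    """
    real = b"12345678901234567890"     # RFC 4226 test secret (constructed input)
    garbage = b"\xdb" * 20             # stand-in for a secret decrypted under the wrong enckey
    db_counter, device_counter = 3, 40

    otp_a = hotp(real, device_counter)
    otp_b = hotp(real, device_counter + 1)
    return {
        "drifted_check": check_hotp(real, otp_a, db_counter),
        "resynced_counter": resync_hotp(real, otp_a, otp_b, db_counter),
        "after_resync": check_hotp(real, hotp(real, 42), 42),
        "wrong_key_check": check_hotp(garbage, hotp(real, 0), 0),
        "wrong_key_resync": resync_hotp(garbage, hotp(real, 0), hotp(real, 1), 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`demo()` returns None for the drifted check, 42 for the resynced counter and the check that follows it, and None for both attempts against the wrong-key secret. The resync deliberately demands two adjacent matches: with a 1000-counter window a single 6-digit value would match by chance about one time in a thousand, which is far too loose for something that moves the server's counter.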