Errors after restore

Someone deleted my VM yesterday with my PI server, so I recreated it and
restored the DB. Now I have 2 "errors":

1. Tokens already in DB fail with "wrong otp pin" even though no pin was used
2. Client IP is always 127.0.0.1

Server info below:

privacyIDEA configuration documentation
=======================================

* System: QTXSNPI01.atl.careerbuilder.com
* Date: 2015-07-15 13:03

PI.cfg
------

PI_HSM: **default**

PI_LOGFILE: **/var/log/privacyidea/privacyidea.log**

PI_AUDIT_KEY_PUBLIC: **/etc/privacyidea/public.pem**

PI_PEPPER: **6bLB1JquhkQTby48RRnyStl7**

PI_ENCFILE: **/etc/privacyidea/enckey**

For security reasons we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: **privacyidea.lib.auditmodules.sqlaudit**

PI_LOGLEVEL: **20**

PI_AUDIT_KEY_PRIVATE: **/etc/privacyidea/private.pem**

SUPERUSER_REALM: **['super']**

.. note:: The SUPERUSER_REALM is a list of defined realms where the users
   will have administrative rights when logging in to the web UI.

Local Admins
------------

In addition to the SUPERUSER_REALM there are local administrators stored in
the database. The following administrators are defined:

* **admin** <ad...@localhost.com>

System Base Configuration
-------------------------

timestamp: **2015-07-14 15:37:35.912288**

IncFailCountOnFalsePin: **True**

Resolver Configuration
----------------------

The following resolvers are defined. Resolvers are connections to user
stores. To learn more about resolvers read [#resolvers]_.

cbatl-ldap
~~~~~~~~~~

* Name of the resolver: cbatl-ldap
* Type of the resolver: ldapresolver

Configuration
.............

BINDDN: **cbatl\paldap**

AUTHTYPE: **NTLM**

LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**

LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**

LDAPURI: **ldap://10.240.70.9**

LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**

UIDTYPE: **DN**

BINDPW: **Cb4netops!**

USERINFO: **{ "username": "sAMAccountName", "surname" : "sn", "givenname" : "givenName" }**

TIMEOUT: **5**

SIZELIMIT: **500**

NOREFERRALS: **1**

LOGINNAMEATTRIBUTE: **sAMAccountName**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

cbatl
~~~~~~~~~~~~~~~
* Name of the realm: cbatl

**This is the default realm!**

Users in the default realm can authenticate without specifying the realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: cbatl-ldap
  Priority: None
  Type: ldapresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

Web_Timeout
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[]**

client: **[]**

time: ****

action: **{u'logout_time': u'300'}**

scope: **webui**

Token_Defaults
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\\<u>'}**

scope: **enrollment**

Self_Service
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'enrollTOTP': True, u'enable': True, u'resync': True, u'delete': True}**

scope: **user**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

.. [#resolvers] http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms] http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies] http://privacyidea.readthedocs.org/en/latest/policies/index.h

See inline comments.

On Wednesday, 15.07.2015, 13:26 -0700, Tom Cole wrote:

Here is the full error:

[2015-07-15 16:16:35,734][23371][140372868679424][INFO][privacyidea.lib.auditmodules.sqlaudit:130] using the connect string mysql://pi:hGaKJN_1ZgPJ@localhost/pi
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,883][23371][140372868679424][ERROR][privacyidea.app:1423] Exception on /validate/check [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 67, in check_user_or_serial_in_request_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/validate.py", line 179, in check
    result, details = check_user_pass(user, password, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 192, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 117, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 152, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1690, in check_user_pass
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1747, in check_token_list
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 357, in authenticate
    otp_counter = self.check_otp(otpval, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/totptoken.py", line 318, in check_otp
    symetric=True)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)

The OTP value is about to be calculated by the server.

  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 129, in checkOtp
    otpval = self.generate(c)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 104, in generate
    hmac = self.hmac(counter=counter, key=key)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 73, in hmac
    dig = str(self.secretObj.hmac_digest(data_input, self.hashfunc))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 112, in hmac_digest
    self.setupKey()

It reads the encrypted key from the database

  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 144, in setupKey
    akey = decrypt(self.val, self.iv)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)

and tries to decrypt it, to use it to calculate the HOTP

  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 341, in decrypt
    ret = hsm.decrypt(input, iv, id)

...and fails to decrypt, a.k.a. only gets garbage from the decryption.

  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/security/default.py", line 388, in decrypt
    eof = output.rfind(u"\x01\x02")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)
[2015-07-15 16:16:35,884][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:239] exception DataError('(DataError) (1406, "Data too long for column 'info' at row 1")',)
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:240] DATA: {'info': u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", 'realm': u'cbatl', 'success': False, 'privacyidea_server': '127.0.0.1', 'client_user_agent': None, 'client': '127.0.0.1', 'user': u'jomunoz.site', 'action_detail': '', 'action': 'POST /validate/check'}
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:241] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/auditmodules/sqlaudit.py", line 231, in finalize_log
    self.session.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 721, in commit
    self.transaction.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 354, in commit
    self._prepare_impl()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 334, in _prepare_impl
    self.session.flush()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1818, in flush
    self._flush(objects)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1936, in _flush
    transaction.rollback(_capture_exception=True)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/langhelpers.py", line 58, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1900, in _flush
    flush_context.execute()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 372, in execute
    rec.execute(self)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 525, in execute
    uow
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 64, in save_obj
    table, insert)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 569, in _emit_insert_statements
    execute(statement, params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
    params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
    compiled_sql, distilled_params
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
    exc_info
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
    cursor.execute(statement, parameters)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
DataError: (DataError) (1406, "Data too long for column 'info' at row 1") 'INSERT INTO pidea_audit (date, signature, action, success, serial, token_type, user, realm, administrator, action_detail, info, privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 7, 15, 16, 16, 35, 883625), '', 'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl', None, '', u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)

On Wednesday, July 15, 2015 at 4:22:35 PM UTC-4, Tom Cole wrote:

    So my best option is to have everyone do a new token.

    On Wednesday, July 15, 2015 at 4:20:40 PM UTC-4, Cornelius Kölbel wrote:

            When do you get the error?
            Can you please look into the log file or send the logfile with the
            entries leading to the database error?

            The system is trying to write something into the info column.
            This might be a result of a faulty decryption resulting in a
            non-ascii character.

            Anyway - if you really installed PI anew and just used the old
            database without the enckey, then the old OTP data would be lost.

            Kind regards
            Cornelius

            On Wednesday, 15.07.2015, 13:14 -0700, Tom Cole wrote:
            > Ok - that didn't work, but now I get this error:
            > DataError: (DataError) (1406, "Data too long for column 'info' at row
            > 1") 'INSERT INTO pidea_audit (date, signature, action, success,
            > serial, token_type, user, realm, administrator, action_detail, info,
            > privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s,
            > %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)'
            > (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), '',
            > 'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl',
            > None, '', u"'ascii' codec can't decode byte 0xdb in position 0:
            > ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)
            >
            > On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius Kölbel wrote:
            >         Hi Tom,
            >
            >         you can either reset the PIN by setting an empty PIN or...
            >
            >         if you are not using PIN or password at all (only OTP value),
            >         then you can define a policy:
            >
            >         scope: authentication
            >         action: otppin=none
            >
            >         http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin
            >
            >         Then users will only authenticate with 123456.
            >
            >         Kind regards
            >         Cornelius
            >
            >         On Wednesday, 15.07.2015, 13:53 -0400, Tom Cole wrote:
            >         > Ok - since there are no OTP pins how do I reset them?  We
            >         > don't use pins.
            >         >
            >         > > Cornelius Kölbel
            >         > > July 15, 2015 at 13:30
            >         > > If you reinstalled privacyIDEA and you restored the database
            >         > > then old tokens will not work.
            >         > >
            >         > > The old tokens in the database will only work with the
            >         > > encryption key /etc/privacyidea/enckey. This is used
            >         > >
            >         > > 1. to encrypt otp secrets, that are used to calculate the OTP values
            >         > > 2. hash or encrypt OTP pins, which may lead to "wrong pin".
            >         > > 3. and encrypt LDAP bindpw.
            >         > >
            >         > > Please reset the OTP PIN of a token and check again.
            >         > > Resynchronize the token, as the counter in the token might be
            >         > > much bigger than the counter in the database.
            >         > >
            >         > > Regarding the Client IP:
            >         > > Were you using FreeRADIUS, too?
            >         > >
            >         > > Then the request would originate from localhost.
            >         > >
            >         > > Kind regards
            >         > > Cornelius
            >         > >
            >         > > Tom Cole
            >         > > July 15, 2015 at 13:04
            >         > > Someone deleted my VM yesterday with my PI server, so I
            >         > > recreated it and restored the DB.  Now I have 2 "errors"
            >         > > 1) Tokens already in DB fail with "wrong otp pin" even though
            >         > > no pin was used
            >         > > 2) Client IP is always 127.0.0.1
            >         > >
            >         > 
            >         -- 
            >         Cornelius Kölbel 
            >         corneliu...@netknights.it 
            >         +49 151 2960 1417 
            >         
            >         NetKnights GmbH 
            >         http://www.netknights.it 
            >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
            >         Tel: +49 561 3166797, Fax: +49 561 3166798 
            >         
            >         Amtsgericht Kassel, HRB 16405 
            >         Geschäftsführer: Cornelius Kölbel 
            >         
            >         
            > -- 
            > You received this message because you are subscribed
            to the Google 
            > Groups "privacyidea" group. 
            > To unsubscribe from this group and stop receiving
            emails from it, send 
            > an email to privacyidea...@googlegroups.com. 
            > To post to this group, send email to
            priva...@googlegroups.com. 
            > To view this discussion on the web visit 
            >
            https://groups.google.com/d/msgid/privacyidea/9a6a18d2-048f-45ab-b2d8-611d9238a710%40googlegroups.com. 
            > For more options, visit
            https://groups.google.com/d/optout. 
            
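Cornelius's point in the quoted history above (the restored database only works with the enckey it was encrypted under) and the inline-commented traceback (a wrong key does not raise a decryption error; it yields garbage that only surfaces later as a UnicodeDecodeError and then as an over-long audit ``info`` value) suggest a pre-flight check before a rebuilt server goes back into service. The following is an added example written for this thread, not privacyIDEA's own code: it models the token table's encrypted OTP seeds with a stand-in keystream cipher (HMAC-SHA256 in counter mode, chosen to keep the script standard-library only; the real default security module uses AES-CBC) and keeps only the end-of-data marker convention visible in the traceback (``output.rfind(u"\x01\x02")``). The serials, seeds, IVs and key values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

BLOCK = 16             # pad to 16-byte blocks, as a block cipher would
MARKER = b"\x01\x02"   # end-of-data marker that default.py:388 searches for


class KeyMismatchError(Exception):
    """Ciphertext did not decrypt to a validly padded plaintext."""


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256(key, iv || counter) blocks. This is a
    constructed substitute, NOT privacyIDEA's AES-CBC; it only models
    'wrong key => indistinguishable garbage', which is the property that matters."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _pad(data: bytes) -> bytes:
    """Append the marker, then zero bytes up to the next block boundary."""
    padded = data + MARKER
    return padded + b"\x00" * (-len(padded) % BLOCK)


def encrypt_secret(key: bytes, secret: bytes, iv: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (iv, ciphertext) for one OTP seed under the stand-in cipher."""
    iv = iv if iv is not None else os.urandom(BLOCK)
    padded = _pad(secret)
    return iv, bytes(a ^ b for a, b in zip(padded, _keystream(key, iv, len(padded))))


def decrypt_secret(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Decrypt and validate the padding. Unauthenticated encryption cannot tell a
    wrong key from the right one, so the marker is the only signal available;
    unlike a bare rfind() this also requires every byte after the marker to be zero."""
    if len(ciphertext) % BLOCK:
        raise KeyMismatchError("ciphertext length is not a multiple of the block size")
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, iv, len(ciphertext))))
    eof = plain.rfind(MARKER)
    if eof < 0 or plain[eof + len(MARKER):].strip(b"\x00"):
        raise KeyMismatchError("no valid end-of-data marker: wrong enckey or corrupted record")
    return plain[:eof]


def verify_enckey(key: bytes, records: List[dict]) -> List[str]:
    """Return the serials whose stored secret does not decrypt cleanly under `key`.
    An empty list means the enckey on disk matches the restored database."""
    failing = []
    for rec in records:
        try:
            decrypt_secret(key, rec["iv"], rec["key_enc"])
        except KeyMismatchError:
            failing.append(rec["serial"])
    return failing


def build_sample_db(enckey: bytes) -> List[dict]:
    """Constructed stand-in for the token table: serial, IV and encrypted seed.
    IVs are derived from the serial only to keep the sample deterministic."""
    seeds: Dict[str, bytes] = {
        "TOTP0001": bytes.fromhex("3132333435363738393031323334353637383930"),  # RFC 6238 test seed
        "TOTP0002": b"second-constructed-seed",
        "HOTP0003": bytes(range(20)),
    }
    records = []
    for serial, seed in seeds.items():
        iv = hashlib.sha256(serial.encode()).digest()[:BLOCK]
        _, ciphertext = encrypt_secret(enckey, seed, iv)
        records.append({"serial": serial, "iv": iv, "key_enc": ciphertext})
    return records


if __name__ == "__main__":
    original = b"enckey-that-lived-on-the-deleted-vm"   # constructed
    fresh = b"enckey-created-by-the-fresh-install"    # constructed
    db = build_sample_db(original)
    print("original enckey, failing serials:", verify_enckey(original, db))
    print("fresh enckey, failing serials:   ", verify_enckey(fresh, db))
```

Against a real installation the stand-in cipher would be swapped for the installation's own decryption routine; the design point is that a mismatched enckey is reported per record by the marker test, instead of surfacing as a Python exception whose message then overflows the audit table's ``info`` column.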


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/d9414ca9-9e9c-43e6-a0f2-2156fd47c7ad%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


What kind of tokens did you enroll?

Smartphone App, SMS?
Using hardware tokens you could just import the seed file again.

Kind regards
Cornelius

On Wednesday, 15.07.2015, 13:22 -0700, Tom Cole wrote:

So my best option is to have everyone do a new token.

On Wednesday, July 15, 2015 at 4:20:40 PM UTC-4, Cornelius Kölbel wrote:
When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?

    The system is trying to write something into the info column.
    This might be the result of a faulty decryption,
    resulting in a non-ASCII character.

    Anyway - if you really installed PI anew and just used the old
    database without the enckey, then the old OTP data would be lost.

    Kind regards
    Cornelius


Forgot to mention - New tokens work fine

Ok - that didn't work, but now I get this error:
DataError: (DataError) (1406, "Data too long for column 'info' at row 1")
'INSERT INTO pidea_audit (date, signature, action, success, serial,
token_type, user, realm, administrator, action_detail, info,
privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s, %s,
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015,
7, 15, 16, 13, 5, 474569), '', 'POST /validate/check', 0, None, None,
u'jomunoz.site', u'cbatl', None, '', u"'ascii' codec can't decode byte 0xdb
in position 0: ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None,
None)

On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius Kölbel wrote:

Hi Tom,

you can either reset the PIN by setting an empty PIN or…

if you are not using PIN or password at all (only OTP value), then you
can define a policy:

scope: authentication
action: otppin=none

http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin

Then users will only authenticate with 123456.

Kind regards
Cornelius

On Wednesday, 15.07.2015, 13:53 -0400, Tom Cole wrote:

Ok - since there are no OTP pins how do I reset them? We don't use pins.

Cornelius Kölbel
July 15, 2015 at 13:30
If you reinstalled privacyIDEA and you restored the database then old
tokens will not work.

The old tokens in the database will only work with the encryption
key /etc/privacyidea/enckey. This is used

  1. to encrypt OTP secrets, which are used to calculate the OTP values
  2. to hash or encrypt OTP PINs, which may lead to "wrong pin".
  3. to encrypt the LDAP bindpw.

Please reset the OTP PIN of a token and check again.
Resynchronize the token, as the counter in the token might be much
bigger than the counter in the database.

Regarding the Client IP:
Were you using FreeRADIUS, too?

Then the request would originate from localhost.

Kind regards
Cornelius


Hm. But don't let Larry also delete the VM together with the snapshot!

On Wednesday, 15.07.2015, 13:38 -0700, Tom Cole wrote:

Darn - and garbage day was Monday. Don't worry, this time I took a
snapshot of the VM, just in case.

On Wednesday, July 15, 2015 at 4:33:43 PM UTC-4, Cornelius Kölbel wrote:
Hi Tom,

    ahem. Well, the idea is that the database administrator is not able to
    steal sensitive data. Or that sensitive data cannot be read if it is
    transmitted over IP to the database without SSL.
    So several pieces of data in the database are encrypted.

    The encryption is performed using an encryption key, in the simplest
    case kept in the file specified in pi.cfg with the key PI_ENCFILE.
    (see
    http://privacyidea.readthedocs.org/en/latest/installation/system/inifile.html)

    So if you want to have a complete backup, you should at least back up
    the enckey file once and the database every now and then.

    Yes. If you just recovered the database, this database is...
    ...data garbage.

    There might be a more elaborate chapter about backup and restore...

    If you are running VMs the easiest way is to make a backup of the VM
    somewhere at the start. Later you can create snapshots/backups of the
    database...

    Kind regards
    Cornelius
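
The backup advice above, as an added example that is not code from the thread or from the privacyIDEA project: a POSIX shell helper that stores the database dump together with the enckey and its SHA-256, and a restore preflight that refuses to proceed on a host whose enckey does not match the one the dump was encrypted under. The bundle layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from privacyIDEA): keep the enckey
# with every database dump, and check the key before restoring the dump.
# Without the matching key the restored OTP secrets, PINs and LDAP bindpw
# cannot be decrypted ("wrong otp pin", decode errors in the audit log).
set -eu

# pi_backup_bundle <db_dump> <enckey> <bundle_dir>
# Copies dump and key into one directory and records the key fingerprint.
# (Bundle layout is an assumption made for this example.)
pi_backup_bundle() {
    dump="$1"; enckey="$2"; out="$3"
    mkdir -p "$out"
    cp "$dump" "$out/privacyidea.sql"
    cp "$enckey" "$out/enckey"
    chmod 600 "$out/enckey"
    # fingerprint of the key the dump's encrypted columns depend on
    sha256sum "$enckey" | cut -d' ' -f1 > "$out/enckey.sha256"
}

# pi_restore_preflight <bundle_dir> <enckey_on_target_host>
# Returns 0 when the target key matches the fingerprint stored with the dump,
# 1 when the bundle has no key record, the target key is missing, or the
# fingerprints differ (restoring would give undecryptable token data).
pi_restore_preflight() {
    bundle="$1"; target_key="$2"
    if [ ! -f "$bundle/enckey.sha256" ]; then
        echo "bundle has no enckey fingerprint: this dump was taken without the key" >&2
        return 1
    fi
    if [ ! -f "$target_key" ]; then
        echo "no enckey at $target_key: copy $bundle/enckey there before restoring" >&2
        return 1
    fi
    expected=$(cat "$bundle/enckey.sha256")
    actual=$(sha256sum "$target_key" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "enckey mismatch: restored tokens would fail with 'wrong otp pin'" >&2
        return 1
    fi
    return 0
}

# Usage (paths are examples):
#   pi_backup_bundle /var/backups/privacyidea.sql /etc/privacyidea/enckey /var/backups/pi-bundle
#   pi_restore_preflight /var/backups/pi-bundle /etc/privacyidea/enckey \
#       && mysql privacyidea < /var/backups/pi-bundle/privacyidea.sql
```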
    
    >         >         realm. 
    >         >         > > 
    >         >         > > The following resolvers are configured
    in this 
    >         realm: 
    >         >         > > 
    >         >         > > * Name: cbatl-ldap 
    >         >         > >   Priority: None 
    >         >         > >   Type: ldapresolver 
    >         >         > > 
    >         >         > > Policy Configuration 
    >         >         > > -------------------- 
    >         >         > > Policies define the behaviour of
    privacyIDEA. 
    >         >         > > To learn more about policies read
    [#policies]_. 
    >         >         > > 
    >         >         > > The following policies are defined in
    your 
    >         system: 
    >         >         > > 
    >         >         > > Web_Timeout 
    >         >         > > ~~~~~~~~~~~~~~~~~ 
    >         >         > > 
    >         >         > > user: **[u'*']** 
    >         >         > > 
    >         >         > > resolver: **[]** 
    >         >         > > 
    >         >         > > active: **True** 
    >         >         > > 
    >         >         > > adminrealm: **[]** 
    >         >         > > 
    >         >         > > condition: **0** 
    >         >         > > 
    >         >         > > realm: **[]** 
    >         >         > > 
    >         >         > > client: **[]** 
    >         >         > > 
    >         >         > > time: **** 
    >         >         > > 
    >         >         > > action: **{u'logout_time': u'300'}** 
    >         >         > > 
    >         >         > > scope: **webui** 
    >         >         > > 
    >         >         > > Token_Defaults 
    >         >         > > ~~~~~~~~~~~~~~~~~ 
    >         >         > > 
    >         >         > > user: **[u'*']** 
    >         >         > > 
    >         >         > > resolver: **[]** 
    >         >         > > 
    >         >         > > active: **True** 
    >         >         > > 
    >         >         > > adminrealm: **[]** 
    >         >         > > 
    >         >         > > condition: **0** 
    >         >         > > 
    >         >         > > realm: **[u'cbatl']** 
    >         >         > > 
    >         >         > > client: **[]** 
    >         >         > > 
    >         >         > > time: **** 
    >         >         > > 
    >         >         > > action: **{u'max_token_per_user':
    u'1', 
    >         u'tokenlabel': 
    >         >         u'<r>\ 
    >         >         > > \<u>'}** 
    >         >         > > 
    >         >         > > scope: **enrollment** 
    >         >         > > 
    >         >         > > Self_Service 
    >         >         > > ~~~~~~~~~~~~~~~~~ 
    >         >         > > 
    >         >         > > user: **[u'*']** 
    >         >         > > 
    >         >         > > resolver: **[]** 
    >         >         > > 
    >         >         > > active: **True** 
    >         >         > > 
    >         >         > > adminrealm: **[]** 
    >         >         > > 
    >         >         > > condition: **0** 
    >         >         > > 
    >         >         > > realm: **[u'cbatl']** 
    >         >         > > 
    >         >         > > client: **[]** 
    >         >         > > 
    >         >         > > time: **** 
    >         >         > > 
    >         >         > > action: **{u'enrollTOTP': True,
    u'enable': 
    >         True, 
    >         >         u'resync': True, 
    >         >         > > u'delete': True}** 
    >         >         > > 
    >         >         > > scope: **user** 
    >         >         > > 
    >         >         > > Machine Configuration 
    >         >         > > --------------------- 
    >         >         > > 
    >         >         > > **TODO** 
    >         >         > > 
    >         >         > > Token Configuration 
    >         >         > > ------------------- 
    >         >         > > 
    >         >         > > **TODO** 
    >         >         > > 
    >         >         > > CA Configuration 
    >         >         > > ---------------- 
    >         >         > > 
    >         >         > > **TODO** 
    >         >         > > 
    >         >         > > .. [#resolvers] 
    >         >         > > 
    >         > 
    >
    http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm 
    >         >         > > .. [#realms] 
    >         >         > > 
    >         > 
    >
    http://privacyidea.readthedocs.org/en/latest/configuration/realms.html 
    >         >         > > .. [#policies] 
    >         >         > > 
    >         > 
    >
    http://privacyidea.readthedocs.org/en/latest/policies/index.h 
    >         >         > > 
    >         >         > 
    >         >         -- 
    >         >         Cornelius Kölbel 
    >         >         corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://www.netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         > -- 
    >         > You received this message because you are
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > To view this discussion on the web visit 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/9a6a18d2-048f-45ab-b2d8-611d9238a710%40googlegroups.com. 
    >         > For more options, visit
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/dc797822-5055-47e9-bb3d-f72362787693%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/20978ca1-0fe5-41fb-8ee4-bb4926f48c60%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


So my best option is to have everyone do a new token.

On Wednesday, July 15, 2015 at 4:20:40 PM UTC-4, Cornelius Kölbel wrote:

When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?

The system is trying to write something into the info column.
This might be the result of a faulty decryption
resulting in a non-ASCII character.

Anyway - if you really installed PI anew and just used the old database
without the enckey, then the old OTP data would be lost.

Kind regards
Cornelius

On Wednesday, 15 July 2015 at 13:14 -0700, Tom Cole wrote:

Ok - that didn't work, but now I get this error:

    DataError: (DataError) (1406, "Data too long for column 'info' at row
    1") 'INSERT INTO pidea_audit (date, signature, action, success,
    serial, token_type, user, realm, administrator, action_detail, info,
    privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s,
    %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)'
    (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), '',
    'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl',
    None, '', u"'ascii' codec can't decode byte 0xdb in position 0:
    ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)
On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius Kölbel wrote:
Hi Tom,

    you can either reset the PIN by setting an empty PIN or... 
    
    if you are not using PIN or password at all (only OTP value), 
    then you 
    can define a policy: 
    
    scope: authentication 
    action: otppin=none 

    http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin

    Then users will only authenticate with 123456. 
    
    Kind regards 
    Cornelius 
    
    
    On Wednesday, 15 July 2015 at 13:53 -0400, Tom Cole wrote:
    > Ok - since there are no OTP pins how do I reset them?  We don't use
    > pins.
well crap - teaches me to not pay attention - thanks for the heads up.
I will get the password changed. I will test the other options and see
what happens.

Thanks

Cornelius Kölbel <cornelius.koelbel@netknights.it>
July 15, 2015 at 13:30
If you reinstalled privacyIDEA and you restored the database then the old
tokens will not work.

The old tokens in the database will only work with the encryption
key /etc/privacyidea/enckey. This is used

  1. to encrypt otp secrets, that are used to calculate the OTP values
  2. to hash or encrypt OTP pins, which may lead to “wrong pin”.
  3. and to encrypt the LDAP bindpw.

Please reset the OTP PIN of a token and check again.
Resynchronize the token, as the counter in the token might be much bigger
than the counter in the database.

Regarding the Client IP:
Were you using FreeRADIUS, too?

Then the request would originate from localhost.

Kind regards
Cornelius
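The following Python example is added here to make the failure mode described above concrete; it is not privacyIDEA's code and does not reproduce its storage format. It models only item 1 of the list (the encrypted OTP secret): a token record is enrolled under one enckey, the same record is then read with the enckey a fresh install would generate, and finally a counter resync is performed with two consecutive OTPs once the right key is back. Everything here is an assumption for illustration: the SHA-256 keystream stands in for the AES privacyIDEA actually uses, the record layout is simplified, and `ORIGINAL_ENCKEY`, `NEW_ENCKEY`, `SEED` and `NONCE` are constructed values (the seed is the RFC 4226 test-vector secret). The HOTP routine itself follows RFC 4226.

```python
import hashlib
import hmac
import struct

# Added example, not privacyIDEA code. Token seeds live in the DB encrypted
# under /etc/privacyidea/enckey, so a DB restored onto a fresh install (new
# enckey) cannot recover them. The cipher below is a SHA-256 keystream
# stand-in for AES; the record layout is likewise a simplification.


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + nonce + struct.pack(">I", blk)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def enroll(enckey: bytes, seed: bytes, nonce: bytes) -> dict:
    """Create a token record: the seed is stored as hex text, encrypted under enckey."""
    return {
        "nonce": nonce,
        "enc_seed": _keystream_xor(enckey, nonce, seed.hex().encode("ascii")),
        "counter": 0,
    }


def decrypt_seed(enckey: bytes, record: dict) -> bytes:
    """Recover the raw seed. With the wrong enckey the plaintext is random bytes,
    and the ASCII/hex decode fails, much like the audit row quoted in the thread."""
    plain = _keystream_xor(enckey, record["nonce"], record["enc_seed"])
    return bytes.fromhex(plain.decode("ascii"))


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_otp(enckey: bytes, record: dict, otp: str, window: int = 10):
    """Verify an OTP against the record; returns (ok, detail) and advances the counter."""
    try:
        seed = decrypt_seed(enckey, record)
    except (UnicodeDecodeError, ValueError) as exc:
        return False, "seed undecryptable: %s" % exc
    for c in range(record["counter"], record["counter"] + window):
        if hmac.compare_digest(hotp(seed, c), otp):
            record["counter"] = c + 1   # this and every earlier value are now burned
            return True, "ok"
    return False, "otp not in window"


def resync(enckey: bytes, record: dict, otp1: str, otp2: str, search: int = 1000) -> bool:
    """Two consecutive OTPs re-anchor the server counter when the token ran ahead
    of a restored (older) database, which is the resync step suggested above."""
    seed = decrypt_seed(enckey, record)
    for c in range(record["counter"], record["counter"] + search):
        if (hmac.compare_digest(hotp(seed, c), otp1)
                and hmac.compare_digest(hotp(seed, c + 1), otp2)):
            record["counter"] = c + 2
            return True
    return False


# Constructed inputs: two fixed "enckey" files and one token seed.
ORIGINAL_ENCKEY = hashlib.sha256(b"enckey from the deleted VM").digest()
NEW_ENCKEY = hashlib.sha256(b"enckey generated by the fresh install").digest()
SEED = b"12345678901234567890"          # RFC 4226 test-vector secret
NONCE = b"\x00" * 16                    # fixed so the walk-through is reproducible


def demo() -> dict:
    """Walk through the thread's scenario and return what each step produced."""
    record = enroll(ORIGINAL_ENCKEY, SEED, NONCE)
    first = check_otp(ORIGINAL_ENCKEY, record, hotp(SEED, 0))
    # Restored DB, but the enckey was lost with the VM: the record is unreadable.
    after_restore = check_otp(NEW_ENCKEY, record, hotp(SEED, 1))
    # Correct enckey restored as well, but the token was used 500 times since the backup.
    resynced = resync(ORIGINAL_ENCKEY, record, hotp(SEED, 500), hotp(SEED, 501))
    return {"first": first, "after_restore": after_restore,
            "resynced": resynced, "counter": record["counter"]}


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The practical takeaway is the check to run before putting a restored instance back in service: back up `/etc/privacyidea/enckey` (and the audit key pair) together with the database, and after a restore verify one known token with `check_otp` before users hit "wrong otp pin". Re-enrolling every token, as the thread concludes, is the only option once the original key is gone.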

Tom Cole mailto:Tom_Cole
July 15, 2015 at 13:04
Someone deleted my VM yesterday with my PI server, so I recreated it
and restored the DB. Now I have 2 “errors”

  1. Tokens already in DB fail with “wrong otp pin” even though no pin
    was used
  2. Client IP is always 127.0.0.1

Server info below:

privacyIDEA configuration documentation

PI.cfg

PI_HSM: default

PI_LOGFILE: /var/log/privacyidea/privacyidea.log

PI_AUDIT_KEY_PUBLIC: /etc/privacyidea/public.pem

PI_PEPPER: 6bLB1JquhkQTby48RRnyStl7

PI_ENCFILE: /etc/privacyidea/enckey

For security reason we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: privacyidea.lib.auditmodules.sqlaudit

PI_LOGLEVEL: 20

PI_AUDIT_KEY_PRIVATE: /etc/privacyidea/private.pem

SUPERUSER_REALM: [‘super’]
… note:: The SUPERUSER_REALM is a list of defined realms where the users
will have administrative rights when logging in to the web UI.

Local Admins

In addition to the SUPERUSER_REALM there are local administrators
stored in
the database. The following administrators are defined:

System Base Configuration

timestamp: 2015-07-14 15:37:35.912288

IncFailCountOnFalsePin: True

Resolver Configuration

The following resolvers are defined. Resolvers are connections to user
stores.
To learn more about resolvers read [#resolvers]_.

cbatl-ldap

* Name of the resolver: cbatl-ldap
* Type of the resolver: ldapresolver

Configuration
.............

BINDDN: **cbatl\paldap**

AUTHTYPE: **NTLM**

LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**

LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**

LDAPURI: **ldap://10.240.70.9**

LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**

UIDTYPE: **DN**

BINDPW: **Cb4netops!**

USERINFO: **{ "username": "sAMAccountName", "surname" : "sn", 
"givenname" : "givenName" }**

TIMEOUT: **5**

SIZELIMIT: **500**

NOREFERRALS: **1**

LOGINNAMEATTRIBUTE: **sAMAccountName**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

cbatl
~~~~~~~~~~~~~~~
* Name of the realm: cbatl

**This is the default realm!**

Users in the default realm can authenticate without specifying the realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: cbatl-ldap
  Priority: None
  Type: ldapresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

Web_Timeout
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[]**

client: **[]**

time: ****

action: **{u'logout_time': u'300'}**

scope: **webui**

Token_Defaults
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\\<u>'}**

scope: **enrollment**

Self_Service
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'enrollTOTP': True, u'enable': True, u'resync': True, 
u'delete': True}**

scope: **user**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

.. [#resolvers] 
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms] 
http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies] 
http://privacyidea.readthedocs.org/en/latest/policies/index.h
-- 
You received this message because you are subscribed to a topic in the 
Google Groups "privacyidea" group.
To unsubscribe from this topic, visit 
https://groups.google.com/d/topic/privacyidea/w5CFAn3FnIY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
privacyidea+unsubscribe@googlegroups.com 
<mailto:privacyidea+unsubscribe@googlegroups.com>.
To post to this group, send email to privacyidea@googlegroups.com 
<mailto:privacyidea@googlegroups.com>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/privacyidea/3fd41270-0277-413a-a4e0-cf07f2d3a34a%40googlegroups.com 
<https://groups.google.com/d/msgid/privacyidea/3fd41270-0277-413a-a4e0-cf07f2d3a34a%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.

When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?

The system is trying to write something into the info column.
This might be a result to a faulty decryption.
resulting an a non-ascii character.

Anyway - if you really installed PI anew and just used the old database
without the enckey, than the old OTP data would be lost.

Kind regards
CorneliusAm Mittwoch, den 15.07.2015, 13:14 -0700 schrieb Tom Cole:

Ok - that didnt work, but now I get this error:
DataError: (DataError) (1406, “Data too long for column ‘info’ at row
1”) ‘INSERT INTO pidea_audit (date, signature, action, success,
serial, token_type, user, realm, administrator, action_detail, info,
privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s,
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %
s)’ (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), ‘’,
‘POST /validate/check’, 0, None, None, u’jomunoz.site’, u’cbatl’,
None, ‘’, u"‘ascii’ codec can’t decode byte 0xdb in position 0:
ordinal not in range(128)", ‘127.0.0.1’, ‘127.0.0.1’, None, None)
On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius Kölbel wrote:
Hi Tom,

    you can either reset the PIN by setting an empty PIN or... 
    
    if you are not using PIN or password at all (only OTP value),
    then you 
    can define a policy: 
    
    scope: authentication 
    action: otppin=none 
    
    http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin 
    
    Then users will only authenticate with 123456. 
    
    Kind regards 
    Cornelius 
    
    
    Am Mittwoch, den 15.07.2015, 13:53 -0400 schrieb Tom Cole: 
    > Ok - since there are no OTP pins how do I reset them?  We
    don't use 
    > pins. 
    > 
    > > Cornelius Kölbel 
    > > July 15, 2015 at 13:30 
    > > If you reinstalled privacyIDEA and you restored the
    database then 
    > > old 
    > > token will not work. 
    > > 
    > > The old tokens in the database will only work with the
    encryption 
    > > key /etc/privacyidea/enckey. This is used 
    > > 
    > > 1. to encrypt otp secrets, that are used to calculate the
    OTP values 
    > > 2. hash or encrypt OTP pins, which may lead to "wrong
    pin". 
    > > 3. and encrypt LDAP bindpw. 
    > > 
    > > Please reset the OTP PIN of a token and check again. 
    > > Resyncronize the token, as the counter in the token might
    be much 
    > > bigger 
    > > than the counter in the database. 
    > > 
    > > Regarding the Client IP: 
    > > Were you using FreeRADIUS, too? 
    > > 
    > > Then the request would originate from localhost. 
    > > 
    > > Kind regards 
    > > Cornelius 
    > > 
    > > 
    > > 
    > > 
    > > Tom Cole 
    > > July 15, 2015 at 13:04 
    > > Someone deleted my VM yesterday with my PI server, so I
    recreated it 
    > > and restored the DB.  Now I have 2 "errors" 
    > > 1) Tokens already in DB fail with "wrong otp pin" even
    though no pin 
    > > was used 
    > > 2) Client IP is always 127.0.0.1 
    > > 
    > > Server info below: 
    > > 
    > > privacyIDEA configuration documentation 
    > > ======================================= 
    > > 
    > > * System: QTXSNPI01.atl.careerbuilder.com 
    > > * Date: 2015-07-15 13:03 
    > > 
    > > PI.cfg 
    > > ------ 
    > > 
    > > PI_HSM: **default** 
    > > 
    > > PI_LOGFILE: **/var/log/privacyidea/privacyidea.log** 
    > > 
    > > PI_AUDIT_KEY_PUBLIC: **/etc/privacyidea/public.pem** 
    > > 
    > > PI_PEPPER: **6bLB1JquhkQTby48RRnyStl7** 
    > > 
    > > PI_ENCFILE: **/etc/privacyidea/enckey** 
    > > 
    > > For security reason we do not display the SQL URI, as it
    may contain 
    > > the 
    > > database credentials. 
    > > 
    > > PI_AUDIT_MODULE:
    **privacyidea.lib.auditmodules.sqlaudit** 
    > > 
    > > PI_LOGLEVEL: **20** 
    > > 
    > > PI_AUDIT_KEY_PRIVATE: **/etc/privacyidea/private.pem** 
    > > 
    > > SUPERUSER_REALM: **['super']** 
    > > .. note:: The SUPERUSER_REALM is a list of defined realms
    where the 
    > > users 
    > >    will have administrative rights when logging in to the
    web UI. 
    > > 
    > > Local Admins 
    > > ------------ 
    > > In addition to the SUPERUSER_REALM there are local
    administrators 
    > > stored in 
    > > the database. The following administrators are defined: 
    > > 
    > > * **admin** <ad...@localhost.com> 
    > > 
    > > System Base Configuration 
    > > ------------------------- 
    > > 
    > > __timestamp__: **2015-07-14 15:37:35.912288** 
    > > 
    > > IncFailCountOnFalsePin: **True** 
    > > 
    > > Resolver Configuration 
    > > ---------------------- 
    > > The following resolvers are defined. Resolvers are
    connections to 
    > > user stores. 
    > > To learn more about resolvers read [#resolvers]_. 
    > > 
    > > cbatl-ldap 
    > > ~~~~~~~~~~~~~~~~~~ 
    > > * Name of the resolver: cbatl-ldap 
    > > * Type of the resolver: ldapresolver 
    > > 
    > > Configuration 
    > > ............. 
    > > 
    > > BINDDN: **cbatl\paldap** 
    > > 
    > > AUTHTYPE: **NTLM** 
    > > 
    > > LDAPFILTER: **(&(sAMAccountName=%
    s)(objectClass=person))** 
    > > 
    > > LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com** 
    > > 
    > > LDAPURI: **ldap://10.240.70.9** 
    > > 
    > > LDAPSEARCHFILTER:
    **(sAMAccountName=*)(objectClass=person)** 
    > > 
    > > UIDTYPE: **DN** 
    > > 
    > > BINDPW: **Cb4netops!** 
    > > 
    > > USERINFO: **{ "username": "sAMAccountName", "surname" :
    "sn", 
    > > "givenname" : "givenName" }** 
    > > 
    > > TIMEOUT: **5** 
    > > 
    > > SIZELIMIT: **500** 
    > > 
    > > NOREFERRALS: **1** 
    > > 
    > > LOGINNAMEATTRIBUTE: **sAMAccountName** 
    > > 
    > > Realm Configuration 
    > > ------------------- 
    > > Several resolvers are grouped into realms. 
    > > To learn more about realms read [#realms]_. 
    > > The following realms have been defined from the
    resolvers: 
    > > 
    > > cbatl 
    > > ~~~~~~~~~~~~~~~ 
    > > * Name of the realm: cbatl 
    > > 
    > > **This is the default realm!** 
    > > 
    > > Users in the default realm can authenticate without specifying the realm.
    > > Users not in the default realm always need to specify the realm.
    > > 
    > > The following resolvers are configured in this realm: 
    > > 
    > > * Name: cbatl-ldap 
    > >   Priority: None 
    > >   Type: ldapresolver 
    > > 
    > > Policy Configuration 
    > > -------------------- 
    > > Policies define the behaviour of privacyIDEA. 
    > > To learn more about policies read [#policies]_. 
    > > 
    > > The following policies are defined in your system: 
    > > 
    > > Web_Timeout 
    > > ~~~~~~~~~~~~~~~~~ 
    > > 
    > > user: **[u'*']** 
    > > 
    > > resolver: **[]** 
    > > 
    > > active: **True** 
    > > 
    > > adminrealm: **[]** 
    > > 
    > > condition: **0** 
    > > 
    > > realm: **[]** 
    > > 
    > > client: **[]** 
    > > 
    > > time: **** 
    > > 
    > > action: **{u'logout_time': u'300'}** 
    > > 
    > > scope: **webui** 
    > > 
    > > Token_Defaults 
    > > ~~~~~~~~~~~~~~~~~ 
    > > 
    > > user: **[u'*']** 
    > > 
    > > resolver: **[]** 
    > > 
    > > active: **True** 
    > > 
    > > adminrealm: **[]** 
    > > 
    > > condition: **0** 
    > > 
    > > realm: **[u'cbatl']** 
    > > 
    > > client: **[]** 
    > > 
    > > time: **** 
    > > 
    > > action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\\<u>'}**
    > > 
    > > scope: **enrollment** 
    > > 
    > > Self_Service 
    > > ~~~~~~~~~~~~~~~~~ 
    > > 
    > > user: **[u'*']** 
    > > 
    > > resolver: **[]** 
    > > 
    > > active: **True** 
    > > 
    > > adminrealm: **[]** 
    > > 
    > > condition: **0** 
    > > 
    > > realm: **[u'cbatl']** 
    > > 
    > > client: **[]** 
    > > 
    > > time: **** 
    > > 
    > > action: **{u'enrollTOTP': True, u'enable': True, u'resync': True, u'delete': True}**
    > > 
    > > scope: **user** 
    > > 
    > > Machine Configuration 
    > > --------------------- 
    > > 
    > > **TODO** 
    > > 
    > > Token Configuration 
    > > ------------------- 
    > > 
    > > **TODO** 
    > > 
    > > CA Configuration 
    > > ---------------- 
    > > 
    > > **TODO** 
    > > 
    > > .. [#resolvers] http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
    > > .. [#realms] http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
    > > .. [#policies] http://privacyidea.readthedocs.org/en/latest/policies/index.h
    > > 
    > 
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/9a6a18d2-048f-45ab-b2d8-611d9238a710%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Here is the full error:

[2015-07-15 16:16:35,734][23371][140372868679424][INFO][privacyidea.lib.auditmodules.sqlaudit:130] using the connect string mysql://pi:hGaKJN_1ZgPJ@localhost/pi
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,883][23371][140372868679424][ERROR][privacyidea.app:1423] Exception on /validate/check [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 67, in check_user_or_serial_in_request_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/validate.py", line 179, in check
    result, details = check_user_pass(user, password, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 192, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 117, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 152, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1690, in check_user_pass
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1747, in check_token_list
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 357, in authenticate
    otp_counter = self.check_otp(otpval, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/totptoken.py", line 318, in check_otp
    symetric=True)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 129, in checkOtp
    otpval = self.generate(c)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 104, in generate
    hmac = self.hmac(counter=counter, key=key)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 73, in hmac
    dig = str(self.secretObj.hmac_digest(data_input, self.hashfunc))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 112, in hmac_digest
    self.setupKey()
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 144, in setupKey
    akey = decrypt(self.val, self.iv)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 341, in decrypt
    ret = hsm.decrypt(input, iv, id)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/security/default.py", line 388, in decrypt
    eof = output.rfind(u"\x01\x02")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)
[2015-07-15 16:16:35,884][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:239] exception DataError('(DataError) (1406, "Data too long for column 'info' at row 1")',)
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:240] DATA: {'info': u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", 'realm': u'cbatl', 'success': False, 'privacyidea_server': '127.0.0.1', 'client_user_agent': None, 'client': '127.0.0.1', 'user': u'jomunoz.site', 'action_detail': '', 'action': 'POST /validate/check'}
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:241]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/auditmodules/sqlaudit.py", line 231, in finalize_log
    self.session.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 721, in commit
    self.transaction.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 354, in commit
    self._prepare_impl()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 334, in _prepare_impl
    self.session.flush()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1818, in flush
    self._flush(objects)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1936, in _flush
    transaction.rollback(_capture_exception=True)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/langhelpers.py", line 58, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1900, in _flush
    flush_context.execute()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 372, in execute
    rec.execute(self)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 525, in execute
    uow
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 64, in save_obj
    table, insert)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 569, in _emit_insert_statements
    execute(statement, params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
    params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
    compiled_sql, distilled_params
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
    exc_info
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
    cursor.execute(statement, parameters)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
DataError: (DataError) (1406, "Data too long for column 'info' at row 1") 'INSERT INTO pidea_audit (date, signature, action, success, serial, token_type, user, realm, administrator, action_detail, info, privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 7, 15, 16, 16, 35, 883625), '', 'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl', None, '', u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)

On Wednesday, July 15, 2015 at 4:22:35 PM UTC-4, Tom Cole wrote:

So my best option is to have everyone do a new token.

On Wednesday, July 15, 2015 at 4:20:40 PM UTC-4, Cornelius Kölbel wrote:

When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?

The system is trying to write something into the info column.
This might be a result of a faulty decryption,
resulting in a non-ASCII character.

Anyway - if you really installed PI anew and just used the old database
without the enckey, then the old OTP data would be lost.

Kind regards
Cornelius

On Wednesday, 15.07.2015, 13:14 -0700, Tom Cole wrote:

Ok - that didn't work, but now I get this error:
DataError: (DataError) (1406, "Data too long for column 'info' at row
1") 'INSERT INTO pidea_audit (date, signature, action, success,
serial, token_type, user, realm, administrator, action_detail, info,
privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s,
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), '',
'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl',
None, '', u"'ascii' codec can't decode byte 0xdb in position 0:
ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)
On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius Kölbel wrote:
Hi Tom,

    you can either reset the PIN by setting an empty PIN or... 
    
    if you are not using PIN or password at all (only OTP value), 
    then you 
    can define a policy: 
    
    scope: authentication 
    action: otppin=none 

    http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin

    Then users will only authenticate with 123456. 
    
    Kind regards 
    Cornelius 
    
    
    On Wednesday, 15.07.2015, 13:53 -0400, Tom Cole wrote:
    > Ok - since there are no OTP pins how do I reset them?  We don't use
    > pins.
    > 
    > > Cornelius Kölbel 
    > > July 15, 2015 at 13:30 
    > > If you reinstalled privacyIDEA and you restored the database then old
    > > tokens will not work.
    > > 
    > > The old tokens in the database will only work with the encryption
    > > key /etc/privacyidea/enckey. This is used
    > > 
    > > 1. to encrypt otp secrets, that are used to calculate the OTP values
    > > 2. hash or encrypt OTP pins, which may lead to "wrong pin".
    > > 3. and encrypt LDAP bindpw.
    > > 
    > > Please reset the OTP PIN of a token and check again.
    > > Resynchronize the token, as the counter in the token might be much bigger
    > > than the counter in the database.
    > > 
    > > Regarding the Client IP: 
    > > Were you using FreeRADIUS, too? 
    > > 
    > > Then the request would originate from localhost. 
    > > 
    > > Kind regards 
    > > Cornelius 
    > > 
    > > 
    > > 
    > > 
    > > Tom Cole 
    > > July 15, 2015 at 13:04 
    > > Someone deleted my VM yesterday with my PI server, so I recreated it
    > > and restored the DB.  Now I have 2 "errors"
    > > 1) Tokens already in DB fail with "wrong otp pin" even though no pin
    > >    was used
    > > 2) Client IP is always 127.0.0.1
    > > 
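Cornelius's advice quoted above is to resynchronize a token whose counter has run ahead of the counter in the restored database. The following is an added example, not privacyIDEA's own code: an RFC 4226 HOTP implementation with the normal look-ahead window used at authentication and a two-OTP resync over a much wider window, mirroring the two consecutive OTP values that privacyIDEA's token resync asks for. The seed and counter values are constructed.

```python
"""HOTP counter resynchronisation after a database restore.

Added example, not privacyIDEA's own code. It models the situation from the
thread: the token keeps counting while the server's copy of the counter is
restored from an old backup, so the normal look-ahead window no longer covers
the token's real counter and every OTP is rejected. A resync with two
consecutive OTPs searches a much wider window and re-aligns the stored counter.
The secret and counters below are constructed sample values.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """Server-side token record: secret plus the next counter it expects."""

    def __init__(self, secret: bytes, counter: int, window: int = 10):
        self.secret = secret
        self.counter = counter   # next expected counter value
        self.window = window     # normal look-ahead during authentication

    def check_otp(self, otp: str) -> int:
        """Return the matched counter, or -1 if nothing in the window matches.
        On success the stored counter moves past the used value, so the same
        OTP cannot be replayed."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return c
        return -1

    def resync(self, otp1: str, otp2: str, resync_window: int = 10000) -> bool:
        """Re-align the counter from two consecutive OTPs.
        A single OTP over a wide window would be easy to guess, which is why
        the resync requires two values at adjacent counters."""
        for c in range(self.counter, self.counter + resync_window):
            if hmac.compare_digest(hotp(self.secret, c), otp1) and \
               hmac.compare_digest(hotp(self.secret, c + 1), otp2):
                self.counter = c + 2
                return True
        return False


# Constructed sample: the RFC 4226 test seed, a token that has been used 1050
# times, and a restored database that still believes it is at counter 40.
SEED = b"12345678901234567890"
TOKEN_COUNTER = 1050


def demo() -> dict:
    server = HotpToken(SEED, counter=40)
    results = {}
    # Normal authentication fails: 1050 is far outside the look-ahead window.
    results["auth_before_resync"] = server.check_otp(hotp(SEED, TOKEN_COUNTER))
    # Resync with two consecutive OTPs read from the token.
    results["resync"] = server.resync(hotp(SEED, TOKEN_COUNTER),
                                      hotp(SEED, TOKEN_COUNTER + 1))
    results["counter_after_resync"] = server.counter
    # The next OTP from the token is accepted again, and replaying it is not.
    nxt = hotp(SEED, TOKEN_COUNTER + 2)
    results["auth_after_resync"] = server.check_otp(nxt)
    results["replay_rejected"] = server.check_otp(nxt) == -1
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```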

and even with the rule I am still getting wrong otp pin

No_OTPPIN
~~~~~~~~~

user: [u'*']

resolver: []

active: True

adminrealm: []

condition: 0

realm: [u'cbatl']

client: []

time: ****

action: {u'otppin': u'none'}

scope: authentication


Hi Tom,

you can either reset the PIN by setting an empty PIN or…

if you are not using PIN or password at all (only OTP value), then you
can define a policy:

scope: authentication
action: otppin=none

http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin

Then users will only authenticate with 123456.

Kind regards
Cornelius

On Wednesday, 15.07.2015, 13:53 -0400, Tom Cole wrote:

Ok - since there are no OTP pins how do I reset them? We don’t use
pins.

Cornelius Kölbel
July 15, 2015 at 13:30
If you reinstalled privacyIDEA and you restored the database then old
tokens will not work.

The old tokens in the database will only work with the encryption
key /etc/privacyidea/enckey. This is used

  1. to encrypt otp secrets, that are used to calculate the OTP values
  2. hash or encrypt OTP pins, which may lead to “wrong pin”.
  3. and encrypt LDAP bindpw.

Please reset the OTP PIN of a token and check again.
Resynchronize the token, as the counter in the token might be much bigger
than the counter in the database.

Regarding the Client IP:
Were you using FreeRADIUS, too?

Then the request would originate from localhost.

Kind regards
Cornelius

Tom Cole
July 15, 2015 at 13:04
Someone deleted my VM yesterday with my PI server, so I recreated it
and restored the DB. Now I have 2 “errors”

  1. Tokens already in DB fail with “wrong otp pin” even though no pin
    was used
  2. Client IP is always 127.0.0.1

Server info below:

privacyIDEA configuration documentation
=======================================

PI.cfg
------

PI_HSM: default

PI_LOGFILE: /var/log/privacyidea/privacyidea.log

PI_AUDIT_KEY_PUBLIC: /etc/privacyidea/public.pem

PI_PEPPER: 6bLB1JquhkQTby48RRnyStl7

PI_ENCFILE: /etc/privacyidea/enckey

For security reason we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: privacyidea.lib.auditmodules.sqlaudit

PI_LOGLEVEL: 20

PI_AUDIT_KEY_PRIVATE: /etc/privacyidea/private.pem

SUPERUSER_REALM: ['super']
.. note:: The SUPERUSER_REALM is a list of defined realms where the
   users will have administrative rights when logging in to the web UI.

Local Admins
------------

In addition to the SUPERUSER_REALM there are local administrators
stored in the database. The following administrators are defined:

System Base Configuration
-------------------------

timestamp: 2015-07-14 15:37:35.912288

IncFailCountOnFalsePin: True

Resolver Configuration
----------------------

The following resolvers are defined. Resolvers are connections to
user stores.
To learn more about resolvers read [#resolvers]_.

cbatl-ldap
~~~~~~~~~~

* Name of the resolver: cbatl-ldap
* Type of the resolver: ldapresolver

Configuration
.............

BINDDN: **cbatl\paldap**

AUTHTYPE: **NTLM**

LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**

LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**

LDAPURI: **ldap://10.240.70.9**

LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**

UIDTYPE: **DN**

BINDPW: **Cb4netops!**

USERINFO: **{ "username": "sAMAccountName", "surname" : "sn",
"givenname" : "givenName" }**

TIMEOUT: **5**

SIZELIMIT: **500**

NOREFERRALS: **1**

LOGINNAMEATTRIBUTE: **sAMAccountName**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

cbatl
~~~~~~~~~~~~~~~
* Name of the realm: cbatl

**This is the default realm!**

Users in the default realm can authenticate without specifying the
realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: cbatl-ldap
  Priority: None
  Type: ldapresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

Web_Timeout
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[]**

client: **[]**

time: ****

action: **{u'logout_time': u'300'}**

scope: **webui**

Token_Defaults
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\\<u>'}**

scope: **enrollment**

Self_Service
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'enrollTOTP': True, u'enable': True, u'resync': True,
u'delete': True}**

scope: **user**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

.. [#resolvers]
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms]
http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies]
http://privacyidea.readthedocs.org/en/latest/policies/index.h


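The two replies quoted above (Cornelius's 13:30 message on what the enckey protects, and the otppin=none policy) describe why a database restored onto a fresh install answers “wrong otp pin” even for tokens that never had a PIN. The following is an added example, not privacyIDEA's own code: it models a token record whose OTP seed is encrypted and whose PIN is hashed under the server key, then runs a simplified /validate/check against it with the original key, with the key of a fresh install, and with the fresh key plus otppin=none. The HMAC counter-mode cipher and the PBKDF2 PIN hash are stand-ins chosen so the example runs on the standard library; privacyIDEA's real constructions differ. Keys, seed and nonce are constructed and fixed so the outcome is reproducible.

```python
import hashlib
import hmac
import struct

NONCE_LEN = 16


def keystream(enckey: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher
    (an assumption for this example; privacyIDEA uses its own AES-based scheme)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enckey, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_otp_seed(enckey: bytes, seed: bytes, nonce: bytes) -> bytes:
    """Store the OTP seed only in encrypted form (hex-encoded, nonce prepended)."""
    plaintext = seed.hex().encode("ascii")
    ks = keystream(enckey, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_otp_seed(enckey: bytes, blob: bytes):
    """Decrypt the stored seed. Under the wrong key the output is random bytes
    rather than ASCII hex, which is what surfaces as the
    "'ascii' codec can't decode byte ..." error in the audit log above."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(enckey, nonce, len(body))
    raw = bytes(a ^ b for a, b in zip(body, ks))
    try:
        return bytes.fromhex(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


def hash_pin(enckey: bytes, pin: str) -> bytes:
    """Peppered PIN hash. Because the server key goes into the hash, even the
    empty PIN "" stored by one server does not verify on a server with a new key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), enckey, 10_000)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for the given seed and counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate_check(record: dict, enckey: bytes, pin: str, otp: str,
                   otppin: str = "tokenpin") -> str:
    """Simplified /validate/check: PIN first (skipped under the authentication
    policy otppin=none), then the OTP value against the decrypted seed."""
    if otppin != "none":
        if not hmac.compare_digest(hash_pin(enckey, pin), record["pin_hash"]):
            return "wrong otp pin"
    seed = decrypt_otp_seed(enckey, record["seed_enc"])
    if seed is None:
        return "decryption failed"
    if hotp(seed, record["counter"]) != otp:
        return "wrong otp value"
    return "ok"


def demo() -> dict:
    """Constructed scenario: a token enrolled on the deleted VM, checked on the
    rebuilt VM that generated a new enckey."""
    old_key = hashlib.sha256(b"enckey of the deleted VM (constructed)").digest()
    new_key = hashlib.sha256(b"enckey of the fresh install (constructed)").digest()
    seed = hashlib.sha1(b"otp seed of the user's token (constructed)").digest()
    nonce = b"\x00" * NONCE_LEN  # fixed nonce for reproducibility only
    record = {
        "seed_enc": encrypt_otp_seed(old_key, seed, nonce),
        "pin_hash": hash_pin(old_key, ""),  # no PIN in use, as in the thread
        "counter": 7,
    }
    otp = hotp(seed, 7)  # the value the user's token displays
    wrong_otp = str((int(otp) + 1) % 10 ** 6).zfill(6)
    return {
        "original_key": validate_check(record, old_key, "", otp),
        "original_key_wrong_otp": validate_check(record, old_key, "", wrong_otp),
        "new_key": validate_check(record, new_key, "", otp),
        "new_key_otppin_none": validate_check(record, new_key, "", otp, otppin="none"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the original key the empty PIN verifies and the OTP matches; with the fresh install's key the PIN check fails first, which is the “wrong otp pin” Tom sees, and setting otppin=none only moves the failure to the seed decryption, so the policy alone cannot rescue tokens enrolled under a lost key.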

Hi Tom,

ahem. Well, the idea is that the database administrator is not able to
steal sensitive data. Or sensitive data can not be read if transmitted
over IP to the database without SSL.
So several data in the database is encrypted.

The encryption is performed using an encryption key in the simplest way
in the file specified in the pi.cfg with the key PI_ENCFILE.
(see 2.5. The Config File — privacyIDEA 3.8 documentation)

So if you want to have a complete backup, you should at least backup the
enckey file once and the database every now and then.

Yes. If you just recovered the database, this database is…
…data garbage.

There might be a more elaborate chapter about backup and restore…

If you are running VMs the easiest way is to make a backup of the VM -
somewhere in the start. Later you can create snapshots/backups of the
database…

Kind regards
Cornelius

On Wednesday, 15.07.2015, 13:22 -0700, Tom Cole wrote:

So my best option is to have everyone do a new token.

On Wednesday, July 15, 2015 at 4:20:40 PM UTC-4, Cornelius Kölbel wrote:
When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?

    The system is trying to write something into the info column.
    This might be the result of a faulty decryption,
    resulting in a non-ASCII character.

    Anyway - if you really installed PI anew and just used the old
    database without the enckey, then the old OTP data would be lost.
    
    Kind regards 
    Cornelius 
    
    
    
    On Wednesday, 15.07.2015, 13:14 -0700, Tom Cole wrote:
    > Ok - that didn't work, but now I get this error:
    > DataError: (DataError) (1406, "Data too long for column
    'info' at row 
    > 1") 'INSERT INTO pidea_audit (date, signature, action,
    success, 
    > serial, token_type, user, realm, administrator,
    action_detail, info, 
    > privacyidea_server, client, loglevel, clearance_level)
    VALUES (%s, %s, 
    > %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, % 
    > s)' (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), '', 
    > 'POST /validate/check', 0, None, None, u'jomunoz.site',
    u'cbatl', 
    > None, '', u"'ascii' codec can't decode byte 0xdb in position
    0: 
    > ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None,
    None) 
    > On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius Kölbel  wrote: 
    >         Hi Tom, 
    >         
    >         you can either reset the PIN by setting an empty PIN
    or... 
    >         
    >         if you are not using PIN or password at all (only
    OTP value), 
    >         then you 
    >         can define a policy: 
    >         
    >         scope: authentication 
    >         action: otppin=none 
    >         
    >
    http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin 
    >         
    >         Then users will only authenticate with 123456. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         
    >         On Wednesday, 15.07.2015, 13:53 -0400, Tom Cole wrote:
    >         > Ok - since there are no OTP pins how do I reset
    them?  We 
    >         don't use 
    >         > pins. 
    >         > 
    >         > > Cornelius Kölbel 
    >         > > July 15, 2015 at 13:30 
    >         > > If you reinstalled privacyIDEA and you restored
    the 
    >         database then 
    >         > > old 
    >         > > token will not work. 
    >         > > 
    >         > > The old tokens in the database will only work
    with the 
    >         encryption 
    >         > > key /etc/privacyidea/enckey. This is used 
    >         > > 
    >         > > 1. to encrypt otp secrets, that are used to
    calculate the 
    >         OTP values 
    >         > > 2. hash or encrypt OTP pins, which may lead to
    "wrong 
    >         pin". 
    >         > > 3. and encrypt LDAP bindpw. 
    >         > > 
    >         > > Please reset the OTP PIN of a token and check
    again. 
    >         > > Resynchronize the token, as the counter in the
    token might 
    >         be much 
    >         > > bigger 
    >         > > than the counter in the database. 
    >         > > 
    >         > > Regarding the Client IP: 
    >         > > Were you using FreeRADIUS, too? 
    >         > > 
    >         > > Then the request would originate from
    localhost. 
    >         > > 
    >         > > Kind regards 
    >         > > Cornelius 
    >         > > 
    >         > > 
    >         > > 
    >         > > 
    >         > > Tom Cole 
    >         > > July 15, 2015 at 13:04 
    >         > > Someone deleted my VM yesterday with my PI
    server, so I 
    >         recreated it 
    >         > > and restored the DB.  Now I have 2 "errors" 
    >         > > 1) Tokens already in DB fail with "wrong otp
    pin" even 
    >         though no pin 
    >         > > was used 
    >         > > 2) Client IP is always 127.0.0.1 
    >         > > 
    >         > > Server info below: 
    >         > > 
    >         > > privacyIDEA configuration documentation 
    >         > > ======================================= 
    >         > > 
    >         > > * System: QTXSNPI01.atl.careerbuilder.com 
    >         > > * Date: 2015-07-15 13:03 
    >         > > 
    >         > > PI.cfg 
    >         > > ------ 
    >         > > 
    >         > > PI_HSM: **default** 
    >         > > 
    >         > > PI_LOGFILE:
    **/var/log/privacyidea/privacyidea.log** 
    >         > > 
    >         > > PI_AUDIT_KEY_PUBLIC:
    **/etc/privacyidea/public.pem** 
    >         > > 
    >         > > PI_PEPPER: **6bLB1JquhkQTby48RRnyStl7** 
    >         > > 
    >         > > PI_ENCFILE: **/etc/privacyidea/enckey** 
    >         > > 
    >         > > For security reason we do not display the SQL
    URI, as it 
    >         may contain 
    >         > > the 
    >         > > database credentials. 
    >         > > 
    >         > > PI_AUDIT_MODULE: 
    >         **privacyidea.lib.auditmodules.sqlaudit** 
    >         > > 
    >         > > PI_LOGLEVEL: **20** 
    >         > > 
    >         > > PI_AUDIT_KEY_PRIVATE:
    **/etc/privacyidea/private.pem** 
    >         > > 
    >         > > SUPERUSER_REALM: **['super']** 
    >         > > .. note:: The SUPERUSER_REALM is a list of
    defined realms 
    >         where the 
    >         > > users 
    >         > >    will have administrative rights when logging
    in to the 
    >         web UI. 
    >         > > 
    >         > > Local Admins 
    >         > > ------------ 
    >         > > In addition to the SUPERUSER_REALM there are
    local 
    >         administrators 
    >         > > stored in 
    >         > > the database. The following administrators are
    defined: 
    >         > > 
    >         > > * **admin** <ad...@localhost.com> 
    >         > > 
    >         > > System Base Configuration 
    >         > > ------------------------- 
    >         > > 
    >         > > __timestamp__: **2015-07-14 15:37:35.912288** 
    >         > > 
    >         > > IncFailCountOnFalsePin: **True** 
    >         > > 
    >         > > Resolver Configuration 
    >         > > ---------------------- 
    >         > > The following resolvers are defined. Resolvers
    are 
    >         connections to 
    >         > > user stores. 
    >         > > To learn more about resolvers read
    [#resolvers]_. 
    >         > > 
    >         > > cbatl-ldap 
    >         > > ~~~~~~~~~~~~~~~~~~ 
    >         > > * Name of the resolver: cbatl-ldap 
    >         > > * Type of the resolver: ldapresolver 
    >         > > 
    >         > > Configuration 
    >         > > ............. 
    >         > > 
    >         > > BINDDN: **cbatl\paldap** 
    >         > > 
    >         > > AUTHTYPE: **NTLM** 
    >         > > 
    >         > > LDAPFILTER: **(&(sAMAccountName=% 
    >         s)(objectClass=person))** 
    >         > > 
    >         > > LDAPBASE:
    **CN=Users,DC=atl,DC=careerbuilder,DC=com** 
    >         > > 
    >         > > LDAPURI: **ldap://10.240.70.9** 
    >         > > 
    >         > > LDAPSEARCHFILTER: 
    >         **(sAMAccountName=*)(objectClass=person)** 
    >         > > 
    >         > > UIDTYPE: **DN** 
    >         > > 
    >         > > BINDPW: **Cb4netops!** 
    >         > > 
    >         > > USERINFO: **{ "username": "sAMAccountName",
    "surname" : 
    >         "sn", 
    >         > > "givenname" : "givenName" }** 
    >         > > 
    >         > > TIMEOUT: **5** 
    >         > > 
    >         > > SIZELIMIT: **500** 
    >         > > 
    >         > > NOREFERRALS: **1** 
    >         > > 
    >         > > LOGINNAMEATTRIBUTE: **sAMAccountName** 
    >         > > 
    >         > > Realm Configuration 
    >         > > ------------------- 
    >         > > Several resolvers are grouped into realms. 
    >         > > To learn more about realms read [#realms]_. 
    >         > > The following realms have been defined from the 
    >         resolvers: 
    >         > > 
    >         > > cbatl 
    >         > > ~~~~~~~~~~~~~~~ 
    >         > > * Name of the realm: cbatl 
    >         > > 
    >         > > **This is the default realm!** 
    >         > > 
    >         > > Users in the default realm can authenticate
    without 
    >         specifying the 
    >         > > realm. 
    >         > > Users not in the default realm always need to
    specify the 
    >         realm. 
    >         > > 
    >         > > The following resolvers are configured in this
    realm: 
    >         > > 
    >         > > * Name: cbatl-ldap 
    >         > >   Priority: None 
    >         > >   Type: ldapresolver 
    >         > > 
    >         > > Policy Configuration 
    >         > > -------------------- 
    >         > > Policies define the behaviour of privacyIDEA. 
    >         > > To learn more about policies read [#policies]_. 
    >         > > 
    >         > > The following policies are defined in your
    system: 
    >         > > 
    >         > > Web_Timeout 
    >         > > ~~~~~~~~~~~~~~~~~ 
    >         > > 
    >         > > user: **[u'*']** 
    >         > > 
    >         > > resolver: **[]** 
    >         > > 
    >         > > active: **True** 
    >         > > 
    >         > > adminrealm: **[]** 
    >         > > 
    >         > > condition: **0** 
    >         > > 
    >         > > realm: **[]** 
    >         > > 
    >         > > client: **[]** 
    >         > > 
    >         > > time: **** 
    >         > > 
    >         > > action: **{u'logout_time': u'300'}** 
    >         > > 
    >         > > scope: **webui** 
    >         > > 
    >         > > Token_Defaults 
    >         > > ~~~~~~~~~~~~~~~~~ 
    >         > > 
    >         > > user: **[u'*']** 
    >         > > 
    >         > > resolver: **[]** 
    >         > > 
    >         > > active: **True** 
    >         > > 
    >         > > adminrealm: **[]** 
    >         > > 
    >         > > condition: **0** 
    >         > > 
    >         > > realm: **[u'cbatl']** 
    >         > > 
    >         > > client: **[]** 
    >         > > 
    >         > > time: **** 
    >         > > 
    >         > > action: **{u'max_token_per_user': u'1',
    u'tokenlabel': 
    >         u'<r>\ 
    >         > > \<u>'}** 
    >         > > 
    >         > > scope: **enrollment** 
    >         > > 
    >         > > Self_Service 
    >         > > ~~~~~~~~~~~~~~~~~ 
    >         > > 
    >         > > user: **[u'*']** 
    >         > > 
    >         > > resolver: **[]** 
    >         > > 
    >         > > active: **True** 
    >         > > 
    >         > > adminrealm: **[]** 
    >         > > 
    >         > > condition: **0** 
    >         > > 
    >         > > realm: **[u'cbatl']** 
    >         > > 
    >         > > client: **[]** 
    >         > > 
    >         > > time: **** 
    >         > > 
    >         > > action: **{u'enrollTOTP': True, u'enable':
    True, 
    >         u'resync': True, 
    >         > > u'delete': True}** 
    >         > > 
    >         > > scope: **user** 
    >         > > 
    >         > > Machine Configuration 
    >         > > --------------------- 
    >         > > 
    >         > > **TODO** 
    >         > > 
    >         > > Token Configuration 
    >         > > ------------------- 
    >         > > 
    >         > > **TODO** 
    >         > > 
    >         > > CA Configuration 
    >         > > ---------------- 
    >         > > 
    >         > > **TODO** 
    >         > > 
    >         > > .. [#resolvers] 
    >         > > 
    >
    http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm 
    >         > > .. [#realms] 
    >         > > 
    >
    http://privacyidea.readthedocs.org/en/latest/configuration/realms.html 
    >         > > .. [#policies] 
    >         > > 
    >
    http://privacyidea.readthedocs.org/en/latest/policies/index.h 
    >         > > 
    >         > 
    >         
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/9a6a18d2-048f-45ab-b2d8-611d9238a710%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    




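Cornelius's advice in the message above is to back up the enckey once and the database every now and then. The following added example (not privacyIDEA's own tooling) writes a backup manifest that records the SHA-256 of the enckey next to the database dump, and a restore pre-flight that refuses to proceed when the enckey on the target host is not the one the dump was made with, so the mismatch is caught before users start failing with “wrong otp pin”. The file paths and the dump file are assumptions; producing the dump itself (with the database's own dump tool) is outside the example, and the demo builds its inputs in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(enckey_path: str, db_dump_path: str, dest_dir: str) -> str:
    """Copy the enckey and the dump into dest_dir and write manifest.json with
    the SHA-256 of both. Returns the manifest path."""
    os.makedirs(dest_dir, exist_ok=True)
    enckey_copy = os.path.join(dest_dir, "enckey")
    dump_copy = os.path.join(dest_dir, os.path.basename(db_dump_path))
    shutil.copy2(enckey_path, enckey_copy)
    os.chmod(enckey_copy, 0o600)  # the copy is as sensitive as the original key
    shutil.copy2(db_dump_path, dump_copy)
    manifest = {
        "created": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "enckey_sha256": sha256_of(enckey_path),
        "db_dump": os.path.basename(db_dump_path),
        "db_dump_sha256": sha256_of(db_dump_path),
    }
    manifest_path = os.path.join(dest_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest_path


def preflight_restore(manifest_path: str, host_enckey_path: str) -> tuple:
    """Before touching the database, check that the dump is intact and that the
    host's enckey is the key the dump was made with. Returns (ok, reason)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    backup_dir = os.path.dirname(manifest_path)
    dump_path = os.path.join(backup_dir, manifest["db_dump"])
    if not os.path.exists(dump_path):
        return False, "db dump missing from backup"
    if sha256_of(dump_path) != manifest["db_dump_sha256"]:
        return False, "db dump checksum mismatch"
    if not os.path.exists(host_enckey_path):
        return False, "no enckey on host; restore the backed-up enckey first"
    if sha256_of(host_enckey_path) != manifest["enckey_sha256"]:
        return False, "enckey mismatch: restoring this dump would yield undecryptable tokens"
    return True, "enckey matches; safe to restore"


def demo() -> dict:
    """Constructed scenario in a temp dir: the key the dump was made with, the
    key of a fresh install, and a tampered dump."""
    work = tempfile.mkdtemp(prefix="pi-backup-demo-")
    old_key = os.path.join(work, "etc-old", "enckey")   # constructed stand-in paths
    new_key = os.path.join(work, "etc-new", "enckey")
    dump = os.path.join(work, "privacyidea.sql")
    for path, content in [(old_key, b"OLDKEY" * 16), (new_key, b"NEWKEY" * 16),
                          (dump, b"-- constructed dump\nINSERT INTO token ...;\n")]:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    manifest = make_backup(old_key, dump, os.path.join(work, "backup"))
    same_key = preflight_restore(manifest, old_key)
    fresh_install = preflight_restore(manifest, new_key)
    with open(os.path.join(work, "backup", "privacyidea.sql"), "ab") as f:
        f.write(b"-- tampered\n")
    tampered = preflight_restore(manifest, old_key)
    shutil.rmtree(work)
    return {"same_key": same_key, "fresh_install": fresh_install, "tampered": tampered}


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'OK' if ok else 'REFUSED'} ({reason})")
```

The point of recording the fingerprint rather than only copying the key is that a rebuilt VM usually already has an enckey of its own, and nothing in the database itself tells you it was encrypted under a different one; the pre-flight makes that mismatch visible before the restore, when putting the backed-up enckey in place is still a one-file fix.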

If you reinstalled privacyIDEA and you restored the database then the
old tokens will not work.

The old tokens in the database will only work with the encryption
key /etc/privacyidea/enckey. This is used

  1. to encrypt OTP secrets, that are used to calculate the OTP values
  2. to hash or encrypt OTP PINs, which may lead to “wrong pin”.
  3. and to encrypt the LDAP bindpw.

Please reset the OTP PIN of a token and check again.
Resynchronize the token, as the counter in the token might be much bigger
than the counter in the database.

Regarding the Client IP:
Were you using FreeRADIUS, too?

Then the request would originate from localhost.

Kind regards
Cornelius

On Wednesday, 15.07.2015, 10:04 -0700, Tom Cole wrote:

Someone deleted my VM yesterday with my PI server, so I recreated it
and restored the DB. Now I have 2 “errors”

  1. Tokens already in DB fail with “wrong otp pin” even though no pin
    was used
  2. Client IP is always 127.0.0.1

Server info below:

privacyIDEA configuration documentation
=======================================

PI.cfg
------

PI_HSM: default

PI_LOGFILE: /var/log/privacyidea/privacyidea.log

PI_AUDIT_KEY_PUBLIC: /etc/privacyidea/public.pem

PI_PEPPER: 6bLB1JquhkQTby48RRnyStl7

PI_ENCFILE: /etc/privacyidea/enckey

For security reason we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: privacyidea.lib.auditmodules.sqlaudit

PI_LOGLEVEL: 20

PI_AUDIT_KEY_PRIVATE: /etc/privacyidea/private.pem

SUPERUSER_REALM: ['super']
.. note:: The SUPERUSER_REALM is a list of defined realms where the
   users will have administrative rights when logging in to the web UI.

Local Admins
------------

In addition to the SUPERUSER_REALM there are local administrators
stored in the database. The following administrators are defined:

System Base Configuration
-------------------------

timestamp: 2015-07-14 15:37:35.912288

IncFailCountOnFalsePin: True

Resolver Configuration
----------------------

The following resolvers are defined. Resolvers are connections to user
stores.
To learn more about resolvers read [#resolvers]_.

cbatl-ldap
~~~~~~~~~~

* Name of the resolver: cbatl-ldap
* Type of the resolver: ldapresolver

Configuration
.............

BINDDN: **cbatl\paldap**

AUTHTYPE: **NTLM**

LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**

LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**

LDAPURI: **ldap://10.240.70.9**

LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**

UIDTYPE: **DN**

BINDPW: **Cb4netops!**

USERINFO: **{ "username": "sAMAccountName", "surname" : "sn",
"givenname" : "givenName" }**

TIMEOUT: **5**

SIZELIMIT: **500**

NOREFERRALS: **1**

LOGINNAMEATTRIBUTE: **sAMAccountName**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

cbatl
~~~~~~~~~~~~~~~
* Name of the realm: cbatl

**This is the default realm!**

Users in the default realm can authenticate without specifying the
realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: cbatl-ldap
  Priority: None
  Type: ldapresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

Web_Timeout
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[]**

client: **[]**

time: ****

action: **{u'logout_time': u'300'}**

scope: **webui**

Token_Defaults
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\\<u>'}**

scope: **enrollment**

Self_Service
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'enrollTOTP': True, u'enable': True, u'resync': True,
u'delete': True}**

scope: **user**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

.. [#resolvers]
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms]
http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies]
http://privacyidea.readthedocs.org/en/latest/policies/index.h




Ok - since there are no OTP pins how do I reset them? We don’t use pins.

Cornelius Kölbel
July 15, 2015 at 13:30
If you reinstalled privacyIDEA and you restored the database then the
old tokens will not work.

The old tokens in the database will only work with the encryption
key /etc/privacyidea/enckey. This is used

  1. to encrypt OTP secrets, that are used to calculate the OTP values
  2. to hash or encrypt OTP PINs, which may lead to “wrong pin”.
  3. and to encrypt the LDAP bindpw.

Please reset the OTP PIN of a token and check again.
Resynchronize the token, as the counter in the token might be much bigger
than the counter in the database.

Regarding the Client IP:
Were you using FreeRADIUS, too?

Then the request would originate from localhost.

Kind regards
Cornelius

Tom Cole
July 15, 2015 at 13:04
Someone deleted my VM yesterday with my PI server, so I recreated it
and restored the DB. Now I have 2 “errors”

  1. Tokens already in DB fail with “wrong otp pin” even though no pin
    was used
  2. Client IP is always 127.0.0.1

Server info below:

privacyIDEA configuration documentation
=======================================

PI.cfg
------

PI_HSM: default

PI_LOGFILE: /var/log/privacyidea/privacyidea.log

PI_AUDIT_KEY_PUBLIC: /etc/privacyidea/public.pem

PI_PEPPER: 6bLB1JquhkQTby48RRnyStl7

PI_ENCFILE: /etc/privacyidea/enckey

For security reason we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: privacyidea.lib.auditmodules.sqlaudit

PI_LOGLEVEL: 20

PI_AUDIT_KEY_PRIVATE: /etc/privacyidea/private.pem

SUPERUSER_REALM: ['super']
.. note:: The SUPERUSER_REALM is a list of defined realms where the users
   will have administrative rights when logging in to the web UI.

Local Admins
------------

In addition to the SUPERUSER_REALM there are local administrators
stored in the database. The following administrators are defined:

System Base Configuration
-------------------------

timestamp: 2015-07-14 15:37:35.912288

IncFailCountOnFalsePin: True

Resolver Configuration
----------------------

The following resolvers are defined. Resolvers are connections to user
stores.
To learn more about resolvers read [#resolvers]_.

cbatl-ldap
~~~~~~~~~~

* Name of the resolver: cbatl-ldap
* Type of the resolver: ldapresolver

Configuration
.............

BINDDN: **cbatl\paldap**

AUTHTYPE: **NTLM**

LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**

LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**

LDAPURI: **ldap://10.240.70.9**

LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**

UIDTYPE: **DN**

BINDPW: **Cb4netops!**

USERINFO: **{ "username": "sAMAccountName", "surname" : "sn", 
"givenname" : "givenName" }**

TIMEOUT: **5**

SIZELIMIT: **500**

NOREFERRALS: **1**

LOGINNAMEATTRIBUTE: **sAMAccountName**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

cbatl
~~~~~~~~~~~~~~~
* Name of the realm: cbatl

**This is the default realm!**

Users in the default realm can authenticate without specifying the realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: cbatl-ldap
  Priority: None
  Type: ldapresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

Web_Timeout
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[]**

client: **[]**

time: ****

action: **{u'logout_time': u'300'}**

scope: **webui**

Token_Defaults
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\\<u>'}**

scope: **enrollment**

Self_Service
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'enrollTOTP': True, u'enable': True, u'resync': True, 
u'delete': True}**

scope: **user**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

.. [#resolvers] 
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms] 
http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies] 
http://privacyidea.readthedocs.org/en/latest/policies/index.h

Darn - and garbage day was Monday. Don't worry, this time I took a
snapshot of the VM, just in case.

On Wednesday, July 15, 2015 at 4:33:43 PM UTC-4, Cornelius Kölbel wrote:

Hi Tom,

ahem. Well, the idea is that the database administrator is not able to
steal sensitive data. Or sensitive data can not be read if transmitted
over IP to the database without SSL.
So several data in the database is encrypted.

The encryption is performed using an encryption key in the simplest way
in the file specified in the pi.cfg with the key PI_ENCFILE.
(see 2.5. The Config File — privacyIDEA 3.8 documentation)

So if you want to have a complete backup, you should at least backup the
enckey file once and the database every now and then.

Yes. If you just recovered the database, this database is…
…data garbage.

There might be a more elaborate chapter about backup and restore…

If you are running VMs the easiest way is to make a backup of the VM -
somewhere in the start. Later you can create snapshots/backups of the
database…

Kind regards
Cornelius

On Wednesday, 15.07.2015, 13:22 -0700, Tom Cole wrote:

So my best option is to have everyone do a new token.

On Wednesday, July 15, 2015 at 4:20:40 PM UTC-4, Cornelius Kölbel wrote:
When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?

    The system is trying to write something into the info column.
    This might be the result of a faulty decryption,
    resulting in a non-ASCII character.

    Anyway - if you really installed PI anew and just used the old
    database without the enckey, then the old OTP data would be lost.
    
    Kind regards 
    Cornelius 
    
    
    
    On Wednesday, 15.07.2015, 13:14 -0700, Tom Cole wrote:
    > Ok - that didn't work, but now I get this error:
    > DataError: (DataError) (1406, "Data too long for column 
    'info' at row 
    > 1") 'INSERT INTO pidea_audit (date, signature, action, 
    success, 
    > serial, token_type, user, realm, administrator, 
    action_detail, info, 
    > privacyidea_server, client, loglevel, clearance_level) 
    VALUES (%s, %s, 
    > %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, % 
    > s)' (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), '', 
    > 'POST /validate/check', 0, None, None, u'jomunoz.site', 
    u'cbatl', 
    > None, '', u"'ascii' codec can't decode byte 0xdb in position 
    0: 
    > ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, 
    None) 
    > On Wednesday, July 15, 2015 at 3:48:52 PM UTC-4, Cornelius  Kölbel  wrote: 
    >         Hi Tom, 
    >         
    >         you can either reset the PIN by setting an empty PIN 
    or... 
    >         
    >         if you are not using PIN or password at all (only 
    OTP value), 
    >         then you 
    >         can define a policy: 
    >         
    >         scope: authentication 
    >         action: otppin=none 
    >         
    > 

7.3. Authentication policies — privacyIDEA 3.8 documentation

    >         
    >         Then users will only authenticate with 123456. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         
    >         On Wednesday, 15.07.2015, 13:53 -0400, Tom Cole wrote:
    >         > Ok - since there are no OTP pins how do I reset them?  We
    >         > don't use pins.
    >         >
    >         > > Cornelius Kölbel
    >         > > July 15, 2015 at 13:30
    >         > > If you reinstalled privacyIDEA and you restored the
    >         > > database then old tokens will not work.
    >         > >
    >         > > The old tokens in the database will only work with the
    >         > > encryption key /etc/privacyidea/enckey. This is used
    >         > >
    >         > > 1. to encrypt OTP secrets, that are used to calculate the
    >         > >    OTP values
    >         > > 2. to hash or encrypt OTP PINs, which may lead to "wrong
    >         > >    pin".
    >         > > 3. and to encrypt the LDAP bindpw.
    >         > >
    >         > > Please reset the OTP PIN of a token and check again.
    >         > > Resynchronize the token, as the counter in the token might
    >         > > be much bigger than the counter in the database.
    >         > >
    >         > > Regarding the Client IP:
    >         > > Were you using FreeRADIUS, too?
    >         > >
    >         > > Then the request would originate from localhost.
    >         > >
    >         > > Kind regards
    >         > > Cornelius
    >         > > 
    >         > > 
    >         > > 
    >         > > 
    >         > > Tom Cole
    >         > > July 15, 2015 at 13:04
    >         > > Someone deleted my VM yesterday with my PI server, so I
    >         > > recreated it and restored the DB.  Now I have 2 "errors"
    >         > > 1) Tokens already in DB fail with "wrong otp pin" even
    >         > >    though no pin was used
    >         > > 2) Client IP is always 127.0.0.1
    >         > >
    >         > > Server info below:
    >         > >
    >         > > privacyIDEA configuration documentation
    >         > > =======================================
    >         > > 
    >         > > * System: QTXSNPI01.atl.careerbuilder.com 
    >         > > * Date: 2015-07-15 13:03 
    >         > > 
    >         > > PI.cfg 
    >         > > ------ 
    >         > > 
    >         > > PI_HSM: **default**
    >         > >
    >         > > PI_LOGFILE: **/var/log/privacyidea/privacyidea.log**
    >         > >
    >         > > PI_AUDIT_KEY_PUBLIC: **/etc/privacyidea/public.pem**
    >         > >
    >         > > PI_PEPPER: **6bLB1JquhkQTby48RRnyStl7**
    >         > >
    >         > > PI_ENCFILE: **/etc/privacyidea/enckey**
    >         > >
    >         > > For security reason we do not display the SQL URI, as it
    >         > > may contain the database credentials.
    >         > >
    >         > > PI_AUDIT_MODULE: **privacyidea.lib.auditmodules.sqlaudit**
    >         > >
    >         > > PI_LOGLEVEL: **20**
    >         > >
    >         > > PI_AUDIT_KEY_PRIVATE: **/etc/privacyidea/private.pem**
    >         > >
    >         > > SUPERUSER_REALM: **['super']**
    >         > > .. note:: The SUPERUSER_REALM is a list of defined realms
    >         > >    where the users will have administrative rights when
    >         > >    logging in to the web UI.
    >         > > 
    >         > > Local Admins
    >         > > ------------
    >         > > In addition to the SUPERUSER_REALM there are local
    >         > > administrators stored in the database. The following
    >         > > administrators are defined:
    >         > >
    >         > > * **admin** <ad...@localhost.com>
    >         > > 
    >         > > System Base Configuration 
    >         > > ------------------------- 
    >         > > 
    >         > > __timestamp__: **2015-07-14 15:37:35.912288** 
    >         > > 
    >         > > IncFailCountOnFalsePin: **True** 
    >         > > 
    >         > > Resolver Configuration
    >         > > ----------------------
    >         > > The following resolvers are defined. Resolvers are
    >         > > connections to user stores.
    >         > > To learn more about resolvers read [#resolvers]_.
    >         > >
    >         > > cbatl-ldap
    >         > > ~~~~~~~~~~
    >         > > * Name of the resolver: cbatl-ldap
    >         > > * Type of the resolver: ldapresolver
    >         > > 
    >         > > Configuration 
    >         > > ............. 
    >         > > 
    >         > > BINDDN: **cbatl\paldap**
    >         > >
    >         > > AUTHTYPE: **NTLM**
    >         > >
    >         > > LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**
    >         > >
    >         > > LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**
    >         > >
    >         > > LDAPURI: **ldap://10.240.70.9**
    >         > >
    >         > > LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**
    >         > >
    >         > > UIDTYPE: **DN**
    >         > >
    >         > > BINDPW: **Cb4netops!**
    >         > >
    >         > > USERINFO: **{ "username": "sAMAccountName", "surname" : "sn",
    >         > > "givenname" : "givenName" }**
    >         > >
    >         > > TIMEOUT: **5**
    >         > >
    >         > > SIZELIMIT: **500**
    >         > >
    >         > > NOREFERRALS: **1**
    >         > >
    >         > > LOGINNAMEATTRIBUTE: **sAMAccountName**
    >         > > 
    >         > > Realm Configuration
    >         > > -------------------
    >         > > Several resolvers are grouped into realms.
    >         > > To learn more about realms read [#realms]_.
    >         > > The following realms have been defined from the resolvers:
    >         > >
    >         > > cbatl
    >         > > ~~~~~
    >         > > * Name of the realm: cbatl
    >         > >
    >         > > **This is the default realm!**
    >         > >
    >         > > Users in the default realm can authenticate without
    >         > > specifying the realm.
    >         > > Users not in the default realm always need to specify the
    >         > > realm.
    >         > >
    >         > > The following resolvers are configured in this realm:
    >         > >
    >         > > * Name: cbatl-ldap
    >         > >   Priority: None
    >         > >   Type: ldapresolver
    >         > > 
    >         > > Policy Configuration
    >         > > --------------------
    >         > > Policies define the behaviour of privacyIDEA.
    >         > > To learn more about policies read [#policies]_.
    >         > >
    >         > > The following policies are defined in your system:
    >         > >
    >         > > Web_Timeout
    >         > > ~~~~~~~~~~~
    >         > > 
    >         > > user: **[u'*']** 
    >         > > 
    >         > > resolver: **[]** 
    >         > > 
    >         > > active: **True** 
    >         > > 
    >         > > adminrealm: **[]** 
    >         > > 
    >         > > condition: **0** 
    >         > > 
    >         > > realm: **[]** 
    >         > > 
    >         > > client: **[]** 
    >         > > 
    >         > > time: **** 
    >         > > 
    >         > > action: **{u'logout_time': u'300'}** 
    >         > > 
    >         > > scope: **webui** 
    >         > > 
    >         > > Token_Defaults 
    >         > > ~~~~~~~~~~~~~~~~~ 
    >         > > 
    >         > > user: **[u'*']** 
    >         > > 
    >         > > resolver: **[]** 
    >         > > 
    >         > > active: **True** 
    >         > > 
    >         > > adminrealm: **[]** 
    >         > > 
    >         > > condition: **0** 
    >         > > 
    >         > > realm: **[u'cbatl']** 
    >         > > 
    >         > > client: **[]** 
    >         > > 
    >         > > time: **** 
    >         > > 
    >         > > action: **{u'max_token_per_user': u'1', 
    u'tokenlabel': 
    >         u'<r>\ 
    >         > > \<u>'}** 
    >         > > 
    >         > > scope: **enrollment** 
    >         > > 
    >         > > Self_Service 
    >         > > ~~~~~~~~~~~~~~~~~ 
    >         > > 
    >         > > user: **[u'*']** 
    >         > > 
    >         > > resolver: **[]** 
    >         > > 
    >         > > active: **True** 
    >         > > 
    >         > > adminrealm: **[]** 
    >         > > 
    >         > > condition: **0** 
    >         > > 
    >         > > realm: **[u'cbatl']** 
    >         > > 
    >         > > client: **[]** 
    >         > > 
    >         > > time: **** 
    >         > > 
    >         > > action: **{u'enrollTOTP': True, u'enable': True,
    >         > > u'resync': True, u'delete': True}**
    >         > > 
    >         > > scope: **user** 
    >         > > 
    >         > > Machine Configuration 
    >         > > --------------------- 
    >         > > 
    >         > > **TODO** 
    >         > > 
    >         > > Token Configuration 
    >         > > ------------------- 
    >         > > 
    >         > > **TODO** 
    >         > > 
    >         > > CA Configuration 
    >         > > ---------------- 
    >         > > 
    >         > > **TODO** 
    >         > > 
    >         > > .. [#resolvers]
    >         > >    http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
    >         > > .. [#realms]
    >         > >    5.2. Realms — privacyIDEA 3.8 documentation
    >         > > .. [#policies]
    >         > >    http://privacyidea.readthedocs.org/en/latest/policies/index.h
    >         > >
    >         > 
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Managing Director: Cornelius Kölbel
    >         
    >         


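The point made throughout this thread, that the OTP secrets and PINs in the database are only readable together with the enckey file named by PI_ENCFILE, so a database restored onto a rebuilt server with a fresh key yields undecodable bytes of the kind behind the "'ascii' codec can't decode byte 0xdb" audit error, as an added example. This is not code from privacyIDEA or from anyone in the thread: it uses a constructed HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag as a stand-in for privacyIDEA's AES, two constructed keys standing in for the old and new enckey files, and the RFC 4226 reference seed as the stored secret. The backup manifest with an enckey fingerprint is my own suggestion for catching a mismatched restore before the server is started, not a privacyIDEA feature.

```python
"""Why a privacyIDEA database backup is useless without the enckey file.

Added example, not privacyIDEA code. Token secrets and PINs are stored
encrypted under the key named by PI_ENCFILE; here a constructed
HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands
in for the real AES scheme so the script needs only the standard library.
"""
import hashlib
import hmac
import json
import os

# Constructed 32-byte keys standing in for two different enckey files: the
# one lost with the deleted VM and the one generated on the rebuilt VM.
OLD_ENCKEY = bytes(range(32))
NEW_ENCKEY = bytes(range(32, 64))

# RFC 4226 reference seed, hex-encoded the way privacyIDEA stores HOTP secrets.
OTP_SEED_HEX = b"3132333435363738393031323334353637383930"


class KeyMismatch(Exception):
    """Raised when a row's tag does not verify under the supplied key."""


def _keystream(key, iv, length):
    """Derive `length` bytes of keystream from key, IV and a block counter."""
    out = b""
    counter = 0
    while len(out) < length:
        block = iv + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, iv=None):
    """Encrypt and authenticate; returns the columns a DB row would hold."""
    if iv is None:
        iv = os.urandom(16)
    ks = _keystream(key, iv, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    return {"iv": iv.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_unauthenticated(key, row):
    """Decrypt without checking the tag. With the wrong key this quietly
    returns garbage bytes, which is how an undecodable byte such as 0xdb
    ends up being written into the audit 'info' column."""
    iv, ct = bytes.fromhex(row["iv"]), bytes.fromhex(row["ct"])
    ks = _keystream(key, iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def decrypt(key, row):
    """Verify the tag first, so a restore with the wrong enckey fails loudly
    instead of feeding garbage into the token code."""
    iv, ct = bytes.fromhex(row["iv"]), bytes.fromhex(row["ct"])
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(row["tag"])):
        raise KeyMismatch("tag check failed: row was not encrypted with this enckey")
    return decrypt_unauthenticated(key, row)


def wrong_key_detected(key, row):
    """True if authenticated decryption rejects `key` for `row`."""
    try:
        decrypt(key, row)
    except KeyMismatch:
        return True
    return False


def backup_manifest(enckey):
    """Fingerprint of the enckey, to be stored next to the database dump."""
    return json.dumps({"enckey_sha256": hashlib.sha256(enckey).hexdigest()})


def restore_matches(manifest, enckey):
    """Check, before starting the server, that the restored dump and the
    enckey on disk belong together."""
    return json.loads(manifest)["enckey_sha256"] == hashlib.sha256(enckey).hexdigest()


def is_ascii(data):
    """Mirror the failing step in the thread: can these bytes be decoded?"""
    try:
        data.decode("ascii")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    row = encrypt(OLD_ENCKEY, OTP_SEED_HEX)        # what the old DB held
    manifest = backup_manifest(OLD_ENCKEY)         # what a good backup adds
    garbage = decrypt_unauthenticated(NEW_ENCKEY, row)
    print("decrypted with the rebuilt VM's key, decodes as ASCII:", is_ascii(garbage))
    print("authenticated decrypt rejects the new key:", wrong_key_detected(NEW_ENCKEY, row))
    print("manifest matches the new key:", restore_matches(manifest, NEW_ENCKEY))
    print("manifest matches the old key:", restore_matches(manifest, OLD_ENCKEY))
```

The two failure modes are the ones in the thread: unauthenticated decryption under the wrong key produces bytes that look like data until something tries to decode them, which is the "wrong otp pin" and the audit DataError, while a tag check or a manifest fingerprint turns the same mistake into an immediate, explicit failure at restore time. Either way, the fix is the one Cornelius gives: the backup set is enckey plus database, never the database alone.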