LinOTP migration

Hello,
I followed your instructions about how to migrate LinOTP tokens to privacyIDEA.
I did it and I’m seeing all the tokens in the token list.
The problem is that when I’m trying to test a token, I’m getting “500 internal server error”.
Any idea?

Thank you

Hi @Light,
welcome here. Good decision to get rid of LinOTP. After all this was a great software years ago but did not develop a lot anymore. (just my 2 cents)
I will give you hints, not complete instructions. I will do no support request here. I do not have to earn any karma points anymore :wink:
Maybe someone else will…
My goal is that you are able to solve your problem yourself!

When you encounter a “500 internal server error” there is a problem in the execution of the code.
So in this case you will always have to take a look at the privacyidea.log and most probably also at the webserver log.

PS: which instruction did you follow? It always helps to link what you did!

Hi cornelinux, and thanks for your answer.
I followed this post:

This is the log; I’m seeing a problem:

[2021-01-25 02:22:59,844][19769][140044729173760][INFO][privacyidea.lib.user:233] user 'test100' found in resolver 'global'
[2021-01-25 02:22:59,845][19769][140044729173760][INFO][privacyidea.lib.user:234] userid resolved to '11a088d9-12a6-4aa9-9256-57bf423a80b6'
[2021-01-25 02:22:59,865][19769][140044729173760][ERROR][privacyidea.app:1892] Exception on /validate/check [GET]
Traceback (most recent call last):
  File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/privacyidea/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/postpolicy.py", line 108, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/postpolicy.py", line 108, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/postpolicy.py", line 108, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  [Previous line repeated 8 more times]
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/decorators.py", line 41, in function_wrapper
    response = wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 154, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 154, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 154, in policy_wrapper
    return wrapped_function(*args, **kwds)
  [Previous line repeated 5 more times]
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/decorators.py", line 100, in check_user_or_serial_in_request_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/subscriptions.py", line 333, in check_subscription_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 154, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/event.py", line 99, in event_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/validate.py", line 396, in check
    success, details = check_user_pass(user, password, options=options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 186, in auth_cache
    res, reply_dict = wrapped_function(user_object, passw, options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 254, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 223, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 355, in auth_user_timelimit
    res, reply_dict = wrapped_function(user_object, passw, options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 442, in auth_lastauth
    res, reply_dict = wrapped_function(user_or_serial, passw, options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 332, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/log.py", line 155, in log_wrapper
    return func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/token.py", line 2052, in check_user_pass
    allow_reset_all_tokens=True)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/log.py", line 155, in log_wrapper
    return func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 638, in reset_all_user_tokens
    r = wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policydecorators.py", line 93, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/challengeresponsedecorators.py", line 150, in generic_challenge_response_reset_pin
    success, reply_dict = wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/token.py", line 2206, in check_token_list
    tokenobject.authenticate(passw, user, options=options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/decorators.py", line 45, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/tokenclass.py", line 456, in authenticate
    otp_counter = self.check_otp(otpval, options=options)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/decorators.py", line 45, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/tokens/totptoken.py", line 360, in check_otp
    symetric=True)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/log.py", line 155, in log_wrapper
    return func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/tokens/HMAC.py", line 155, in checkOtp
    otpval = self.generate(c)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/tokens/HMAC.py", line 121, in generate
    hmac = self.hmac(counter=counter, key=key)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/tokens/HMAC.py", line 83, in hmac
    dig = self.secretObj.hmac_digest(data_input, self.hashfunc)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/crypto.py", line 128, in hmac_digest
    self._setupKey_()
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/crypto.py", line 150, in _setupKey_
    akey = decrypt(self.val, self.iv)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/log.py", line 155, in log_wrapper
    return func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/crypto.py", line 393, in decrypt
    res = hsm.decrypt(to_bytes(enc_data), to_bytes(iv), key_id=key_id)
  File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/security/default.py", line 495, in decrypt
    data = binascii.unhexlify(output)
binascii.Error: Non-hexadecimal digit found

Can you guide me on what is causing this security problem?

This is not a security problem.

Look at the last line of the traceback.

You get an error of unallowed characters during decrypt.
The seeds of the tokens are stored in an encrypted way in the database.
This is also true for LinOTP.

So you are either not using the same encryption key in privacyIDEA as in LinOTP or you have not re-encrypted the data.

Having deeper knowledge either in LinOTP or in privacyIDEA helps a lot with this migration.
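The failure mode described in the reply above, as an added example that is not part of the original thread and is not privacyIDEA or LinOTP code: a seed is hex-encoded, encrypted under one key, and then decrypted under another, so the final `unhexlify` step from the last traceback frame rejects the result. The cipher is a standard-library stand-in, and the keys, serials and helper names are constructed for illustration.

```python
import binascii
import hashlib
import hmac


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library; it is not the cipher privacyIDEA uses.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def encrypt_seed(seed: bytes, key: bytes, iv: bytes) -> bytes:
    # The plaintext that gets encrypted is the hex encoding of the seed.
    plain = binascii.hexlify(seed)
    return bytes(a ^ b for a, b in zip(plain, _keystream(key, iv, len(plain))))


def decrypt_seed(enc: bytes, key: bytes, iv: bytes) -> bytes:
    output = bytes(a ^ b for a, b in zip(enc, _keystream(key, iv, len(enc))))
    # Same final step as the last traceback frame: a wrong key leaves
    # arbitrary bytes in `output`, and unhexlify rejects them.
    return binascii.unhexlify(output)


def undecryptable_serials(rows, key: bytes) -> dict:
    """Return {serial: error text} for rows that do not decrypt under `key`."""
    failed = {}
    for serial, iv, enc in rows:
        try:
            decrypt_seed(enc, key, iv)
        except binascii.Error as exc:
            failed[serial] = str(exc)
    return failed


# Constructed sample data: two keys and two token rows (serial, iv, ciphertext).
LINOTP_KEY = bytes(range(32))        # stands for the key the old server used
PI_KEY = bytes(range(32, 64))        # stands for the key the new server uses
ROWS = [
    ("TOTP0001", b"\x01" * 16, encrypt_seed(b"A" * 20, LINOTP_KEY, b"\x01" * 16)),
    ("TOTP0002", b"\x02" * 16, encrypt_seed(b"B" * 20, PI_KEY, b"\x02" * 16)),
]
```

Running `undecryptable_serials(ROWS, PI_KEY)` over migrated rows before switching authentication traffic lists the tokens that would otherwise fail with a 500 on `/validate/check`.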

OK, I did it!!! Thanks.
The problem was with the enckey.

Now another question: I now have one privacyIDEA with the LinOTP TOTP tokens I just migrated and another privacyIDEA with TOTP tokens.
Can I merge them into one server, or can’t I because the enckey is different?

This is possible, similar to the LinOTP migration script.
But there is no ready-made tool for this.

You probably would have done better to migrate the linotp data into the privacyidea with the existing tokens.