Problem authenticating one user against Active Directory

Hello,

we use active directory as resolver and one of our users can’t log into the webisite using his AD Credentials.
The log file shows that privacyidea tries to use “none” as username against out ad servers?

[2019-03-27 09:39:19,210][21847][139731737429760][INFO][privacyidea.lib.user:230] user u’firstname.lastname’ found in resolver u’company-AD’
[2019-03-27 09:39:19,211][21847][139731737429760][INFO][privacyidea.lib.user:231] userid resolved to ‘61315c70-8313-47c7-9d53-3af1e7cc778c’
[2019-03-27 09:39:19,213][21847][139731737429760][INFO][privacyidea.lib.user:346] User u’firstname.lastname’ from realm u’company’ tries to authenticate
[2019-03-27 09:39:19,229][21847][139731737429760][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:303] failed to check password for ‘61315c70-8313-47c7-9d53-3af1e7cc778c’/u’offce\None’: Exception(‘Wrong credentials’,)
[2019-03-27 09:39:19,230][21847][139731737429760][INFO][privacyidea.lib.user:359] user User(login=u’firstname.lastname’, realm=u’company’, resolver=u’company-AD’) failed to authenticate.

We also have a test server that is the same setup but there the correct username is used for auth for this user.

Any idea why privacyidea is doing this for this particular user?

This version works
dpkg -l privacy*
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Architektur Beschreibung
++±==============-============-============-=================================
un privacyidea (keine Beschreibung vorhanden)
ii privacyidea-ap 2.22.1-1trus all 2FA system. This is a meta packag
un privacyidea-ng (keine Beschreibung vorhanden)
ii privacyidea-ra 2.22.1-1trus all FreeRADIUS module for privacyIDEA

this doesn’t
dpkg -l privacy*
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Architektur Beschreibung
++±=====================================================-===============================-===============================-===============================================================================================================
un privacyidea (keine Beschreibung vorhanden)
ii privacyidea-apache2 2.23.5-1trusty all 2FA system. This is a meta package to install privacyidea with apache2
un privacyidea-nginx (keine Beschreibung vorhanden)
ii privacyidea-radius 2.23.5-1trusty all FreeRADIUS module for privacyIDEA, OTP authentication

Thanks

It could be, that you are hitting this issue:

This is fixed in ldap3 version 2.6.
We will ship privacyIDEA 3.0 with this new version.

You can use a special resolver for this very user and e.g. resolve for DN.

Hello Cornelius,

i’m not sure how the resolver for that one person should look like.
If i set the BaseDN to his DN i get this error:

[INFO][privacyidea.lib.resolvers.LDAPIdResolver:415] The filter u’(&(sAMAccountName=*)(objectClass=person)(objectGUID=\70\5c\31\61\13\83\c7\47\9d\53\3a\f1\e7\cc\77\8c))’ returned no DN.
[2019-04-04 10:46:35,611][18564][139731754215168][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:303] failed to check password for ‘61315c70-8313-47c7-9d53-3af1e7cc778c’/’’: Exception(‘No valid user. Empty bind_user.’,)

Could you give me a hint :wink:

You can add a single resolver that looks like the original one.
Add a filter with (sAMAccountName=theUserName). (theUserName being the problematic user).

In this resolver do not use the objectGUID but the sAMAccountName for the user.

In addition you could exclud this single user from the original resolver.
Add this resolver to your realm.

ldap3 version 2.6 has fixed this issue.