Problem authenticating one user against Active Directory

Hello,

we use Active Directory as resolver and one of our users can't log into the website using his AD credentials.
The log file shows that privacyidea tries to use "None" as username against our AD servers?

[2019-03-27 09:39:19,210][21847][139731737429760][INFO][privacyidea.lib.user:230] user u'firstname.lastname' found in resolver u'company-AD'
[2019-03-27 09:39:19,211][21847][139731737429760][INFO][privacyidea.lib.user:231] userid resolved to '61315c70-8313-47c7-9d53-3af1e7cc778c'
[2019-03-27 09:39:19,213][21847][139731737429760][INFO][privacyidea.lib.user:346] User u'firstname.lastname' from realm u'company' tries to authenticate
[2019-03-27 09:39:19,229][21847][139731737429760][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:303] failed to check password for '61315c70-8313-47c7-9d53-3af1e7cc778c'/u'offce\None': Exception('Wrong credentials',)
[2019-03-27 09:39:19,230][21847][139731737429760][INFO][privacyidea.lib.user:359] user User(login=u'firstname.lastname', realm=u'company', resolver=u'company-AD') failed to authenticate.

We also have a test server that is the same setup but there the correct username is used for auth for this user.

Any idea why privacyidea is doing this for this particular user?

This version works
dpkg -l privacy*
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Architektur Beschreibung
+++-==============-============-============-=================================
un privacyidea (keine Beschreibung vorhanden)
ii privacyidea-ap 2.22.1-1trus all 2FA system. This is a meta packag
un privacyidea-ng (keine Beschreibung vorhanden)
ii privacyidea-ra 2.22.1-1trus all FreeRADIUS module for privacyIDEA

This doesn't:
dpkg -l privacy*
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Architektur Beschreibung
+++-=====================================================-===============================-===============================-===============================================================================================================
un privacyidea (keine Beschreibung vorhanden)
ii privacyidea-apache2 2.23.5-1trusty all 2FA system. This is a meta package to install privacyidea with apache2
un privacyidea-nginx (keine Beschreibung vorhanden)
ii privacyidea-radius 2.23.5-1trusty all FreeRADIUS module for privacyIDEA, OTP authentication

Thanks

It could be that you are hitting this issue:

This is fixed in ldap3 version 2.6.
We will ship privacyIDEA 3.0 with this new version.

You can use a special resolver for this very user and e.g. resolve for DN.

Hello Cornelius,

I'm not sure how the resolver for that one person should look.
If I set the BaseDN to his DN I get this error:

[INFO][privacyidea.lib.resolvers.LDAPIdResolver:415] The filter u'(&(sAMAccountName=*)(objectClass=person)(objectGUID=\70\5c\31\61\13\83\c7\47\9d\53\3a\f1\e7\cc\77\8c))' returned no DN.
[2019-04-04 10:46:35,611][18564][139731754215168][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:303] failed to check password for '61315c70-8313-47c7-9d53-3af1e7cc778c'/'': Exception('No valid user. Empty bind_user.',)

Could you give me a hint :wink:

You can add a single resolver that looks like the original one.
Add a filter with (sAMAccountName=theUserName). (theUserName being the problematic user).

In this resolver do not use the objectGUID but the sAMAccountName for the user.

In addition you could exclude this single user from the original resolver.
Add this resolver to your realm.

ldap3 version 2.6 has fixed this issue.

@cornelinux hello! It seems like we faced a similar issue. One user can't log in to the web interface:

[2022-07-01 10:49:12,058][244787][139964424177536][INFO][privacyidea.lib.user:252] user 'XXXX' found in resolver 'XXXX'
[2022-07-01 10:49:12,058][244787][139964424177536][INFO][privacyidea.lib.user:254] userid resolved to 'ef33345c-46e6-4811-a9a8-e8654b744b7b'
[2022-07-01 10:49:12,058][244787][139964424177536][INFO][privacyidea.lib.user:420] User 'XXXX' from realm 'XXXX' tries to authenticate
!!!Log Entry Secured by SecureFormatter!!! [2022-07-01 10:49:12,062][244787][139964424177536][INFO][privacyidea.lib.resolvers.LDAPIdResolver:491] The filter '(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=person)(memberof=XXXX)(objectGUID=\5c\34\33\ef\e6\46\11\48\a9\a8\e8\65\4b\74\4b\7b))' returned no DN.
[2022-07-01 10:49:12,062][244787][139964424177536][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:370] failed to check password for 'ef33345c-46e6-4811-a9a8-e8654b744b7b'/'': Exception('No valid user. Empty bind_user.')

I've hidden some sensitive data. It's strange - double slashes in the hex objectGUID, but I don't know whether that is normal behavior or not. For now I'll try to make a workaround with a personal resolver, but it seems to be a bug or something like that.

We're using the latest version of privacyIDEA (3.7.1).
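The `(objectGUID=\5c\34\33\ef...)` values in the two logged filters above are the RFC 4515 hex-escaped form of the 16 raw objectGUID bytes: each `\xx` is one byte, and Active Directory stores the first three GUID fields little-endian, so `ef33345c-...` starts with the bytes `5c 34 33 ef`. The following helper, added here as an example and not part of privacyIDEA or ldap3, rebuilds that escaping from a textual GUID and parses it back out of a logged filter, which lets an administrator confirm that a resolver's search filter really matches the userid the log says was resolved. The two filter strings are copied from this thread; the observation that both problem GUIDs contain the byte 0x5c (the backslash character, escaped as `\5c`) is mine and is only flagged as something to check, since the thread does not say what the ldap3 defect was.

```python
import re
import uuid

# Filters copied verbatim from the two log excerpts in this thread.
LOGGED_FILTER_2019 = (
    r"(&(sAMAccountName=*)(objectClass=person)"
    r"(objectGUID=\70\5c\31\61\13\83\c7\47\9d\53\3a\f1\e7\cc\77\8c))"
)
LOGGED_FILTER_2022 = (
    r"(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=person)"
    r"(memberof=XXXX)(objectGUID=\5c\34\33\ef\e6\46\11\48\a9\a8\e8\65\4b\74\4b\7b))"
)

# Exactly 16 \xx escapes inside "(objectGUID=...)".
_GUID_IN_FILTER = re.compile(r"\(objectGUID=((?:\\[0-9a-fA-F]{2}){16})\)")


def guid_to_filter_value(guid_text: str) -> str:
    """Hex-escape a textual GUID the way an LDAP filter needs it (RFC 4515).

    AD stores objectGUID as 16 raw bytes in Microsoft's mixed-endian layout;
    uuid.UUID.bytes_le produces exactly that layout.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return "".join(f"\\{b:02x}" for b in raw)


def filter_value_to_guid(value: str) -> str:
    """Inverse of guid_to_filter_value: parse a \\xx-escaped value back to text."""
    parts = value.split("\\")
    if parts[0] != "" or len(parts) != 17:
        raise ValueError(f"expected 16 hex-escaped bytes, got {value!r}")
    raw = bytes(int(p, 16) for p in parts[1:])
    return str(uuid.UUID(bytes_le=raw))


def guid_from_logged_filter(filter_text: str) -> str:
    """Extract the objectGUID a logged search filter was looking for."""
    match = _GUID_IN_FILTER.search(filter_text)
    if match is None:
        raise ValueError("no hex-escaped objectGUID assertion in filter")
    return filter_value_to_guid(match.group(1))


def build_guid_filter(base_filter: str, guid_text: str) -> str:
    """Compose the AND filter a resolver would send for one user."""
    return f"(&{base_filter}(objectGUID={guid_to_filter_value(guid_text)}))"


def has_backslash_byte(guid_text: str) -> bool:
    """True if the raw GUID contains 0x5c (ASCII backslash).

    Assumption, not something the thread states: a byte that escapes to \\5c is
    a plausible thing to check when a filter-escaping layer misbehaves.
    """
    return 0x5C in uuid.UUID(guid_text).bytes_le


if __name__ == "__main__":
    for label, flt in (("2019", LOGGED_FILTER_2019), ("2022", LOGGED_FILTER_2022)):
        guid = guid_from_logged_filter(flt)
        print(f"{label}: filter asks for objectGUID {guid}; "
              f"contains 0x5c byte: {has_backslash_byte(guid)}")
    print(build_guid_filter("(sAMAccountName=*)(objectClass=person)",
                            "61315c70-8313-47c7-9d53-3af1e7cc778c"))
```

Running it shows that both logged filters decode to exactly the userids reported two lines earlier in each log (`61315c70-...` and `ef33345c-...`), so the "double slashes" are not corruption of the GUID itself; the escaping is what the filter grammar requires. When comparing against what an LDAP client library emits, the same check can be applied to its output before it reaches the directory.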

In the virtualenv you need to downgrade ldap3 to version 2.8.1 or wait for a patch release of privacyIDEA.

Oh, thank you. I've downgraded ldap3 and it works for now :slight_smile:
The personal resolver worked also, but it doesn't seem a cool solution. Anyway, I'll remember this workaround)
Thank you again!