Problems with LDAP-Resolver

Dear PrivacyIDEA Community,

I have installed a small setup for a VPN solution. Mostly everything works like a charm. The only thing that causes me some headache is one LDAP server (Windows Server 2012 R2).

If I test the connection to the server within the resolver settings, everything is OK. Even adding and removing users from the respective group works like a charm, and the right number of users is shown in privacyIDEA.

But when I open the realm with the resolver no users appear. I already checked the logs and it seems like it is some kind of encoding issue.

This is the output when the resolver tries to fetch the user:

```
[ERROR][privacyidea.lib.user:651] UnicodeDecodeError('ascii', 'X7wuAvV\xc2\xa7', 7, 8, 'ordinal not in range(128)')
```

Unfortunately I have no programming knowledge, so I am not able to fix this issue myself.

Best regards

Hi Baltic,

this error shouldn’t happen :slight_smile: There were some issues with unicode encoding and decoding in earlier versions of privacyIDEA, but they should have been fixed by now.

Could you tell us the versions of the privacyIDEA, ldap3 and pyasn1 packages? You can obtain them via pip freeze.

Could you retry with the DEBUG logging level? Then, the log should also contain the traceback for the above error which would be helpful.

Best Regards

Friedrich

Hi Friedrich,

thank you for your fast reply! By putting the instance on DEBUG logging level I could already trace the issue back and found a workaround. Obviously it's a problem with the NTLM bind to the LDAP server. After switching to simple bind everything works fine and privacyIDEA imports the users as it is supposed to.

Here is the requested additional information:

```
privacyIDEA==2.22.1
ldap3==2.1.1
pyasn1==0.1.9
```

```
[2018-07-17 10:52:37,609][1294][140317935113984][ERROR][privacyidea.lib.user:651] UnicodeDecodeError('ascii', 'X7wuAvV\xc2\xa7', 7, 8, 'ordinal not in range(128)')
[2018-07-17 10:52:37,609][1294][140317935113984][DEBUG][privacyidea.lib.user:652] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 637, in get_user_list
    ulist = y.getUserList(searchDict)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 571, in getUserList
    self._bind()
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 435, in _bind
    if not self.l.bind():
  File "/usr/lib/python2.7/dist-packages/ldap3/core/connection.py", line 543, in bind
    response = self.do_ntlm_bind(controls)
  File "/usr/lib/python2.7/dist-packages/ldap3/core/connection.py", line 1236, in do_ntlm_bind
    request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client, result['server_creds'])
  File "/usr/lib/python2.7/dist-packages/ldap3/operation/bind.py", line 75, in bind_operation
    server_creds = name.create_authenticate_message()
  File "/usr/lib/python2.7/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
    nt_challenge_response = self.compute_nt_response()
  File "/usr/lib/python2.7/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
    response_key_nt = self.ntowf_v2()
  File "/usr/lib/python2.7/dist-packages/ldap3/utils/ntlm.py", line 496, in ntowf_v2
    password_digest = hashlib.new('MD4', self._password.encode('utf-16-le')).digest()
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 7: ordinal not in range(128)

[2018-07-17 10:52:37,609][1294][140317935113984][DEBUG][privacyidea.lib.user:197] Exiting get_user_list with result []
[2018-07-17 10:52:37,630][1294][140317935113984][DEBUG][privacyidea.api.lib.utils:245] Can not get param: No JSON object could be decoded
```

Thank you very much and best regards,
Nils
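The traceback above pins the failure to one line: on Python 2, `self._password` is a byte string (`'X7wuAvV\xc2\xa7'`, the UTF-8 encoding of `X7wuAvV§`), and calling `.encode('utf-16-le')` on a byte string makes Python first *decode* it with the default ASCII codec, which dies on the `0xc2` at index 7. NTLM itself is not the problem; the password simply never reached the UTF-16-LE/MD4 step. The example below is added here for illustration and is not code from the thread, from ldap3 or from privacyIDEA. It reproduces the Python 2 path explicitly (`py2_style_utf16`), and shows the NT hash (NTOWFv1) and NTOWFv2 derivation from MS-NLMP done with a text password instead, including a pure-Python MD4 fallback because some OpenSSL builds no longer expose MD4. The assumption that a `bytes` password should be decoded as UTF-8 is ours; a real client has to know the encoding the configuration store used.

```python
"""Added example (not ldap3/privacyIDEA code): reproduce the Python 2
ASCII decode failure and derive NTOWFv1/NTOWFv2 from a non-ASCII password."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4_pure(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), used only when hashlib has no md4."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def md4(data: bytes) -> bytes:
    """Prefer OpenSSL's MD4; fall back to the pure-Python version if absent."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # "unsupported hash type" on OpenSSL 3 without legacy provider
        return _md4_pure(data)


def py2_style_utf16(password_bytes: bytes) -> bytes:
    """What ldap3 2.1.1 on Python 2 effectively did: str.encode() on a byte
    string implicitly decodes it as ASCII first, so any byte >= 0x80 raises."""
    return password_bytes.decode("ascii").encode("utf-16-le")


def reproduce_ascii_failure(password_bytes: bytes):
    """Return (codec, failing index, reason) for the Python 2 path, or None."""
    try:
        py2_style_utf16(password_bytes)
    except UnicodeDecodeError as exc:
        return exc.encoding, exc.start, exc.reason
    return None


def nt_hash(password) -> bytes:
    """NTOWFv1: MD4 over the UTF-16-LE password (MS-NLMP 3.3.1).
    Assumption (ours): a bytes password is UTF-8, as it was in the thread."""
    if isinstance(password, bytes):
        password = password.decode("utf-8")
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UTF-16-LE(upper(user) + domain); this is the 'response_key_nt' in the trace."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), msg, hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed input: the exact byte string from the traceback.
    pw = b"X7wuAvV\xc2\xa7"
    print("Python 2 path:", reproduce_ascii_failure(pw))
    print("NT hash      :", nt_hash(pw).hex())
```

Run it and the Python 2 path reports `('ascii', 7, 'ordinal not in range(128)')`, the same codec, index and reason as the log, while `nt_hash` accepts the same bytes once they are decoded as text. That also explains why simple bind worked: it sends the password bytes as-is and never calls `.encode()` on them.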

Hi Nils,

nice to hear you got it working and that simple bind also works for you! This appears to be a bug with non-ASCII NTLM bind passwords, so I opened an issue. Thanks for pointing this out!

Best Regards

Friedrich