Hi Cornelius,
Just to confirm, I created an empty realm and set it as default, and
the decryption of the enckey works. So it seems the system checks
the user’s realm before the local admin.
Regards,
Sherif
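The ordering confirmed above, as an added toy model (constructed illustration, not privacyIDEA's code; the class names, the "enc:" blob prefix, the admin table and the status codes are assumptions): a login path that touches the default realm's LDAP resolver first needs the encryption key before it ever looks at the local admin, so it fails while the security module is locked, whereas checking the `pi-manage admin` table first keeps local admins usable until the enckey password has been supplied.

```python
# Constructed toy model of this thread's login ordering; not privacyIDEA code.
import hashlib
import hmac

class HsmNotReady(Exception):
    """Stands in for the server's 'ERR707: hsm not ready!' error."""

class SecurityModule:
    """Holds the enckey; an encrypted enckey is unusable until unlocked."""
    def __init__(self, encrypted):
        self.is_ready = not encrypted
    def set_password(self, password):
        self.is_ready = True                   # toy: any password unlocks it
    def decrypt(self, blob):
        if not self.is_ready:
            raise HsmNotReady("ERR707: hsm not ready!")
        return blob[len("enc:"):]              # toy: strip constructed prefix

class LdapResolver:
    """Resolver whose BIND password is stored encrypted in the database."""
    def __init__(self, hsm, bind_pw_blob, users):
        self.hsm, self.bind_pw_blob, self.users = hsm, bind_pw_blob, users
    def check_password(self, username, password):
        self.hsm.decrypt(self.bind_pw_blob)    # binding needs the plaintext
        return self.users.get(username) == password

LOCAL_ADMINS = {"admin": hashlib.sha256(b"secret").hexdigest()}  # constructed

def local_admin_ok(username, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(LOCAL_ADMINS.get(username, ""), digest)

def login_realm_first(username, password, default_realm):
    """Order seen in the thread: the default realm's resolvers run first."""
    if default_realm.check_password(username, password):
        return "realm-user"
    return "local-admin" if local_admin_ok(username, password) else None

def login_admin_first(username, password, default_realm):
    """Order that keeps local admins usable while the HSM is locked."""
    if local_admin_ok(username, password):
        return "local-admin"
    return "realm-user" if default_realm.check_password(username, password) else None

def api_login(login, *args):
    """Toy REST front end: a locked HSM surfaces as the 400 seen in the thread."""
    try:
        return 200 if login(*args) else 401
    except HsmNotReady:
        return 400
```

Realm users still cannot log in until the module is unlocked under either order, which matches the point that privacyIDEA cannot bind to LDAP without decrypting the BIND password.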
On Friday, December 4, 2015 at 3:54:23 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,
thanks a lot for the details.
I can confirm this.
If the default realm contains an LDAP-Resolver with a BIND-PW you can
not login with a local administrator.
https://github.com/privacyidea/privacyidea/issues/280
I will dig into this.
Kind regards
Cornelius
On Friday, 04.12.2015, 07:45 -0800, Sherif Nagy wrote:
> Hi Cornelius,
>
> I guess I knew what is wrong, so here is what I have done:
>
> - Disabled all the policies " I have the one for u2f auth, weblogin
>   and one for users login " and still got the same error.
> - Take out the usersresolvers from the default realm and the
>   decryption of the key will work like a charm.
> - I have LDAP resolver and passwd one, I noticed just a message in the
>   log says looking for /etc/passwd in /home/privacyidea, that is why I
>   thought to disable the usersource.
>
> So I guess the realm usersources run before the local admin ones?
>
> Regards,
> Sherif
>
> On Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote:
> okay let me disable the policies and will let you know if it
> works or not and which policies I have :)
>
> Sherif
>
> On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote:
> Hi Sherif,
>
> So for some reason the server returns an error.
> I could imagine due to some things it is doing _before_ checking the
> admin's password. And in doing this stuff, it might run into a problem,
> since the encryption key does not exist, yet.
>
> E.g. this could be some policies, which need the encryption key when
> being checked.
>
> So can you please tell, what policies you have defined and also take a
> look into the server's log file?
>
> Thanks a lot
> Cornelius
>
> On Friday, 04.12.2015, 07:18 -0800, Sherif Nagy wrote:
> > It's the local admin that has been added by pi-manage admin command
> >
> > Sherif
> >
> > On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
> > Is this a local admin?
> > Or is it an admin in a superuser-realm?
> >
> > If it is a local admin, which was added by
> >
> > pi-manage admin
> >
> > it should(TM) work, since the encryption keys are not used in
> > this case.
> >
> > If it is an admin in a superuser-realm in e.g. an LDAP, it will not
> > work, since PI can not decrypt the LDAP password to find the admin in
> > the LDAP.
> >
> > Kind regards
> > Cornelius
> >
> > On Friday, 04.12.2015, 07:02 -0800, Sherif Nagy wrote:
> > > Hello again,
> > >
> > > So before encrypting the enckey, I am getting securitymodule value
> > > true "after upgrading to 2.7devX, I encrypt the enckey, paste the data
> > > and replace the file, restart Apache, run again the command to check
> > > the status " should be false or HSM not ready, but I am getting the
> > > below error:
> > >
> > > Traceback (most recent call last):
> > >   File "/usr/bin/privacyidea", line 1467, in <module>
> > >     main()
> > >   File "/usr/bin/privacyidea", line 1462, in main
> > >     no_ssl_check=args.nosslcheck)
> > >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
> > >     self.set_credentials(username, password)
> > >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
> > >     raise Exception("Invalid Credentials: %s" % r.status_code)
> > > Exception: Invalid Credentials: 400
> > >
> > > and the admin password is correct, I replace the encrypted key file
> > > with the non-encrypted one, restart apache and try again to check the
> > > status, and I get True.
> > >
> > > Do I need to re-add the admin user?
> > >
> > > Regards,
> > > Sherif
> > >
> > > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:
> > > Hi Cornelius,
> > >
> > > Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you
> > >
> > > Sherif
> > >
> > > On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:
> > > Hi Sherif,
> > >
> > > you need at least version 2.7dev1.
> > > Hm, should release privacyideaadm 2.7... :-/
> > >
> > > I guess you have 2.5?
> > > Oh, it is not available from launchpad
> > > ppa:privacyidea/privacyidea-dev
> > > (will just upload)
> > > Or you can install it via pip.
> > >
> > > Kind regards
> > > Cornelius
> > >
> > > On Friday, 04.12.2015, 04:41 -0800, Sherif Nagy wrote:
> > > > Hi Cornelius,
> > > >
> > > > I did try the following command " still did not encrypt my key yet,
> > > > and I am getting the following error:
> > > >
> > > > #privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule
> > > >
> > > > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)
> > > >   InsecureRequestWarning)
> > > > This is the configuration of your active Security module:
> > > >
> > > > Traceback (most recent call last):
> > > >   File "/usr/bin/privacyidea", line 1321, in <module>
> > > >     main()
> > > >   File "/usr/bin/privacyidea", line 1317, in main
> > > >     args.func(args, client)
> > > >   File "/usr/bin/privacyidea", line 683, in securitymodule
> > > >     r1 = client.securitymodule(param={})
> > > >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
> > > >     return self.connect('/system/setupSecurityModule', param)
> > > > AttributeError: 'privacyideaclient' object has no attribute 'connect'
> > > >
> > > > Any idea what might be the issue?
> > > >
> > > > Regards,
> > > > Sherif
> > > >
> > > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
> > > > Hi Sherif,
> > > >
> > > > take a look here:
> > > > http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule
> > > >
> > > > To encrypt the enckey, you can use the script
> > > >
> > > > pi-manage encrypt_enckey <filename>
> > > >
> > > > This will not overwrite the file. The encrypted data will be written to
> > > > stdout. You can either pipe these or paste it.
> > > >
> > > > You may also want to make a backup of the encryption key, anyway!
> > > >
> > > > When you restart the apache it will start quite normal.
> > > > But at certain points, when data needs to be encrypted or decrypted you
> > > > will get the error:
> > > >
> > > > ERR707: hsm not ready!
> > > >
> > > > You can also check this at the command line after (re)-starting the
> > > > apache:
> > > >
> > > > # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
> > > > securitymodule
> > > > Please enter password for 'super':
> > > > This is the configuration of your active Security module:
> > > > { u'status': True, u'value': { u'is_ready': False}}
> > > >
> > > > "is_ready": False shows you, that the encryption key is not ready to be
> > > > used.
> > > >
> > > > So you need to run:
> > > >
> > > > # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
> > > > securitymodule --module=default
> > > > Please enter password for 'super':
> > > > Please enter password for security module 'default':
> > > > Setting the password of your security module default
> > > > { u'status': True, u'value': { u'is_ready': True}}
> > > >
> > > > Now, "is_ready": True shows you, that the encryption key can be used by
> > > > privacyIDEA...
> > > >
> > > > Take care and do backups ;-)
> > > > I do not know, who uses it productively at the moment.
> > > >
> > > > Kind regards
> > > > Cornelius
> > > >
> > > > On Friday, 04.12.2015, 02:03 -0800, Sherif Nagy wrote:
> > > > > Hello,
> > > > >
> > > > > So I am thinking to encrypt my encKey with a password, however I have
> > > > > few questions:
> > > > >
> > > > > 1- This will encrypt the current key, will not generate a new key? so
> > > > > I don't lose the tokens and data in the Database already
> > > > > 2- When I start the service using systemctl or service " I am using
> > > > > deb privacyidea-apache2 package, will that work and asks me to decrypt
> > > > > the enckey? if not, how I can decrypt the enckey in this case?
> > > > >
> > > > > Regards,
> > > > > Sherif
> > > > > --
> > > > > You received this message because you are subscribed to the Google
> > > > > Groups "privacyidea" group.
> > > > > To unsubscribe from this group and stop receiving emails from it, send
> > > > > an email to privacyidea...@googlegroups.com.
> > > > > To post to this group, send email to priva...@googlegroups.com.
> > > > > To view this discussion on the web visit
> > > > > https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com.
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > >
> > > > --
> > > > Cornelius Kölbel
> > > > corneliu...@netknights.it
> > > > +49 151 2960 1417
> > > >
> > > > NetKnights GmbH
> > > > http://www.netknights.it
> > > > Landgraf-Karl-Str. 19, 34131 Kassel, Germany
> > > > Tel: +49 561 3166797, Fax: +49 561 3166798
> > > >
> > > > Amtsgericht Kassel, HRB 16405
> > > > Managing Director: Cornelius Kölbel