Reset_all_user_tokens issue

speedy · September 5, 2018, 5:43pm

If passthru:userstore is used in an authentication policy, it appears that reset_all_user_tokens causes a conflict, and denies access. is this by design or a bug? I would expect the behavior to only apply to those with tokens. Thanks

cornelinux · September 5, 2018, 8:39pm

Can you please tell more about the “conflict”, that is caused?
Do you have an error message or/and the output of the privacyidea.log?
Thanks a lot!

speedy · September 5, 2018, 8:47pm

In the audit log, I get “Contradicting passthru policies.” for users who do not have a token, and when reset_all_user_token is selected. If I de-select reset_all_user_token, then the users can authenticate. If you need more info, I’m happy to supply it if you can tell me where to look!
Thanks

cornelinux · September 5, 2018, 8:54pm

This actually happens in privacyidea/lib/policydecorators.py in the auth_user_passthru.
You are running 2.23?
Are you sure, that you only have one passthru policy? This code should only be called if more than one passthru policies match. So please re-check your policies!

speedy · September 5, 2018, 9:06pm

correct. 2.23 from the PPA. Correct, I only have the single passthru policy.

cornelinux · September 5, 2018, 9:45pm

Sorry, can not reproduce with policies:

scope=AUTH, action=reset_all_tokens
scope=AUTH, action=passthru:userstore

/validate/check for a user without a token works out fine.

speedy · September 5, 2018, 11:59pm

odd… thank you for checking. I’ll try again tomorrow. are you using one policy or two? I was using a single policy. could that have been my issue?

cornelinux · September 6, 2018, 9:39am

I am using two policies. Should not matter.

Here is the testcase

with policy “pthru” and “reset_all_tokens”.

speedy · September 6, 2018, 4:11pm

I just tested this again. it appears that in a single policy with the following doesn’t work
authentication { "passthru": "userstore", "otppin": "userstore" "reset_all_user_tokens": true }

If I remove { "reset_all_user_tokens": true } from the original policy and create a second policy with authentication { "reset_all_user_tokens": true }, then it seems to work

cornelinux · September 7, 2018, 2:54pm

I am sorry. I absolutely can not reproduce this.
You need to take a look into your privacyidea.log.
Or use privacyidea-diag, you may have a rathe special combination of configurations.

speedy · September 7, 2018, 3:00pm

thanks for taking a look. my setup is pretty vanilla, but I am using AD/LDAP as my userstore. It’s not a blocker for my POC. I"ll do what you suggest. Thanks again!

fredreichbier · September 11, 2018, 9:42am

Just for the record: The error indeed seems like privacyIDEA wrongly concludes there are conflicting policies. This should only happen if there are multiple policies with the same priority that disagree on the value of the “passthru” action. So it definitely shouldn’t happen if you only have one policy. :-/ Would be really interesting if we would be able to reproduce this.