SSO WEBUI - Windows users automatic login

Hello, I tried to enable SSO according to the manual https://privacyidea.readthedocs.io/en/latest/policies/webui.html, but unfortunately I cannot get it working :frowning:

Here is my privacyidea.conf

# For Apache 2.4 you need to set this:
# Require all granted
Options FollowSymLinks
AllowOverride None

    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Logins"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms COMPANY.LV
    Krb5KeyTab /etc/apache2/http.keytab
    KrbServiceName HTTP
    KrbSaveCredentials On
    <RequireAny>
        # Either we need a URL with no authentication or we need a valid user
        <RequireAny>
            # Any of these URL do NOT need a basic authentication
            Require expr %{REQUEST_URI} =~ m#^/validate#
            Require expr %{REQUEST_URI} =~ m#^/ttype#
        </RequireAny>
        Require valid-user
    </RequireAny>
</Directory>

And here are the errors I got:
[Sat Aug 29 21:53:40.946991 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] mod_wsgi (pid=2308): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Sat Aug 29 21:53:40.947555 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] Traceback (most recent call last):
[Sat Aug 29 21:53:40.947746 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
[Sat Aug 29 21:53:40.947776 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] response = self.full_dispatch_request()
[Sat Aug 29 21:53:40.947806 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1951, in full_dispatch_request
[Sat Aug 29 21:53:40.947821 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] rv = self.handle_user_exception(e)
[Sat Aug 29 21:53:40.947848 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1820, in handle_user_exception
[Sat Aug 29 21:53:40.947866 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] reraise(exc_type, exc_value, tb)
[Sat Aug 29 21:53:40.947893 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
[Sat Aug 29 21:53:40.947906 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] raise value
[Sat Aug 29 21:53:40.947932 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
[Sat Aug 29 21:53:40.947948 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] rv = self.dispatch_request()
[Sat Aug 29 21:53:40.947975 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
[Sat Aug 29 21:53:40.947981 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] return self.view_functions[rule.endpoint](**req.view_args)
[Sat Aug 29 21:53:40.947992 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/webui/login.py", line 115, in single_page_application
[Sat Aug 29 21:53:40.947998 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] if is_remote_user_allowed(request):
[Sat Aug 29 21:53:40.948010 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 1160, in is_remote_user_allowed
[Sat Aug 29 21:53:40.948035 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] realm=realm).action_values(unique=False)
[Sat Aug 29 21:53:40.948049 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policy.py", line 2310, in action_values
[Sat Aug 29 21:53:40.948055 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] self._g.audit_object.audit_data.setdefault("policies", []).append(p_name)
[Sat Aug 29 21:53:40.948079 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] AttributeError: 'NoneType' object has no attribute 'audit_data'
[Sat Aug 29 21:53:40.948100 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894]
[Sat Aug 29 21:53:40.948106 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] During handling of the above exception, another exception occurred:
[Sat Aug 29 21:53:40.948111 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894]
[Sat Aug 29 21:53:40.948122 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] Traceback (most recent call last):
[Sat Aug 29 21:53:40.948164 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 2463, in __call__
[Sat Aug 29 21:53:40.948176 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] return self.wsgi_app(environ, start_response)
[Sat Aug 29 21:53:40.948192 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 2449, in wsgi_app
[Sat Aug 29 21:53:40.948199 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] response = self.handle_exception(e)
[Sat Aug 29 21:53:40.948210 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1878, in handle_exception
[Sat Aug 29 21:53:40.948219 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] server_error = handler(server_error)
[Sat Aug 29 21:53:40.948230 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/postpolicy.py", line 130, in policy_wrapper
[Sat Aug 29 21:53:40.948236 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] response = wrapped_function(*args, **kwds)
[Sat Aug 29 21:53:40.948247 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/before_after.py", line 380, in internal_error
[Sat Aug 29 21:53:40.948253 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] g.audit_object.log({"info": six.text_type(error)})
[Sat Aug 29 21:53:40.948272 2020] [wsgi:error] [pid 2308:tid 140033986033408] [remote 10.99.120.8:64894] AttributeError: 'NoneType' object has no attribute 'log'

Please point me in the right direction.
Thank you

P.S.
I am new to Apache and Linux, so my problem might seem dumb.

Hello,

welcome!

I am not sure whether these errors are even related to your apache2 configuration. Did the installation run before with the default apache2 conf files? How did you install?

You should check the permissions of /opt/privacyidea, /var/log/privacyidea and /etc/privacyidea.

Best,

Henning

Yes, this is a working server.
I continue to use it with the default install (Ubuntu 18.04 repo), but out of working hours I am playing with another copy of the Apache config file.
External access is enabled and the keytab file is correctly generated and seems to work (I can get a Kerberos ticket with it).
Also, it seems to log in: from a domain client with delegation enabled it logs in (not asking for credentials), but if this is done from a non-domain client it shows a password prompt, which then fails with the same errors.
So I guess the problem is my poor knowledge of Apache config, and the error is within this Apache config part, which should be added according to the instructions.
R

Did you check both privacyIDEA log and apache2 log?

This is actually an error in privacyIDEA: the before_request for the login route does not initialize the audit object.
I opened a GitHub issue:
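The two chained AttributeErrors in the traceback above, modelled as an added example (not privacyIDEA's code; Audit, G, login_route, internal_error and handle_request are constructed stand-ins for flask.g, the audit object and the routes named in the trace): the policy lookup dereferences an audit object that no before_request created, and the 500 handler that would report it needs the same object, so the handler's own error masks the real one. init_audit=True models the fix the post describes.

```python
class Audit:
    """Stand-in for the per-request audit object privacyIDEA keeps on flask.g."""
    def __init__(self):
        self.audit_data = {}
        self.entries = []

    def log(self, data):
        self.entries.append(data)


class G:
    """Stand-in for flask.g: a fresh namespace for every request, nothing set yet."""
    def __init__(self):
        self.audit_object = None


def policy_lookup(g):
    """Mirrors policy.action_values(): records the matched policy name in the audit data."""
    g.audit_object.audit_data.setdefault("policies", []).append("webui_remote_user")
    return {"remote_user": "allowed"}


def login_route(g, environ):
    """Mirrors webui/login.py: a REMOTE_USER set by mod_auth_kerb triggers the policy check."""
    if environ.get("REMOTE_USER"):
        policy_lookup(g)
        return 200, "logged in as %s" % environ["REMOTE_USER"]
    return 200, "login form"


def internal_error(g, error):
    """Mirrors before_after.internal_error(): the 500 handler also needs the audit object."""
    g.audit_object.log({"info": str(error)})
    return 500, str(error)


def handle_request(environ, init_audit):
    """Dispatch one request. init_audit=True models the fix: before_request creates the
    audit object. Returns (status, body); a 'masked: ...' body means the handler crashed."""
    g = G()
    if init_audit:
        g.audit_object = Audit()
    try:
        return login_route(g, environ)
    except AttributeError as original:
        try:
            return internal_error(g, original)
        except AttributeError as masking:
            # What the wsgi error log shows: the handler's 'no attribute log' error is
            # reported on top of the real 'no attribute audit_data' error.
            return 500, "masked: %s (original: %s)" % (masking, original)
```

A request without REMOTE_USER never touches the audit object, which is why the plain login form still works while the Kerberos-authenticated request fails.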