Hi,
I have set up PrivacyIdea 3.3 and SimpleSAMLphp, and the privacyidea authproc filters for SSP.
When the SSP module makes a POST to /token/init to register a token for a user, PrivacyIdea responds with “Cannot pass user_object as well as user, resolver, realm in policy”
The SSP module is POSTing
'user' => 'steve.cirrus.stratus_gmail.com@monitor-invite-mfa',
'genkey' => 1,
'type' => 'totp',
'description' => 'Enrolled with simpleSAMLphp'
PrivacyIdea logs:
[2020-06-15 14:31:35,823][35][139747332105984][WARNING][privacyidea.lib.policy:672] Cannot pass user_object as well as user, resolver, realm in policy (None, 'admin', 'enrollTOTP'). <steve.cirrus.stratus_gmail.com.monitor-invite-mfa-sql-resolver@monitor-invite-mfa> - steve.cirrus.stratus_gmail.com@monitor-invite-mfa@None in resolver monitor-invite-mfa-sql-resolver
[2020-06-15 14:31:35,823][35][139747332105984][WARNING][privacyidea.lib.policy:673] Possible programming error: File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 2463, in __call__
return self.wsgi_app(environ, start_response)
File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
response = self.full_dispatch_request()
File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
rv = self.dispatch_request()
File "/opt/privacyidea/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 151, in policy_wrapper
return wrapped_function(*args, **kwds)
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 151, in policy_wrapper
return wrapped_function(*args, **kwds)
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 150, in policy_wrapper
action=self.action)
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/api/lib/prepolicy.py", line 1056, in check_token_init
user_object=request.User).allowed()
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policy.py", line 2327, in allowed
policies_defined = self.any(write_to_audit_log=write_to_audit_log)
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policy.py", line 2287, in any
return bool(self.policies(write_to_audit_log=write_to_audit_log))
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policy.py", line 2279, in policies
**self._match_kwargs)
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/log.py", line 194, in log_wrapper
f_result = func(*args, **kwds)
File "/opt/privacyidea/lib/python3.6/site-packages/privacyidea/lib/policy.py", line 668, in match_policies
tb_str = ''.join(traceback.format_stack())
[2020-06-15 14:31:35,824][35][139747332105984][DEBUG][privacyidea.lib.auditmodules.base:186] Entering log with arguments (<privacyidea.lib.auditmodules.sqlaudit.Audit object at 0x7f195cf566d8>, {'info': "ERR905: Cannot pass user_object as well as user, resolver, realm in policy (None, 'admin', 'enrollTOTP')"}) and keywords {}
(there are also a lot of earlier log lines prior to the error).
I don’t have many policies (increased timeouts for logins, removed welcome message).
I’ve tried creating policies to address the above issue to no avail.
The privacyidea logs do say “Possible programming error”.
How do I diagnose this further?
Thanks.
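An added diagnostic helper, not part of the original post and not code from the privacyIDEA or SimpleSAMLphp projects: it reproduces the enrollment request the SSP module makes (POST /token/init with the same user/genkey/type/description parameters), authenticates with an admin account first, and reduces the JSON response to either the new token serial or the error code and message, so the ERR905 seen in the logs can be confirmed from the API response rather than from the log file. The base URL and admin credentials are placeholders, and the second call, which passes the realm as a separate parameter instead of embedded in the user value, is an assumption about what is worth comparing, not a statement of the cause.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Dict, Optional

# Placeholders (assumptions, not values from the original post).
PI_BASE_URL = "https://privacyidea.example.test"
PI_ADMIN_USER = "admin"
PI_ADMIN_PASSWORD = "CHANGEME"


def build_token_init_payload(user: str, realm: Optional[str] = None,
                             description: str = "Enrolled with simpleSAMLphp") -> Dict[str, Any]:
    """Form body for POST /token/init, mirroring what the SSP module sends.

    The SSP module embeds the realm in the user value ("user@realm"); passing
    'realm' as its own form parameter is the alternative this helper lets you
    compare against.
    """
    payload: Dict[str, Any] = {
        "user": user,
        "genkey": 1,
        "type": "totp",
        "description": description,
    }
    if realm:
        payload["realm"] = realm
    return payload


def interpret_response(body: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a privacyIDEA JSON response to ok/serial or error code/message."""
    result = body.get("result") or {}
    if result.get("status") and result.get("value"):
        detail = body.get("detail") or {}
        return {"ok": True, "serial": detail.get("serial"), "code": None, "message": None}
    error = result.get("error") or {}
    return {"ok": False, "serial": None,
            "code": error.get("code"), "message": error.get("message")}


def is_policy_argument_error(summary: Dict[str, Any]) -> bool:
    """True when the response carries the ERR905 policy error quoted in the post."""
    return summary["code"] == 905


def _post(path: str, data: Dict[str, Any], token: Optional[str] = None) -> Dict[str, Any]:
    """Form-encoded POST to privacyIDEA; 4xx responses still carry a JSON body."""
    req = urllib.request.Request(
        PI_BASE_URL + path,
        data=urllib.parse.urlencode(data).encode(),
        method="POST",
    )
    if token:
        # privacyIDEA expects the raw JWT from /auth in the Authorization header
        req.add_header("Authorization", token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        raw = exc.read()  # error responses (e.g. 400) include result.error
    return json.loads(raw.decode())


def enroll_totp(user: str, realm: Optional[str] = None) -> Dict[str, Any]:
    """Authenticate as admin, attempt the enrollment, and summarise the outcome."""
    auth = _post("/auth", {"username": PI_ADMIN_USER, "password": PI_ADMIN_PASSWORD})
    token = auth["result"]["value"]["token"]
    body = _post("/token/init", build_token_init_payload(user, realm), token)
    return interpret_response(body)


if __name__ == "__main__":
    # Constructed user@realm value shaped like the one in the post (not a real account)
    print(enroll_totp("jane.doe@example-realm"))
    # Same user with the realm supplied as its own parameter, for comparison
    print(enroll_totp("jane.doe", realm="example-realm"))
```

Run it against a test instance with the placeholders filled in; if the first call returns code 905 and the second does not, the difference in how user and realm were passed is where to look next, and if both fail the same way the problem is independent of the request shape.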