Dear privacyIDEA-Team,
after implementing privacyIDEA via Ubuntu packages (16.04) and migrating Token, Resolver and Realms via the migration script from LinOTP, everything works fine (SO FAR). The clients, which had a TOTP in LinOTP, can successfully validate their token with the URL check. Anyhow: By viewing the log (INFO and DEBUG) I am wondering why LDAP queries for certain users happen twice. One with wrong credentials (AD-PW+OTP) and the next time after with correct credentials (AD-PW).
To be more precise:
User1: di12345; Realm=dh; Resolver: dhcom --> One LDAP Query with success
User2: a123456; Realm=dh; Resolver: dhcom --> Two LDAP Queries, last with success
I added a few log.debugs in the lib/resolvers/LDAPResolver (privacyidea.log):
Wrong Credential:
[2018-08-09 14:02:56,771][1205][140655766451968][DEBUG][privacyidea.lib.resolver:197] Exiting get_resolver_object with result <privacyidea.lib.resolvers.LDAPIdResolver.IdResolver object at 0x7fecc567afd0>
[2018-08-09 14:02:56,776][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:791] Added ldapserverONE, None, False to server pool.
[2018-08-09 14:02:56,776][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:282] Authtype: u'Simple'
[2018-08-09 14:02:56,776][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:283] user : u'CN=a440216,CN=Users,DC=dh-com,DC=continental,DC=steel'
[2018-08-09 14:02:56,782][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:298] self.authtype: u'Simple'
[2018-08-09 14:02:56,782][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:299] server_pool: ServerPool(servers=[Server(host=u'ldapserverONE', port=389, use_ssl=False, allowed_referral_hosts=[('*', True)]$
[2018-08-09 14:02:56,782][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:300] password: u'AD-PW047805'
[2018-08-09 14:02:56,782][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:301] self.timeout: 20.0
[2018-08-09 14:02:56,783][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:302] not self.noreferrals: False
[2018-08-09 14:02:56,783][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:303] self.start_tls: False
[2018-08-09 14:02:56,783][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:304] bind result: False
[2018-08-09 14:02:56,783][1205][140655766451968][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:311] failed to check password for u'a440216'/u'CN=a440216,CN=Users,DC=dh-com,DC=continental,DC=steel': Exception('Wrong credentials',)
[2018-08-09 14:02:56,783][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:312] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 306, in checkPass
    raise Exception("Wrong credentials")
Exception: Wrong credentials
Success:
[2018-08-09 14:02:56,790][1205][140655766451968][DEBUG][privacyidea.lib.resolver:197] Exiting get_resolver_object with result <privacyidea.lib.resolvers.LDAPIdResolver.IdResolver object at 0x7fecc567afd0>
[2018-08-09 14:02:56,791][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:205] Reading u'a440216' from cache for '_getDN'
[2018-08-09 14:02:56,792][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:791] Added ldapserverONE, None, False to server pool.
[2018-08-09 14:02:56,792][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:282] Authtype: u'Simple'
[2018-08-09 14:02:56,792][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:283] user : u'CN=a440216,CN=Users,DC=dh-com,DC=continental,DC=steel'
[2018-08-09 14:02:56,797][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:298] self.authtype: u'Simple'
[2018-08-09 14:02:56,797][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:299] server_pool: ServerPool(servers=[Server(host=u'ldapserverONE', port=389, use_ssl=False, allowed_referral_hosts=[('*', True)]$
[2018-08-09 14:02:56,798][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:300] password: u'AD-PW'
[2018-08-09 14:02:56,798][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:301] self.timeout: 20.0
[2018-08-09 14:02:56,798][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:302] not self.noreferrals: False
[2018-08-09 14:02:56,798][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:303] self.start_tls: False
[2018-08-09 14:02:56,798][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:304] bind result: True
[2018-08-09 14:02:56,798][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:307] bind seems successful.
[2018-08-09 14:02:56,799][1205][140655766451968][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:309] unbind successful.
[2018-08-09 14:02:56,800][1205][140655766451968][DEBUG][privacyidea.lib.user:357] Successfully authenticated user User(login=u'a440216', realm=u'dh', resolver=u'dh-comad').
[2018-08-09 14:02:56,800][1205][140655766451968][DEBUG][privacyidea.lib.user:197] Exiting check_password with result a440216@dh
Please let me know, if you need more information!
Thanks in advance.
Best wishes
Axel
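
Added example, not part of the original post and not privacyIDEA's own code: a parser for the log layout shown above that flags a failed LDAP bind followed shortly by a successful one for the same DN on the same process and thread, and masks logged bind passwords before a log is shared. It relies on the `user :`, `password:` and `bind result:` debug lines that appear in the excerpts; the sample log, DNs, passwords and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout seen in the excerpts: [timestamp][pid][thread][LEVEL][module:line] message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[(\d+)\]\[(\d+)\]\[\w+\]\[[^\]]+\] (.*)$")
USER_RE = re.compile(r"^user : u?'([^']*)'")
BIND_RE = re.compile(r"^bind result: (True|False)$")
PASSWORD_RE = re.compile(r"(password: )u?'[^']*'")

# Constructed sample: user1 binds once, user2 fails and then succeeds 15 ms later.
SAMPLE_LOG = """\
[2018-01-01 10:00:00,100][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:283] user : u'CN=user1,DC=example,DC=test'
[2018-01-01 10:00:00,102][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:304] bind result: True
[2018-01-01 10:00:01,100][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:283] user : u'CN=user2,DC=example,DC=test'
[2018-01-01 10:00:01,101][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:300] password: u'PW-B123456'
[2018-01-01 10:00:01,102][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:304] bind result: False
Traceback (most recent call last):
[2018-01-01 10:00:01,110][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:283] user : u'CN=user2,DC=example,DC=test'
[2018-01-01 10:00:01,111][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:300] password: u'PW-B'
[2018-01-01 10:00:01,117][1][7][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:304] bind result: True
"""

def redact(text):
    """Mask logged bind passwords so the log can be shared."""
    return PASSWORD_RE.sub(r"\1'<redacted>'", text)

def bind_attempts(text):
    """Map (pid, thread, DN) to its ordered list of (time, bind_ok)."""
    attempts, current_dn = defaultdict(list), {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # traceback continuation lines carry no prefix
        ts, pid, tid, msg = m.groups()
        user, bind = USER_RE.match(msg), BIND_RE.match(msg)
        if user:
            current_dn[(pid, tid)] = user.group(1)
        elif bind and (pid, tid) in current_dn:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")
            attempts[(pid, tid, current_dn[(pid, tid)])].append((when, bind.group(1) == "True"))
    return attempts

def double_binds(text, max_gap=timedelta(seconds=1)):
    """(DN, gap in ms) for each failed bind followed by a success within max_gap."""
    return [(dn, (t2 - t1) // timedelta(milliseconds=1))
            for (_, _, dn), seq in bind_attempts(text).items()
            for (t1, ok1), (t2, ok2) in zip(seq, seq[1:])
            if not ok1 and ok2 and t2 - t1 <= max_gap]
```

Run `double_binds()` over the real privacyidea.log to list which DNs show the two-query pattern, and pass the file through `redact()` before attaching it to a post.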